A Digital Forensics Approach for Lost Secondary Partition Analysis using Master Boot Record Structured Hard Disk Drives

The development and widespread use of computer systems has increased the need for secure storage of data. At the same time, the analysis of digital data storage devices is very important for forensic IT professionals who aim to access information to clarify the crime. File systems of disk drives use partition structures to securely store data and prevent problems such as corruption. In this study, deletion or corruption of partitions on commonly used DOS / Master Boot Record (MBR) configured hard disk drives are investigated by using forensic tools. In order to analyze hard disk drives, Forensic Tool Kit (FTK), Magnet AXIOM, Encase, Autopsy and The Sleuth Kit (TSK), which are widely used as commercial and open source, are analyzed by using a presented scenario. In the scenario, the primary partition and the extended partition are created using the DOS / MBR partitioning structure on the test disk. Test files are added to the sections and the sections are deleted. The digital forensics tools were tested on the presented scenario. According to the obtained results, TSK and Encase are successful tools for DOS / MBR structured HDD analysis. However, FTK, Magnet AXIOM and Autopsy could not achieve information detection on DOS/MBR structured disks. These results clearly demonstrated that crime data can be hidden in MBR structured HDD. To carve these data, the correct methodology should be selected.


[1] C. Altheide and H. Carvey, Digital forensics with open source tools. Elsevier, 2011.

[2] B. Carrier, "Open source digital forensics tools: The legal argument," stake, 2002.

[3] R. Harris, "Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem," digital investigation, vol. 3, pp. 44-49, 2006.

[4] G. Horsman, "Formalising investigative decision making in digital forensics: proposing the Digital Evidence Reporting and Decision Support (DERDS) framework," Digital Investigation, vol. 28, pp. 146-151, 2019.

[5] T. Vidas, B. Kaplan, and M. Geiger, "OpenLV: Empowering investigators and first-responders in the digital forensics process," Digital Investigation, vol. 11, pp. S45-S53, 2014.

[6] S. L. Garfinkel, "Digital forensics research: The next 10 years," digital investigation, vol. 7, pp. S64-S73, 2010.

[7] Y. Guo, J. Slay, and J. Beckett, "Validation and verification of computer forensic software tools—Searching Function," digital investigation, vol. 6, pp. S12-S22, 2009.

[8] A. C. Bogen and D. A. Dampier, "Unifying computer forensics modeling approaches: a software engineering perspective," in First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05), 2005: IEEE, pp. 27-39.

[9] M. Wundram, F. C. Freiling, and C. Moch, "Anti-forensics: the next step in digital forensics tool testing," in 2013 seventh international conference on it security incident management and it forensics, 2013: IEEE, pp. 83-97.

[10] G. C. Kessler, "Anti-forensics and the digital investigator," 2007.

[11] A. Khan, U. K. Wiil, and N. Memon, "Digital forensics and crime investigation: Legal issues in prosecution at national level," in 2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, 2010: IEEE, pp. 133-140.

[12] R. W. Taylor, E. J. Fritsch, and J. Liederbach, Digital crime and digital terrorism. Prentice Hall Press, 2014.

[13] M. Geiger, "Evaluating Commercial Counter-Forensic Tools," in DFRWS, 2005.

[14] S. Garfinkel, "Anti-forensics: Techniques, detection and countermeasures," in 2nd International Conference on i-Warfare and Security, 2007, vol. 20087, pp. 77-84.

[15] B. J. Nikkel, "Forensic analysis of GPT disks and GUID partition tables," Digital Investigation, vol. 6, no. 1-2, pp. 39-47, 2009.

[16] Y. Liu, J. Fang, and C. Han, "A new R-tree node splitting algorithm using MBR partition policy," in 2009 17th International Conference on Geoinformatics, 2009: IEEE, pp. 1-6.

[17] G. Horsman, "Tool testing and reliability issues in the field of digital forensics," Digital Investigation, vol. 28, pp. 163-175, 2019.

[18] S. Bommisetty, R. Tamma, and H. Mahalik, Practical mobile forensics. Packt Publishing Ltd, 2014.

[19] H. Mahalik, R. Tamma, and S. Bommisetty, Practical Mobile Forensics. Packt Publishing Ltd, 2016.

[20] M. Al Fahdi, N. L. Clarke, and S. M. Furnell, "Challenges to digital forensics: A survey of researchers & practitioners attitudes and opinions," in 2013 Information Security for South Africa, 2013: IEEE, pp. 1-8.

[21] G. Horsman and D. Errickson, "When finding nothing may be evidence of something: Anti-forensics and digital tool marks," Science & Justice, vol. 59, no. 5, pp. 565-572, 2019.

[22] K. Conlan, I. Baggili, and F. Breitinger, "Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy," Digital investigation, vol. 18, pp. S66-S75, 2016.

[23] T. Göbel and H. Baier, "Anti-forensics in ext4: On secrecy and usability of timestamp-based data hiding," Digital Investigation, vol. 24, pp. S111-S120, 2018.

[24] T. Haruyama and H. Suzuki, "One-byte modification for breaking memory forensic analysis," Black Hat Europe, 2012.

[25] A. Prakash, E. Venkataramani, H. Yin, and Z. Lin, "Manipulating semantic values in kernel data structures: Attack assessments and implications," in 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2013: IEEE, pp. 1-12.

[26] K. Lee, H. Hwang, K. Kim, and B. Noh, "Robust bootstrapping memory analysis against anti-forensics," Digital Investigation, vol. 18, pp. S23-S32, 2016.

[27] S. Rekhis and N. Boudriga, "A system for formal digital forensic investigation aware of anti-forensic attacks," IEEE transactions on information forensics and security, vol. 7, no. 2, pp. 635-650, 2011.

[28] A. Regenscheid, L. Feldman, and G. Witte, "NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization," National Institute of Standards and Technology, 2015. [29] D. Hurlbut-AccessData, "Fuzzy Hashing for Digital Forensic Investigators," 2009.

[30] K. Hausknecht, D. Foit, and J. Burić, "RAM data significance in digital forensics," in 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015: IEEE, pp. 1372-1375.

[31] E. Casey and G. J. Stellatos, "The impact of full disk encryption on digital forensics," ACM SIGOPS Operating Systems Review, vol. 42, no. 3, pp. 93-98, 2008.

[32] B. Dolan-Gavitt, "Forensic analysis of the Windows registry in memory," digital investigation, vol. 5, pp. S26-S32, 2008.

[33] T. Sammes and B. Jenkinson, Forensic computing. Springer, 2007.

[34] B. Carrier, File system forensic analysis. Addison-Wesley Professional, 2005.

[35] K. Sindhu and B. Meshram, "Digital forensics and cyber crime datamining," 2012.

[36] B. Carrier, "Defining digital forensic examination and analysis tools using abstraction layers," International Journal of digital evidence, vol. 1, no. 4, pp. 1-12, 2003.

[37] K. Eckstein and M. Jahnke, "Data Hiding in Journaling File Systems," in DFRWS, 2005.

[38] F. Ahsan, M. I. Lali, I. Ahmad, A. Ishaq, and S. Mohsin, "Exploring the effect of directory depth on file access for FAT and NTFS file systems," ISTASC, vol. 8, pp. 130-135, 2008.

[39] J. Davis, J. MacLean, and D. Dampier, "Methods of information hiding and detection in file systems," in 2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, 2010: IEEE, pp. 66-69.

[40] W. Hong-biao, "The Features and Applications of FAT and NTFS File Systems [J]," Computer Knowledge and Technology (Academic Exchange), vol. 6, 2007.

[41] P. Nabity and B. J. Landry, "Recovering deleted and wiped files: A digital forensic comparison of FAT32 and NTFS file systems using evidence eliminator," ed: SWDSI, 2013.

[42] M. Trawicki, "File Systems in Computers," 2002.

[43] J. M. Rodriguez and J. Duffany, "Computer Forensics Tutorial Disk File Systems (FAT16, FAT32, NTFS)," POLYTECHNIC UNIV OF PUERTO RICO SAN JUAN, 2012.

[44] N. Zhang, Y. Jiang, and J. Wang, "The Research of Data Recovery on Windows File Systems," in 2020 International Conference on Intelligent Transportation, Big Data & Smart City (ICITBS), 2020: IEEE, pp. 644-647.

[45] S. G. Taskin and E. U. Kucuksille, "Recovering Data Using MFT Records in NTFS File System," Academic Perspective Procedia, vol. 1, no. 1, pp. 448-457, 2018.

[46] K. L. Rusbarsky and K. City, "A forensic comparison of NTFS and FAT32 file systems," http://www. marshall. edu/forensics/files/RusbarskyKelsey_Research-Paper-Summer-2012. pdf. Fetched: July, vol. 6, p. 2017, 2012.

Kaynak Göster