Media analyses based on Microsoft® NTFS file ownership

Kerr, Fred C.

doi:10.1016/j.forsciint.2006.06.014

« Previous Next »Forensic Science International
Volume 162, Issue 1 , Pages 44-48, 16 October 2006

Media analyses based on Microsoft^® NTFS file ownership

Information Systems Management, Applied Management and Decision Sciences, Walden University, 155 Fifth Avenue, Minneapolis, MN 55401, USA

published online 31 July 2006.

Abstract

The ever-increasing size of digital media presents a continuous challenge to digital investigators who must rapidly assess computer media to find and identify evidence. To meet this challenge, methods must continuously be sought to expedite the examination process. This paper investigates using the file ownership property as an analytical tool focusing on activity by individuals associated with the computer. Research centered on the New Technology File System (NTFS), which is the default file system in Microsoft^® Windows Operating System (OS). This was done because Microsoft^®'s worldwide market penetration makes Windows^® and NTFS the most likely OS and file system to be encountered in digital forensic examinations. Significantly, digital forensic software now allows examination of NTFS file attributes and properties including the ownership property. The paper outlines potential limitations regarding interpreting ownership findings, and suggests areas for further research. Overall, file ownership is seen as a potentially viable new digital forensic tool.

Keywords: Digital Forensic Examination, Media examination, File ownership, NTFS