Ordinary B-tree vs NTFS B-tree: A Digital Forensics Perspectives (일반 B-트리와 NTFS B-트리의 비교: 디지털포렌식 관점에서)

Cho Gyu Sang (조규상)

doi:10.9708/jksci.2017.22.08.073

Ordinary B-tree vs NTFS B-tree: A Digital Forensics Perspectives

Journal of The Korea Society of Computer and Information
Abbr : JKSCI
2017, 22(8), pp.73-83
DOI : 10.9708/jksci.2017.22.08.073
Publisher : The Korean Society Of Computer And Information
Research Area : Engineering > Computer Science
Received : August 3, 2017
Accepted : August 14, 2017
Published : August 31, 2017

Cho Gyu Sang ¹

¹동양대학교

Accredited

ABSTRACT

In this paper, we discuss the differences between an ordinary B-tree and B-tree implemented by NTFS. There are lots of distinctions between the two B-tree, if not understand the distinctions fully, it is difficult to utilize and analyze artifacts of NTFS. Not much, actually, is known about the implementation of NTFS, especially B-tree index for directory management. Several items of B-tree features are performed that includes a node size, minimum number of children, root node without children, type of key, key sorting, type of pointer to child node, expansion and reduction of node, return of node. Furthermore, it is emphasized the fact that NTFS use B-tree structure not B+structure clearly.

KEYWORDS

B-tree, B+tree, NTFS filesystem, Directory index, Digital forensics

Citation status

* References for papers published after 2023 are currently being built.

[confproc] Jun Huang / 2012 / The Research of Fast File Destruction Based on NTFS / ECICE 2012, AISC 146 : 613~619

[book] Ellis Horowitz / 2007 / Fundamentals of Data Structures in C++ / Silicon Press

[web] Wikipedia / B+ tree / https://en.wikipedia.org/wiki/B+tree

[book] Dominic Giampaolo / 1999 / Practical File System Design: The Be File System / Morgan Kaufmann Publishers, Inc : 40~44

[web] M. Russinovich / Inside Win2K NTFS, Part 1 / MSDN. Microsoft

[web] William Ballenthin / NTFS INDX Attribute Parsing / http://www.williballenthin.com/forensics/indx/index.html

[web] Chad Tilbury / NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files / SANS Digital Forensics and Incident Response Blog / http://digital-forensics.sans.org

[web] William Ballenthin / Incident Response with NTFS INDX Buffers - Parts 1, 2, 3 and 4 / https://www.mandiant.com/blog/author/willi-ballenthin/

[confproc] Gyu-Sang Cho / 2015 / NTFS Directory Index Analysis for Computer Forensics / Proceedings of IMIS 2015 : 441~446

[journal] 조규상 / 2015 / A New NTFS Anti-Forensic Technique for NTFS Index Entry / 한국정보전자통신기술학회 논문지 / 한국정보전자통신기술학회 8(4) : 327~337

[journal] 조규상 / 2015 / An Anti-Forensic Technique for Hiding Data in NTFS Index Record with a Unicode Transformation / 융합보안 논문지 / 한국융합보안학회 15(7) : 75~84

[journal] 조규상 / 2015 / A Digital Forensic Analysis for Directory in Windows File System / (사)디지털산업정보학회 논문지 / (사)디지털산업정보학회 11(2) : 73~90

[web] Wikipedia / B-tree / http://en.wikipedia.org/wiki/B-tree

[web] Microsoft TechNet / How NTFS Works / https://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx

[web] Wikipedia / NTFS / http://en.wikipedia.org/wiki/NTFS

[book] B. Carrier / 2005 / File System Forensic Analysis / Addison -Wesley : 273~396

[report] Wicher Minnaard / 2014 / Timestomping NTFS, IMSc final research project report / University of Amsterdam, Faculty of Natural Sciences, Mathematics and Computer Science

[journal] Wasim Ahmad Bhat / 2011 / A Quick Review of On-Disk Layout of Some Popular Disk File Systems / Global Journal of Computer Science & Technology 11(Issue 1)

[confproc] Petra Grd / 2010 / Analysis of B-tree data structure and its usage in computer forensics / Proc. of the 21st Central European Conf. on Information and Intelligent Systems : 423~428

[web] Microsoft Technet / Fsutil behavior / https://technet.microsoft.com/en-us/library/cc785435(v=ws.11).aspx

This paper was written with support from the National Research Foundation of Korea.

KJCKorea
Journal Central

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Ordinary B-tree vs NTFS B-tree: A Digital Forensics Perspectives

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Ordinary B-tree vs NTFS B-tree: A Digital Forensics Perspectives

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (1)

REFERENCES (20) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.