Media analyses based on Microsoft NTFS file ownership

1
Media analyses based on Microsoft NTFS file
ownership

• Writer Fred C. Kerr
• Information Systems Management, Applied
  Management and Decision Sciences, Walden
  university, USA
• Presentation Forensic Science International,
  28. July. 2006
• Reporter Sparker

2
Introduction

• The object ownership property of files and
  folders within NTFS is an yet little-used method
  to profile computer users via allocated files and
  folders that they own.
• Major challenges faced by the digital
  investigators are the rapid growth of media size,
  number of computer systems, and the amount of
  information stored.

3
The paradox of digital crime

• Commit a digital crime versus investigate a
  digital crime.
• Digital crime is easy to commit, while detecting
  and investigating them is quite difficult.
• An improved methodology is more efficient and
  effective than increasing the numbers of digital
  forensic examiners.

4
The need for a Big-Picture view of digital media

• The size of digital media has grown so large it
  si often difficult to digest.
• The military had an immediate tactical need for
  information, a quick view of the media designed
  to optimize collection of mission-essential
  evidence, this is called battle damage
  assessment.

5
Digital fingerprint

• The NTFS adds security measures which are based
  upon the concept of ownershipof files and
  folders on computer system.
• Every object in NTFS has an owner, by default,
  an objects creator is its owner and establishes
  and regulates an objects security permission.
• Each authorized user in the NTFS file system is
  represented by a unique security identifier (SID)
  number.

6
Methodology

• General
• Platforms
• Examination

7
Results

• This is the first system to portray file and
  folders information in an overall big-picture
  view of one or more entire hard drives.
• A series of crosstab reports were created in the
  database displaying files and folders that were
  owned by particular user SIDs.

8
Results (contd.)

• These profiles first grouped file extensions into
  arbitrary classification (compressed, e-mail,
  executable, graphics, Internet, logs, office, and
  shortcuts)
• From this big-picture view, a second level was
  created (a drill-down display) to show more
  detail by user SID depicting the specific numbers
  of files by extension making up the initial
  groupings.
• An additional level of drill-down was created to
  display specific file information (file names,
  full path, etc.) for any specific extension of
  interest.

9
Potential limitations

• Examination using owner SID are not panacea, but
  they do provide an additional tool for the
  digital forensic examiner.
• There are two potential limitations associated
  with using owner SID as a profiling technique.
• The first is that it pertains to allocated files
  only.
• The second is that it is possible to change the
  owner SID.

10
Potential forensic uses

• Correlation of logged-on user SID with
  files/folders owned by that SID could aid in
  reconstruction of activities within a specified
  timeline.
• Such a timeline could incorporate the SID-based
  entries found in the Windows Event Logs as well.

11
Conclusions and further research

• In terms of pre-examination screening of media,
  profiling user activity via owner SIDs on a
  computer system provide potential value to a
  digital investigator.
• Profiling concepts might be extended to another
  system such as UNIX and LINUX.