Sakarya University Journal of Computer and Information Sciences
Yazarlar: Erhan AKBAL, Ömer Faruk YAKUT, Sengul DOGAN, Türker TUNCER, Fatih ERTAM
Konular:Bilgisayar Bilimleri, Sibernitik
DOI:10.35377/saucis...1022600
Anahtar Kelimeler:Digital forensics,Dos/mbr partition,Extended partition,Lost partition,Recovery partition,Anti-forensic
Özet: The development and widespread use of computer systems has increased the need for secure storage of data. At the same time, the analysis of digital data storage devices is very important for forensic IT professionals who aim to access information to clarify the crime. File systems of disk drives use partition structures to securely store data and prevent problems such as corruption. In this study, deletion or corruption of partitions on commonly used DOS / Master Boot Record (MBR) configured hard disk drives are investigated by using forensic tools. In order to analyze hard disk drives, Forensic Tool Kit (FTK), Magnet AXIOM, Encase, Autopsy and The Sleuth Kit (TSK), which are widely used as commercial and open source, are analyzed by using a presented scenario. In the scenario, the primary partition and the extended partition are created using the DOS / MBR partitioning structure on the test disk. Test files are added to the sections and the sections are deleted. The digital forensics tools were tested on the presented scenario. According to the obtained results, TSK and Encase are successful tools for DOS / MBR structured HDD analysis. However, FTK, Magnet AXIOM and Autopsy could not achieve information detection on DOS/MBR structured disks. These results clearly demonstrated that crime data can be hidden in MBR structured HDD. To carve these data, the correct methodology should be selected.