Journal of Forensic Toxicology & Pharmacology
ISSN: 2325-9841

Determining removal of forensic artefacts using the USN change journal


Christopher John Lees

Greater Manchester Police, UK

Forensic Toxicol Pharmacol 2015, 4:4

Abstract


Programs which remove forensic artefacts can be a hindrance to forensic investigators, and proving their use can often be difficult, as can proving the use of the “private browsing” modes available in many Internet browsers. In this paper we examine the ways in which the Update Sequence Number (USN) journal file can be used to show signs that such software or modes of operation have been used. When NTFS journaling is enabled, the USN journal provides a list of transactions relating to files on the volume. This includes a list of all file creations, renames and deletions. By examining this journal after the use of common programs designed to remove artefacts or to prevent artefacts from being created, we can see that there are patterns within the journal which can be used to detect such activity. Specifically, references to the creation of or access to prefetch files for the Internet Explorer browser and large numbers of deletions are consistent with InPrivate browsing being used. The use of the CCleaner software also creates distinctive patterns within the USN journal.
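
The two indicators named in the abstract can be checked over an extracted $UsnJrnl:$J stream as follows. This is an added example, not code from the paper: it assumes USN_RECORD_V2 records as laid out in Microsoft's documentation, the function names are hypothetical, the 60-second window and 20-deletion threshold are assumed values, and the sample records (including the prefetch hash) are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HDR = struct.Struct("<IHHQQQQIIIIHH")  # USN_RECORD_V2 fixed header, 60 bytes, little-endian
FILE_CREATE, FILE_DELETE, CLOSE = 0x100, 0x200, 0x80000000  # USN_REASON_* flags
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)           # FILETIME epoch

def parse_usn(buf):
    """Yield (usn, time, reason, name) for each V2 record in a $UsnJrnl:$J extract."""
    off = 0
    while off + HDR.size <= len(buf):
        (length, major, _, _, _, usn, ft, reason, _, _, _, nlen, noff) = HDR.unpack_from(buf, off)
        if length == 0:                 # zero fill between records: step to next boundary
            off += 8
            continue
        if major != 2 or length < HDR.size or noff + nlen > length or off + length > len(buf):
            break                       # other version or truncated: stop rather than guess
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le", "replace")
        yield usn, EPOCH + timedelta(microseconds=ft // 10), reason, name
        off += (length + 7) & ~7        # records are 8-byte aligned

def triage(records, window=timedelta(seconds=60), threshold=20):
    """Return (IE prefetch hits, deletion-burst start times); window/threshold are assumed."""
    prefetch = [(t, n) for _, t, _, n in records
                if n.upper().startswith("IEXPLORE.EXE-") and n.lower().endswith(".pf")]
    deletes = sorted(t for _, t, r, _ in records if r & FILE_DELETE)
    bursts, i = [], 0
    for j, t in enumerate(deletes):
        while t - deletes[i] > window:  # slide the window start forward
            i += 1
        if j - i + 1 >= threshold and (not bursts or deletes[i] - bursts[-1] > window):
            bursts.append(deletes[i])
    return prefetch, bursts

def build_record(usn, when, reason, name):  # packs constructed sample records only
    raw = name.encode("utf-16-le")
    ft = (when - EPOCH) // timedelta(microseconds=1) * 10
    length = (HDR.size + len(raw) + 7) & ~7
    rec = HDR.pack(length, 2, 0, 0, 0, usn, ft, reason, 0, 0, 0x20, len(raw), HDR.size)
    return (rec + raw).ljust(length, b"\0")

def sample_journal():
    """Constructed sample: one prefetch create, 40 deletes in 8 seconds, one later delete."""
    t0 = datetime(2015, 1, 1, 12, 0, tzinfo=timezone.utc)
    recs = [build_record(0, t0, FILE_CREATE, "IEXPLORE.EXE-0A1B2C3D.pf")]  # hash is made up
    recs += [build_record(i, t0 + timedelta(seconds=30 + i // 5), FILE_DELETE | CLOSE,
                          f"cache{i:03}.tmp") for i in range(1, 41)]
    recs.append(build_record(41, t0 + timedelta(hours=1), FILE_DELETE | CLOSE, "notes.txt"))
    return b"\0" * 16 + b"".join(recs)
```

A burst of deletions on its own is also produced by routine cleanup, so the two results are meant to be read together and against the timeline of the case.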

Biography


chrislees2k6@o2.co.uk
