원문정보
초록
영어
In this paper, we propose a method of reconstructing the file system to obtain digital forensics information from the APFS file system when meta information that can know the structure of the file system is deleted due to partial damage to the disk. This method is to reconstruct the tree structure of the file system by only retrieving the B-tree node where file/directory information is stored. This method is not a method of constructing nodes based on structural information such as Container Superblock (NXSB) and Volume Checkpoint Superblock (APSB), and B-tree root and leaf node information. The entire disk cluster is traversed to find scattered B-tree leaf nodes and to gather all the information in the file system to build information. It is a method of reconstructing a tree structure of a file/directory based on refined essential data by removing duplicate data. We demonstrate that the proposed method is valid through the results of applying the proposed method by generating numbers of user files and directories.
목차
1. Introduction
2. Structures of APFS Filesystem Objects
2.1 APFS Overall Configuration
2.2 Record Type Related File and Directory Information
3. A File/Directory Reconstruction Method of APFS Filesystem
3.1 Overview
3.2 Step 1: B-Tree Leaf Looking-Up
3.3 Step 2: B-Tree Leaf Parsing
3.4 Step 3: Data Refining
3.5 Step 4: Reporting
4. Experimental Results
4.1 Development Environments
4.2 Experiment of APFS File/Directory Reconstruction
5. Conclusions
References