Extensible Storage Engine

14,000,000 Leading Edge Experts on the ideXlab platform

The Experts below are selected from a list of 9 Experts worldwide ranked by ideXlab platform

Howard Chivers - One of the best experts on this subject based on the ideXlab platform.

  • Private browsing: A window of forensic opportunity
    Digital Investigation, 2014
    Co-Authors: Howard Chivers
    Abstract:

    The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.

Chivers, Howard Robert - One of the best experts on this subject based on the ideXlab platform.

  • Navigating the Windows Mail database
    Elsevier BV, 2018
    Co-Authors: Chivers, Howard Robert
    Abstract:

    The Extensible Storage Engine (ESE) database is used to support many forensically important applications in the Windows operating system, and a study of how ESE is used in one application provides wider insights into data storage in other current and future applications. In Windows 10, Windows Mail uses an ESE database to store messages, appointments and related data; however, field (column) names used to identify these records are hexadecimal property tags, many of which are undocumented. To support forensic analysis a series of experiments were carried out to identify the function of these tags, and this work resulted in a body of related information about the Mail application. This paper documents property tags that have been mapped, and presents how Windows Mail artifacts recovered from the ESE store.vol database can be interpreted, including how the paths of files recorded by the Mail system are derived from database records. We also present examples that illustrate forensic issues in the interpretation of email messages and appointment records, and show how additional information can be obtained by associating these records with other information in the ESE database.

Sangjin Lee - One of the best experts on this subject based on the ideXlab platform.

  • Recovery method of deleted records and tables from ESE database
    Digital Investigation, 2016
    Co-Authors: Jeonghyeon Kim, Aran Park, Sangjin Lee
    Abstract:

    The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information about how to recover deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.

Jeonghyeon Kim - One of the best experts on this subject based on the ideXlab platform.

  • Recovery method of deleted records and tables from ESE database
    Digital Investigation, 2016
    Co-Authors: Jeonghyeon Kim, Aran Park, Sangjin Lee
    Abstract:

    The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information about how to recover deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.

Aran Park - One of the best experts on this subject based on the ideXlab platform.

  • Recovery method of deleted records and tables from ESE database
    Digital Investigation, 2016
    Co-Authors: Jeonghyeon Kim, Aran Park, Sangjin Lee
    Abstract:

    The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information about how to recover deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.