Forensic Entropy Analysis of Microsoft Windows Storage Volumes. / Weston, Peter; Wolthusen, Stephen D.

In: SAIEE Africa Research Journal, Vol. 105, No. 2, 2014, p. 21.

Research output: Contribution to journal › Article

Published


Vancouver

Weston P, Wolthusen SD. Forensic Entropy Analysis of Microsoft Windows Storage Volumes. SAIEE Africa Research Journal. 2014;105(2):21.

Author

Weston, Peter ; Wolthusen, Stephen D. / Forensic Entropy Analysis of Microsoft Windows Storage Volumes. In: SAIEE Africa Research Journal. 2014 ; Vol. 105, No. 2. pp. 21.

BibTeX

@article{aaaf1787b33d4c499a47d3dda0f90531,
title = "Forensic Entropy Analysis of Microsoft Windows Storage Volumes",
abstract = "The use of file or volume encryption as a counter-forensic technique depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is highly desirable for forensic investigations. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics using knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly we verified the hypothesis that the ageing through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained and tests devised allow the rapid identification of several volume-level operations and also detect anomalous slack space entropy indicative of the use of encryption techniques.",
author = "Peter Weston and Wolthusen, {Stephen D.}",
year = "2014",
language = "English",
volume = "105",
pages = "21",
journal = "SAIEE Africa Research Journal",
issn = "1991-1696",
number = "2",
}

RIS

TY - JOUR

T1 - Forensic Entropy Analysis of Microsoft Windows Storage Volumes

AU - Weston, Peter

AU - Wolthusen, Stephen D.

PY - 2014

Y1 - 2014

N2 - The use of file or volume encryption as a counter-forensic technique depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is highly desirable for forensic investigations. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics using knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly we verified the hypothesis that the ageing through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained and tests devised allow the rapid identification of several volume-level operations and also detect anomalous slack space entropy indicative of the use of encryption techniques.

AB - The use of file or volume encryption as a counter-forensic technique depends on the ability to plausibly deny the presence of such encrypted data. Establishing the likely presence of encrypted data is highly desirable for forensic investigations. We claim that the current or previous existence of encrypted volumes can be derived from studying file and volume entropy characteristics using knowledge of the development of volume entropy over time. To validate our hypothesis, we have examined several versions of the Microsoft Windows operating system platform over a simulated installation life-cycle and established file and volume entropy metrics. Similarly we verified the hypothesis that the ageing through regular use of an installation is identifiable through entropy fingerprint analysis. The results obtained and tests devised allow the rapid identification of several volume-level operations and also detect anomalous slack space entropy indicative of the use of encryption techniques.

M3 - Article

VL - 105

SP - 21

JO - SAIEE Africa Research Journal

JF - SAIEE Africa Research Journal

SN - 1991-1696

IS - 2

ER -