PAREX: A Novel exFAT Parser for File System Forensics

Gaurav Gogia; Parag Rughani

doi:10.13053/cys-28-2-4804

PAREX: A Novel exFAT Parser for File System Forensics

Authors

Gaurav Gogia National Forensic Sciences University
Parag Rughani National Forensic Sciences University

DOI:

https://doi.org/10.13053/cys-28-2-4804

Keywords:

Exfat, Parsers, File system forensics, Digital forensics

Abstract

File systems, being one of the core components of any computational device, contain the most important information which makes them pivotal to any digital forensics investigation. However, file system parsing is a complex process. Existing file system forensic software are capable of processing large datasets but often at the cost of either performance or resource utilisation. Slow evidence processing has a direct impact on investigation time, while higher resource requirements have a monetary impact. Digital Forensics labs are often on a constrained budget in terms of both time and money. So, they often need to define priorities on a case-by-case basis. Another major concern for forensic investigators is correctness. Tools that suffer from memory management issues may generate inconsistent reports or worse yet, increase overall attack surface for malware that may pollute investigator's workstation. This research proposes a novel open-source exFAT file system parsing library. It has been validated against the current open-source state-of-the-art: The Sleuth Kit (TSK), on a dataset of disk images ranging from 1MiB to 1TiB. Experimental results indicate that the proposed tool is 40 times faster and 17 times more memory efficient than TSK.

Downloads

Published

2024-06-12

Issue

Vol. 28 No. 2 (2024): 28(2) 2024

Section

Articles

License

Hereby I transfer exclusively to the Journal "Computación y

Sistemas", published by the Computing Research Center (CIC-IPN),

the Copyright of the aforementioned paper. I also accept that these

rights will not be transferred to any other publication, in any other

format, language or other existing means of developing.

I certify that the paper has not been previously disclosed or simultaneo

usly submitted to any other publication, and that it does not contain

material whose publication would violate the Copyright or other

proprietary rights of any person, company or institution. I certify that

I have the permission from the institution or company where I work or

study to publish this work.

The representative author accepts the responsibility for the publication

of this paper on behalf of each and every one of the authors.

This transfer is subject to the following conditions:

The authors retain all ownership rights (such as patent rights) of this work, except for the publishing rights transferred to the CIC, through this document.
Authors retain the right to publish the work in whole or in part in any book they are the authors or publishers. They can also make use of this work in conferences, courses, personal web pages, and so on.
Authors may include working as part of his thesis, for non-profit distribution only.