Christopher John Lees
Greater Manchester Police, UK
Posters-Accepted Abstracts: J Forensic Res
Programs which remove forensic artefacts can be a hindrance to forensic investigators, and proving their use can often be difficult, as can proving the use of the "private browsing" modes available in many Internet browsers. In this paper we examine the ways in which the Update Sequence Number (USN) journal file can be used to show signs that such software or modes of operation have been used. When NTFS journaling is enabled, the USN journal provides a list of transactions relating to files on the volume. This includes a list of all file creations, renames and deletions. By examining this journal after the use of common programs designed to remove artefacts or prevent artefacts from being created, we can see that there are patterns within the journals which can be used to detect such activity. Specifically, references to the creation of or access to prefetch files for the Internet Explorer browser and large numbers of deletions are consistent with InPrivate browsing being used. The use of the CCleaner software also creates distinctive patterns within the USN journal.
Email: chrislees2k6@o2.co.uk
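The kind of check the abstract describes, as an added example that is not code from the paper: it parses raw USN_RECORD_V2 entries from an exported $J stream, then reports records naming an Internet Explorer prefetch file and the densest run of deletions. The 60-second window, the threshold of 50 deletions, the helper names and the sample records are assumptions made for this illustration, not values from the author's work.

```python
import struct
from datetime import datetime, timedelta, timezone

HDR = struct.Struct("<IHHQQQQIIIIHH")      # fixed 60-byte part of USN_RECORD_V2
FILE_CREATE, FILE_DELETE = 0x100, 0x200    # USN_REASON_FILE_CREATE / _DELETE
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_usn_v2(buf):
    """Yield (timestamp, reason, file name) for each V2 record in raw $J bytes."""
    pos = 0
    while pos + HDR.size <= len(buf):
        (length, major, _, _, _, _, ft, reason, _, _, _,
         nlen, noff) = HDR.unpack_from(buf, pos)
        if length == 0:                    # zero fill between records
            pos += 8
            continue
        if length < HDR.size or pos + length > len(buf):
            break                          # truncated or corrupt record
        if major == 2 and noff + nlen <= length:
            name = buf[pos + noff:pos + noff + nlen].decode("utf-16-le", "replace")
            yield EPOCH + timedelta(microseconds=ft // 10), reason, name
        pos += (length + 7) & ~7           # records are 8-byte aligned

def flag_activity(records, window=timedelta(seconds=60), threshold=50):
    """Report IE prefetch references and the densest run of deletions."""
    records = list(records)
    prefetch = [(ts, n) for ts, _, n in records
                if n.upper().startswith("IEXPLORE.EXE-") and n.upper().endswith(".PF")]
    deletes = sorted(ts for ts, r, _ in records if r & FILE_DELETE)
    peak = start = 0
    for end, ts in enumerate(deletes):     # sliding window over delete times
        while ts - deletes[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {"ie_prefetch": prefetch, "peak_deletes": peak,
            "delete_burst": peak >= threshold}   # threshold is an assumption

def make_record(ts, reason, name):
    """Build one constructed USN_RECORD_V2 (hypothetical helper for the sample)."""
    raw = name.encode("utf-16-le")
    ft = (ts - EPOCH) // timedelta(microseconds=1) * 10
    length = (HDR.size + len(raw) + 7) & ~7
    head = HDR.pack(length, 2, 0, 0, 0, 0, ft, reason, 0, 0, 0x20, len(raw), HDR.size)
    return (head + raw).ljust(length, b"\0")

# Constructed sample: one prefetch record, then 80 deletions within 8 seconds.
T0 = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = make_record(T0, FILE_CREATE, "IEXPLORE.EXE-0A1B2C3D.pf") + b"".join(
    make_record(T0 + timedelta(seconds=300 + i / 10), FILE_DELETE, f"cache{i}.tmp")
    for i in range(80))
```

Calling `flag_activity(parse_usn_v2(SAMPLE))` returns the prefetch hit and a peak of 80 deletions in one window. A burst of deletions on its own also fits ordinary temp-file clean-up, so the counts are a pointer to where in the journal to look, not a finding.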