Tracking File´s Metadata from Computer Memory Analysis

With the advance in technology, the computer storage will become cheaper for the larger sizes. Previously, it allows the user to store more data at a lower cost. In context of digital forensic investigation, the traditional approach such as analysis on the hard disk will become inefficient in handling the huge data that is stored within it. The research on retrieving the open files from computer memory only focused on tracking the Virtual Address Descriptor (VAD) and Object Table. Thus, only the active object´s open files can be retrieved from the computer memory. The aim of this paper is to present algorithms to track the metadata of file from the well-known file system for Windows system such as File Allocation Table (FAT) and New Technologies File System (NTFS). The algorithms encompass the signature search to retrieve the boot sector and then capture the metadata about the file from the computer memory. The algorithm will be independent of address translation algorithm and able to capture the information from various file´s extension, not limited to .EXE and .DLL.