De-Wipimization: Detection of Data Wiping Traces for Investigating NTFS File System
Computers & Security (IF 5.6), Pub Date: 2020-12-01, DOI: 10.1016/j.cose.2020.102034
Dong Bin Oh, Kyung Ho Park, Huy Kang Kim

Abstract: Data wiping is used to securely delete unwanted files. However, the misuse of data wiping can destroy or spoil pieces of evidence in a digital forensic investigation. To cope with the misuse of data wiping, we proposed an anti-anti-forensic method based on NTFS transaction features and a machine learning algorithm. This method allows investigators to obtain information regarding ‘which files are wiped’ and ‘which data wiping tools and data sanitization standards were used’. In this study, we achieved good identification of data wiping traces in the NTFS file system. Leveraging the efficiency of machine learning models, our method effectively recognizes wiped partitions and files in the NTFS file system and identifies tools used in data sanitization.

Updated: 2020-12-01