{"id":"https://openalex.org/W2026552140","doi":"https://doi.org/10.1109/issa.2013.6641056","title":"Forensic entropy analysis of microsoft windows storage volumes","display_name":"Forensic entropy analysis of microsoft windows storage volumes","publication_year":2013,"publication_date":"2013-08-01","ids":{"openalex":"https://openalex.org/W2026552140","doi":"https://doi.org/10.1109/issa.2013.6641056","mag":"2026552140"},"language":"en","primary_location":{"id":"doi:10.1109/issa.2013.6641056","is_oa":false,"landing_page_url":"https://doi.org/10.1109/issa.2013.6641056","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2013 Information Security for South Africa","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Peter Weston","orcid":null},"institutions":[{"id":"https://openalex.org/I124357947","display_name":"University of London","ror":"https://ror.org/04cw6st05","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Peter Weston","raw_affiliation_strings":["Information Security Group, University of London, Egham, Surrey, UK","Inf. Security Group, Univ. of London, Egham, UK#TAB#"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Information Security Group, University of London, Egham, Surrey, UK","institution_ids":["https://openalex.org/I124357947"]},{"raw_affiliation_string":"Inf. Security Group, Univ. of London, Egham, UK#TAB#","institution_ids":["https://openalex.org/I124357947"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5013455841","display_name":"Stephen D. Wolthusen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Stephen D. Wolthusen","raw_affiliation_strings":["Hogskolen i Gjovik, Gjovik, Oppland, NO","Norwegian Information Security Laboratories, Gj\u00f8vik University College, Gj\u00f8vik, Norway#TAB#"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Hogskolen i Gjovik, Gjovik, Oppland, NO","institution_ids":[]},{"raw_affiliation_string":"Norwegian Information Security Laboratories, Gj\u00f8vik University College, Gj\u00f8vik, Norway#TAB#","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.6724,"has_fulltext":false,"cited_by_count":2,"citation_normalized_percentile":{"value":0.88389862,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":96},"biblio":{"volume":"5075","issue":null,"first_page":"1","last_page":"7"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12357","display_name":"Digital Media Forensic Detection","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9980999827384949,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7267062067985535},{"id":"https://openalex.org/keywords/entropy","display_name":"Entropy (arrow of time)","score":0.6138082146644592},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.6083977222442627},{"id":"https://openalex.org/keywords/digital-forensics","display_name":"Digital forensics","score":0.5267952084541321},{"id":"https://openalex.org/keywords/randomness","display_name":"Randomness","score":0.4820721745491028},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.4622907340526581},{"id":"https://openalex.org/keywords/copying","display_name":"Copying","score":0.45595884323120117},{"id":"https://openalex.org/keywords/volume","display_name":"Volume (thermodynamics)","score":0.43694016337394714},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.3531510829925537},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.1770939826965332},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.1699143946170807},{"id":"https://openalex.org/keywords/statistics","display_name":"Statistics","score":0.14377158880233765}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7267062067985535},{"id":"https://openalex.org/C106301342","wikidata":"https://www.wikidata.org/wiki/Q4117933","display_name":"Entropy (arrow of time)","level":2,"score":0.6138082146644592},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.6083977222442627},{"id":"https://openalex.org/C84418412","wikidata":"https://www.wikidata.org/wiki/Q3246940","display_name":"Digital forensics","level":2,"score":0.5267952084541321},{"id":"https://openalex.org/C125112378","wikidata":"https://www.wikidata.org/wiki/Q176640","display_name":"Randomness","level":2,"score":0.4820721745491028},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4622907340526581},{"id":"https://openalex.org/C2779151265","wikidata":"https://www.wikidata.org/wiki/Q1156791","display_name":"Copying","level":2,"score":0.45595884323120117},{"id":"https://openalex.org/C20556612","wikidata":"https://www.wikidata.org/wiki/Q4469374","display_name":"Volume (thermodynamics)","level":2,"score":0.43694016337394714},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3531510829925537},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.1770939826965332},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.1699143946170807},{"id":"https://openalex.org/C105795698","wikidata":"https://www.wikidata.org/wiki/Q12483","display_name":"Statistics","level":1,"score":0.14377158880233765},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/issa.2013.6641056","is_oa":false,"landing_page_url":"https://doi.org/10.1109/issa.2013.6641056","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2013 Information Security for South Africa","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Responsible consumption and production","id":"https://metadata.un.org/sdg/12","score":0.46000000834465027}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":39,"referenced_works":["https://openalex.org/W4352779","https://openalex.org/W134076915","https://openalex.org/W139030970","https://openalex.org/W608085605","https://openalex.org/W1577231857","https://openalex.org/W1750292977","https://openalex.org/W1859950511","https://openalex.org/W1929436232","https://openalex.org/W1970887064","https://openalex.org/W1971505546","https://openalex.org/W1985972324","https://openalex.org/W1989007169","https://openalex.org/W2019239374","https://openalex.org/W2024171325","https://openalex.org/W2049076353","https://openalex.org/W2069028274","https://openalex.org/W2096493624","https://openalex.org/W2097726984","https://openalex.org/W2101347959","https://openalex.org/W2104529203","https://openalex.org/W2107745473","https://openalex.org/W2112437856","https://openalex.org/W2116773818","https://openalex.org/W2117649838","https://openalex.org/W2122031263","https://openalex.org/W2122956713","https://openalex.org/W2127619106","https://openalex.org/W2131202906","https://openalex.org/W2141040970","https://openalex.org/W2143421017","https://openalex.org/W2150423842","https://openalex.org/W2151958475","https://openalex.org/W2169369860","https://openalex.org/W2741914005","https://openalex.org/W4388658022","https://openalex.org/W6605710230","https://openalex.org/W6637686179","https://openalex.org/W6640328985","https://openalex.org/W6656779674"],"related_works":["https://openalex.org/W4308771405","https://openalex.org/W2355873265","https://openalex.org/W2963669501","https://openalex.org/W3080197661","https://openalex.org/W4318471783","https://openalex.org/W2760667490","https://openalex.org/W2991781269","https://openalex.org/W3035605494","https://openalex.org/W2951756867","https://openalex.org/W4299420056"],"abstract_inverted_index":{"The":[0,174],"use":[1,164,200],"of":[2,26,34,85,98,114,117,131,165,181,198,201,218],"file":[3,106,145],"or":[4,95],"volume":[5,62,108,118,147],"encryption":[6,202],"as":[7,74,79,226],"a":[8,61,139],"counter-forensic":[9],"technique,":[10],"particularly":[11,44],"when":[12],"combined":[13],"with":[14,71],"stegano-graphic":[15],"mechanisms,":[16,154],"depends":[17],"on":[18,112],"the":[19,24,31,93,115,132,152,157,160,178,199,216],"ability":[20],"to":[21,58,191],"plausibly":[22],"deny":[23],"presence":[25,33],"such":[27,78,225],"encrypted":[28,35,99,219],"data.":[29,229],"Establishing":[30],"likely":[32],"data":[36,73,220,224],"is":[37,168],"hence":[38],"highly":[39],"desirable":[40],"for":[41,215],"forensic":[42,53],"investigations,":[43],"if":[45],"an":[46,166],"automated":[47],"heuristic":[48],"can":[49,101],"be":[50,56,88,102],"devised.":[51],"Similarly,":[52,150,204],"analysts":[54],"must":[55],"able":[57],"identify":[59],"whether":[60],"has":[63],"been":[64,210],"sanitised":[65],"by":[66],"re-installation":[67],"and":[68,83,107,143,146,187,206],"subsequent":[69],"re-population":[70],"user":[72],"otherwise":[75],"significant":[76],"information":[77],"slack":[80,194],"space":[81,195],"contents":[82],"files":[84],"interest":[86],"will":[87],"unavailable.":[89],"We":[90],"claim":[91],"that":[92,159],"current":[94],"previous":[96],"existence":[97],"volumes":[100],"derived":[103],"from":[104,221],"studying":[105],"entropy":[109,119,148,171,196,205],"characteristics":[110],"based":[111],"knowledge":[113],"development":[116],"over":[120,138],"time.":[121],"To":[122],"validate":[123],"our":[124],"hypothesis,":[125],"we":[126,155],"have":[127,209],"examined":[128],"several":[129,182],"versions":[130],"Microsoft":[133],"Windows":[134],"operating":[135],"system":[136],"platform":[137],"simulated":[140],"installation":[141,167],"life-cycle":[142],"established":[144],"metrics.":[149],"using":[151],"same":[153],"verified":[156],"hypothesis":[158],"aging":[161],"through":[162,170],"regular":[163],"identifiable":[169],"fingerprint":[172],"analysis.":[173],"results":[175],"obtained":[176],"allow":[177],"rapid":[179],"identification":[180],"volume-level":[183],"operations":[184],"including":[185],"copying":[186],"wiping,":[188],"but":[189],"also":[190],"detect":[192],"anomalous":[193],"indicative":[197],"techniques.":[203],"randomness":[207],"tests":[208],"devised":[211],"which":[212],"provide":[213],"heuristics":[214],"differentiation":[217],"other":[222],"high-entropy":[223],"compressed":[227],"media":[228]},"counts_by_year":[{"year":2015,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}