Reconstructing Timelines: From NTFS Timestamps to File Histories

Cited by: 1
Authors
Bouma, Jelle [1]
Jonker, Hugo [1]
van der Meer, Vincent [2]
van den Aker, Eddy [2]
Affiliations
[1] Open Univ Netherlands, Heerlen, Netherlands
[2] Zuyd Univ Appl Sci, Heerlen, Netherlands
Keywords
Digital forensics; Timestamps; File history; Timelines
DOI
10.1145/3600160.3605027
Chinese Library Classification number
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
File history facilitates the creation of a timeline of attributed events, which is crucial in digital forensics. Timestamps play an important role for determining what happened to a file. Previous studies into leveraging timestamps to determine file history focused on identification of the last operation applied to a file. In contrast, in this paper, we determine all possible file histories given a file's current NTFS timestamps. That is, we infer all possible sequences of file system operations which culminate in the file's current NTFS timestamps. This results in a tree of timelines, with root node the current file state. Our method accounts for various forms of timestamp forgery. We provide an implementation of this method that depicts possible histories graphically.
Pages: 20
Related papers
50 in total
  • [1] Time for Truth: Forensic Analysis of NTFS Timestamps
    Galhuber, Michael
    Luh, Robert
    ARES 2021: 16TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY, 2021
  • [2] Timelines on file
    Tallent, E
    LIBRARY JOURNAL, 2000, 125 (19) : 107 - 107
  • [3] Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS
    Neuner, Sebastian
    Voyiatzis, Artemios G.
    Schmiedecker, Martin
    Weippl, Edgar R.
    PROCEEDINGS OF THE 12TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES 2017), 2017
  • [4] Detection of Timestamps Tampering in NTFS using Machine Learning
    Mohamed, Alji
    Khalid, Chougdali
    10TH INT CONF ON EMERGING UBIQUITOUS SYST AND PERVAS NETWORKS (EUSPN-2019) / THE 9TH INT CONF ON CURRENT AND FUTURE TRENDS OF INFORMAT AND COMMUN TECHNOLOGIES IN HEALTHCARE (ICTH-2019) / AFFILIATED WORKSHOPS, 2019, 160 : 778 - 784
  • [5] A Method of Traceless File Deletion for NTFS File System
    Xu, Shujiang
    Wang, Fansheng
    Wang, Lianhai
    Chang, Xu
    Yang, Tongfeng
    Yang, Weijun
    CYBERSPACE SAFETY AND SECURITY, CSS 2022, 2022, 13547 : 109 - 117
  • [6] File Timestamps for Digital Cloud Investigations
    Thorpe, Sean
    Ray, Indrajit
    JOURNAL OF INFORMATION ASSURANCE AND SECURITY, 2011, 6 (06) : 495 - 502
  • [7] Data hiding in the NTFS file system
    Huebner, Ewa
    Bem, Derek
    Wee, Cheong Kai
    DIGITAL INVESTIGATION, 2006, 3 (04) : 211 - 226
  • [8] A contemporary investigation of NTFS file fragmentation
    van der Meer, Vincent
    Jonker, Hugo
    van den Bos, Jeroen
    FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION, 2021, 38
  • [9] The rules of time on NTFS file system
    Chow, K. P.
    Law, Frank Y. W.
    Kwan, Michael Y. K.
    Lai, Pierre K. Y.
    SADFE 2007: SECOND INTERNATIONAL WORKSHOP ON SYSTEMATIC APPROACHES TO DIGITAL FORENSIC ENGINEERING, PROCEEDINGS, 2007, : 71 - 85
  • [10] The Research of Fast File Destruction Based on NTFS
    Huang, Jun
    Wu, Shunxiang
    EMERGING COMPUTATION AND INFORMATION TECHNOLOGIES FOR EDUCATION, 2012, 146 : 613 - 619