Reconstructing Timelines: From NTFS Timestamps to File Histories

Cited by: 1
Authors
Bouma, Jelle [1]
Jonker, Hugo [1]
van der Meer, Vincent [2]
van den Aker, Eddy [2]
Affiliations
[1] Open Univ Netherlands, Heerlen, Netherlands
[2] Zuyd Univ Appl Sci, Heerlen, Netherlands
Keywords
Digital forensics; Timestamps; File history; Timelines
DOI
10.1145/3600160.3605027
Chinese Library Classification (CLC) number
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
File history facilitates the creation of a timeline of attributed events, which is crucial in digital forensics. Timestamps play an important role for determining what happened to a file. Previous studies into leveraging timestamps to determine file history focused on identification of the last operation applied to a file. In contrast, in this paper, we determine all possible file histories given a file's current NTFS timestamps. That is, we infer all possible sequences of file system operations which culminate in the file's current NTFS timestamps. This results in a tree of timelines, with root node the current file state. Our method accounts for various forms of timestamp forgery. We provide an implementation of this method that depicts possible histories graphically.
Pages: 20
Related papers
50 in total
  • [21] Invisible Bicycle: Parallel Histories and Different Timelines
    Smethurst, Paul
    TECHNOLOGY AND CULTURE, 2020, 61 (01) : 360 - 362
  • [22] CREATING A MAP OF USER DATA IN NTFS TO IMPROVE FILE CARVING
    Karresand, Martin
    Warnqvist, Asalena
    Lindahl, David
    Axelsson, Stefan
    Dyrkolbotn, Geir Olav
    ADVANCES IN DIGITAL FORENSICS XV, 2019, 569 : 133 - 158
  • [23] Computer Forensics Research and Implementation Based on NTFS File System
    Liu Naiqi
    Wang Zhongshan
    Hao Yujie
    Qin Ke
    2008 ISECS INTERNATIONAL COLLOQUIUM ON COMPUTING, COMMUNICATION, CONTROL, AND MANAGEMENT, VOL 1, PROCEEDINGS, 2008, : 519 - +
  • [24] Research on NTFS File Anti-Delete Forensic Technology
    Wu, Weimin
    Zhao, Gang
    Lai, Wenxin
    Lan, Jiongjiang
    PROCEEDINGS OF THE 2016 2ND WORKSHOP ON ADVANCED RESEARCH AND TECHNOLOGY IN INDUSTRY APPLICATIONS, 2016, 81 : 419 - 422
  • [25] ReconBin: Reconstructing Binary File from Execution for Software Analysis
    Ying, Lingyun
    Su, Purui
    Feng, Dengguo
    Wang, Xianggen
    Yang, Yi
    Liu, Yu
    2009 THIRD IEEE INTERNATIONAL CONFERENCE ON SECURE SOFTWARE INTEGRATION AND RELIABILITY IMPROVEMENT, PROCEEDINGS, 2009, : 222 - 229
  • [26] Mount SMB.pcap: Reconstructing file systems and file operations from network traffic
    Hilgert, Jan-Niclas
    Mahr, Axel
    Lambertz, Martin
    FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION, 2024, 50
  • [27] RECONSTRUCTING CHILDHOOD HEALTH HISTORIES
    Smith, James P.
    DEMOGRAPHY, 2009, 46 (02) : 387 - 403
  • [28] NTFS Data Tracker: Tracking file data history based on $LogFile
    Oh, Junghoon
    Lee, Sangjin
    Hwang, Hyunuk
    FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION, 2021, 39 (39):
  • [29] File Recovery Method in NTFS-Based Damaged RAID System
    Choi, Jong-Hyun
    Lee, Sangjin
    HUMAN-CENTRIC COMPUTING AND INFORMATION SCIENCES, 2022, 12
  • [30] Using the object ID index as an investigative approach for NTFS file systems
    Nordvik, Rune
    Toolan, Fergus
    Axelsson, Stefan
    DIGITAL INVESTIGATION, 2019, 28 : S30 - S39