Structural Analysis of Timestamp Change Tool for NTFS
Session
Information Systems and Security
Description
Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.
Keywords:
$STANADARD_INFORMATION Attribute\, $FILE_NAME Attribute, Timestamp Change Tool, NTFS Filesystem
Session Chair
Naim Preniqi
Session Co-Chair
Blerton Abazi
Proceedings Editor
Edmond Hajrizi
ISBN
978-9951-550-19-2
Location
Pristina, Kosovo
Start Date
26-10-2019 1:30 PM
End Date
26-10-2019 3:30 PM
DOI
10.33107/ubt-ic.2019.79
Recommended Citation
Cho, Gyu Sang, "Structural Analysis of Timestamp Change Tool for NTFS" (2019). UBT International Conference. 79.
https://knowledgecenter.ubt-uni.net/conference/2019/events/79
Structural Analysis of Timestamp Change Tool for NTFS
Pristina, Kosovo
Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.