A computer forensic method for detecting timestamp forgery in NTFS

In this paper, we present a computer forensic method for detecting timestamp forgeries in the Windows NTFS file system. Examining only the timestamps of a file itself rarely shows with certainty whether they have been changed. If the timestamps the file carried before a change can be recovered, they act as evidence of file time forgery. Operations on files leave large amounts of information in the $LogFile transaction journal; its log records can be used to reconstruct the operations on the files and serve as forensic evidence. A log record with the 0x07/0x07 Redo/Undo operation codes carries, in its Redo and Undo data, the present and the past timestamps respectively. These past-and-present timestamps can be decisive evidence of timestamp forgery, because they show when and how the timestamps were changed. We used file time change tools that can easily be found on Internet sites. The timestamp change patterns created by these tools differ from those of normal file operations. Seven file operations produce ten timestamp change patterns in total, defined by how the timestamps in the $STANDARD_INFORMATION attribute and the $FILE_NAME attribute change. We built rule sets for detecting timestamp forgery from the differences between the timestamp change patterns of the file time change tools and those of normal file operations. We apply the forensic rule sets to “.txt”, “.docx” and “.pdf” file types and show the effectiveness and validity of the proposed method. The importance of this research lies in the fact that the past time can be found in the $LogFile, which gives decisive evidence of timestamp forgery. This makes the timestamp active evidence rather than merely passive evidence.
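The following Python is an added example and is not code from the paper or its author. It shows the kind of comparison the abstract describes: given the Undo (past) and Redo (present) data of a 0x07/0x07 $LogFile record, decode the four $STANDARD_INFORMATION FILETIMEs, set them beside the $FILE_NAME timestamps and apply detection rules. The four rules are illustrative heuristics, not the paper's ten patterns or its rule sets; extracting the record from $LogFile and locating the file's $FILE_NAME attribute are assumed to have been done already, and all sample bytes are constructed.

```python
"""Rule checks over past/present NTFS timestamps recovered from a $LogFile record.

Assumptions (not from the paper): the record's Redo and Undo data start with the
four FILETIME fields of $STANDARD_INFORMATION, and the $FILE_NAME attribute has
its four FILETIMEs at offset 8, after the parent directory reference.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_modified", "accessed")
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime.
    datetime stores microseconds, so the trailing 100 ns digit is dropped."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime, ticks_100ns: int = 0) -> int:
    """Inverse conversion; ticks_100ns supplies the extra 100 ns digit (0-9)."""
    delta = dt - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10 + ticks_100ns


def ft_utc(*args, ticks=0) -> int:
    """datetime(...) components in UTC to a FILETIME (constructed test data helper)."""
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc), ticks)


def pack_timestamps(created: int, modified: int, mft_modified: int, accessed: int) -> bytes:
    """Four little-endian FILETIMEs in NTFS attribute order (32 bytes)."""
    return struct.pack("<4Q", created, modified, mft_modified, accessed)


def decode_timestamps(blob: bytes, offset: int = 0) -> dict:
    """Read four FILETIMEs: offset 0 for $STANDARD_INFORMATION data, 8 for $FILE_NAME."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", blob, offset)))


def check_timestamp_change(undo: dict, redo: dict, file_name: dict) -> list:
    """Compare pre-change (Undo) and post-change (Redo) $STANDARD_INFORMATION
    timestamps with each other and with $FILE_NAME; return the heuristic rules
    that fire. An empty list means the update looked like a normal operation."""
    hits = []
    changed = [f for f in FIELDS if undo[f] != redo[f]]
    if not changed:
        return hits
    # A: creation time moved backwards. No normal operation backdates it.
    if redo["created"] < undo["created"]:
        hits.append("created_moved_backwards")
    # B: all four timestamps rewritten by one update record. Normal operations
    # touch one to three of them (a write changes modified and MFT modified).
    if len(changed) == 4:
        hits.append("all_four_changed_at_once")
    # C: new $SI creation time predates the $FILE_NAME creation time. $FILE_NAME
    # is kernel-maintained and not reachable through SetFileTime. Limited to the
    # creation time because a copy legitimately leaves $SI modified older than
    # $FN modified; tools that preserve creation time across a cross-volume move
    # can also trip this rule, so treat it as corroborating, not decisive.
    if redo["created"] < file_name["created"]:
        hits.append("si_created_predates_file_name")
    # D: every rewritten value has a zero sub-second part, typical of tools that
    # accept the new time with one-second granularity.
    if all(redo[f] % TICKS_PER_SECOND == 0 for f in changed):
        hits.append("zero_subsecond_values")
    return hits


def analyse_record(undo_data: bytes, redo_data: bytes, file_name_attr: bytes) -> list:
    """Raw-bytes wrapper: Undo data, Redo data and the $FILE_NAME attribute body."""
    return check_timestamp_change(decode_timestamps(undo_data), decode_timestamps(redo_data),
                                  decode_timestamps(file_name_attr, offset=8))


# Constructed sample: MFT reference 5 / sequence 5 as the parent, then $FN FILETIMEs,
# which keep the values set at file creation.
PARENT_REF = b"\x05\x00\x00\x00\x00\x00\x05\x00"
CREATED = ft_utc(2012, 3, 15, 10, 20, 30, 123456, ticks=7)
MODIFIED = ft_utc(2012, 6, 1, 8, 0, 0, 500000, ticks=2)
ACCESSED = ft_utc(2012, 6, 2, 9, 0, 0, 0, ticks=9)
FILE_NAME_ATTR = PARENT_REF + pack_timestamps(CREATED, CREATED, CREATED, CREATED)


def sample_forged_record():
    """File created 2012-03-15, written 2012-06-01, then backdated by a tool to
    2009-01-01 00:00:00 exactly (constructed Undo/Redo data)."""
    undo = pack_timestamps(CREATED, MODIFIED, MODIFIED, ACCESSED)
    forged = ft_utc(2009, 1, 1)
    redo = pack_timestamps(forged, forged, forged, forged)
    return undo, redo, FILE_NAME_ATTR


def sample_normal_write():
    """The same file receiving an ordinary content write (constructed data)."""
    undo = pack_timestamps(CREATED, MODIFIED, MODIFIED, ACCESSED)
    later = ft_utc(2012, 6, 3, 14, 5, 6, 789012, ticks=3)
    redo = pack_timestamps(CREATED, later, later, ACCESSED)
    return undo, redo, FILE_NAME_ATTR


if __name__ == "__main__":
    for label, sample in (("forged", sample_forged_record()), ("normal write", sample_normal_write())):
        print(label, "->", analyse_record(*sample) or "no rule fired")
```

The value of the $LogFile record is that the Undo data gives the analyst the pre-change values directly, so rule A can be evaluated on facts rather than inferred; rules C and D work on the post-change values alone and are the kind of check that can also be run over a plain $MFT export.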

Bibliographic details
Published in: Computers & Security, 2013-05, Vol. 34, pp. 36-46
Author: Cho, Gyu-Sang
Format: Article
Language: eng
Online access: Full text
container_end_page 46
container_issue
container_start_page 36
container_title Computers & security
container_volume 34
creator Cho, Gyu-Sang
description In this paper, we present a computer forensic method for detecting timestamp forgeries in the Windows NTFS file system. Examining only the timestamps of a file itself rarely shows with certainty whether they have been changed. If the timestamps the file carried before a change can be recovered, they act as evidence of file time forgery. Operations on files leave large amounts of information in the $LogFile transaction journal; its log records can be used to reconstruct the operations on the files and serve as forensic evidence. A log record with the 0x07/0x07 Redo/Undo operation codes carries, in its Redo and Undo data, the present and the past timestamps respectively. These past-and-present timestamps can be decisive evidence of timestamp forgery, because they show when and how the timestamps were changed. We used file time change tools that can easily be found on Internet sites. The timestamp change patterns created by these tools differ from those of normal file operations. Seven file operations produce ten timestamp change patterns in total, defined by how the timestamps in the $STANDARD_INFORMATION attribute and the $FILE_NAME attribute change. We built rule sets for detecting timestamp forgery from the differences between the timestamp change patterns of the file time change tools and those of normal file operations. We apply the forensic rule sets to “.txt”, “.docx” and “.pdf” file types and show the effectiveness and validity of the proposed method. The importance of this research lies in the fact that the past time can be found in the $LogFile, which gives decisive evidence of timestamp forgery. This makes the timestamp active evidence rather than merely passive evidence.
doi_str_mv 10.1016/j.cose.2012.11.003
format Article
publisher Amsterdam: Elsevier Ltd
publication_date 2013-05-01
coden CPSEDU
rights 2012 Elsevier Ltd; 2014 INIST-CNRS; Copyright Elsevier Sequoia S.A. May 2013
tpages 11
fulltext_link https://www.sciencedirect.com/science/article/pii/S0167404812001721
backlink http://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&idt=27199702 (Pascal Francis record)
fulltext fulltext
identifier ISSN: 0167-4048
ispartof Computers & security, 2013-05, Vol.34, p.36-46
issn 0167-4048
1872-6208
language eng
recordid cdi_proquest_miscellaneous_1365153425
source Elsevier ScienceDirect Journals
subjects Applied sciences
Computer forensics
Computer information security
Computer science; control theory; systems
Computer systems and distributed systems. User interface
Evidence
Exact sciences and technology
Files management
Forensic engineering
Forgery
Internet
Leaves
LogFile
Memory and file management (including protection and security)
Memory organisation. Data processing
NTFS
Patterns of file time change
Software
Studies
Timestamp forgery
Windows (computer programs)
title A computer forensic method for detecting timestamp forgery in NTFS