[KSCI] Korea Science Citation Index Service

http://dx.doi.org/10.9708/jksci.2019.24.09.051

A Digital Forensic Analysis of Timestamp Change Tools for Windows NTFS

Cho, Gyu-Sang (Dept. of Computer, Dongyang University)

Publication Information

Journal of the Korea Society of Computer and Information / v.24, no.9, 2019 , pp. 51-58 More about this Journal

Abstract

Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.

Keywords

$STANADARD_INFORMATION Attribute; $FILE_NAME Attribute; Timestamp Change Tool; NTFS Filesystem;

Citations & Related Records

Times Cited By KSCI : 2 (Citation Analysis)

Reference
Cited By KSCI

1	eXpress TimeStamp Toucher, "https://www.softpedia.com/get/System/File-Management/TimeStamp-Toucher.shtml
2	NewFileTime,"https://www.softwareok.com/?seite=Microsoft/NewFileTime"
3	Bulk File Changer, "https://www.nirsoft.net/utils/bulk_file_changer.html"
4	SKTimeStamp, https://tools.stefankueng.com/SKTimeStamp.html
5	Sebastian Neuner et. al., "Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS", Proc. of the 12th Int. Conf. on Availability, Reliability and Security(ARES '17), Aug. 29, 2017.
6	Gyu-Sang Cho, "A Computer Forensic Method for Detecting Timestamp Forgery in NTFS", Computer & Security, Vol. 34, pp. 36-46, 2013. 3] DOI
7	X. Ding, H. Zou, "Reliable Time Based Forensics in NTFS", 2010 Annual Computer Security Applications Conference, Dec. 6-10, 2010.
8	P. Zdzichowski et.al., "Anti-Forensic Study", NATO CCDCOE(NATO Cooperative Cyber Defence Centre of Excellence), www.ccdcoe.org, 2015.
9	Gyu-Sang Cho, "Data Hiding in NTFS Timestamps for Anti-Forensics", International Journal of Internet, Broadcasting and Communication, vol. 8, no. 3, pp. 31-40, 2016.8 DOI
10	Wicher Minnaard, "Timestomping NTFS," IMSc final research project report, University of Amsterdam, Faculty of Natural Sciences, Mathematics and Computer Science, 2014.
11	Gyu-Sang Cho, "A Steganographic Data Hiding Method in Timestamps by Bit Correction Technique for Anti-Forensics", Journal of The Korea Society of Computer and Information, Vol. 23 No. 8, pp. 75-84, August 2018.8 DOI
12	Neuner, S. et. al., "Time is on my side: stegano- graphy in filesystem metadata," Digital Investigation, 18, pp. S76-S86. 2016. DOI
13	A. Gungor, "Date Forgery Analysis and Timestamp Resolution", https://www.meridiandiscovery.com/articles/date-forgery-analysis-timestamp-resolution/, August 11, 2014
14	T. Gobel and H. Baier, "Anti-forensics in ext4: On secrecy and usability of timestamp-based data hiding," Digital Investigation, 24, pp. S111-S120, 2018. DOI
15	INFO: Working with the FILETIME Structure, https://support.microsoft.com/en-us/help/188768/info-working-with-the-filetime-structure
16	Microsoft Windows Dev Center, "SetFileTime function", https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-setfiletime
17	Microsoft Hardware Dev Center, "NtSetInformation File function", https://docs.microsoft.com/ko-kr/windows-hardware/drivers/ddi/content/ntfs/nf-ntifs-ntsetinformationfile
18	Microsoft Hardware Dev Center, "FILE_BASIC_INFORMATION sturcture", https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/ns-wdm-file_basic_information
19	SetMace, "https://github.com/jschicht/SetMace"
20	Metasploit Anti Forensics Project, http://www.metasploit.com/research/projects/antiforensics
21	Microsoft Hardware Dev Center, "IRP_MJ_WRITE", https://docs.microsoft.com/ko-kr/windows-hardware/drivers/ifs/irp-mj-write
22	Ahmed A. Bahjat and Jim Jones, "Deleted file fragment dating by analysis of allocated neighbors", Digital Investigation, Vol.28, pp. S60-S67, 2019. DOI
23	Gyu-Sang Cho, "Digital Forensic Analysis of Timestamp Change Tools: An Anti-Forensics Perspective", Proceedings of KSCI Summer Conference 2019 Vol. 27 No. 2, pp. 391-392, July 2019.
24	FileTouch, "http://www.softtreetech.com/24x7/archive/47.htm"
25	chtime, "https://github.com/Loadmaster/chtime-win32"