http://dx.doi.org/10.9708/jksci.2019.24.09.051

A Digital Forensic Analysis of Timestamp Change Tools for Windows NTFS  

Cho, Gyu-Sang (Dept. of Computer, Dongyang University)
Abstract
Temporal analysis is useful and important in digital forensics for reconstructing the timeline of digital events. Forging a file's timestamps introduces inconsistencies into the overall temporal relationships, making the timeline hard to analyze when reconstructing actions or events, and the results of the analysis may become unreliable. Timestamps are changed for two purposes: to hide data steganographically and for anti-forensics. In both cases a timestamp change tool is needed. In this paper we propose a classification method based on the behavior of timestamp change tools. The tools are categorized into three types according to the patterns left in the changed timestamps after a tool has been used. By analyzing the changed timestamps, one can determine what kind of tool was used. We also show that the three pattern types are closely related to the API functions used to develop the tools.
Keywords
$STANDARD_INFORMATION Attribute; $FILE_NAME Attribute; Timestamp Change Tool; NTFS Filesystem;
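The abstract's point is that a timestamp change tool leaves a recoverable pattern in the two NTFS attributes that carry timestamps, $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN). The following Python is an added example, not the paper's tool and not its three-type classification: it parses one MFT FILE record (including the update-sequence fixups that a naive parser skips), reads the four timestamps from $SI and from each $FN attribute, and applies two heuristics commonly used by analysts, which are assumptions of this example rather than the paper's criteria: a $SI timestamp whose 100-ns sub-second part is exactly zero (set at second granularity), and a $SI creation time earlier than the $FN creation time (the user-mode SetFileTime path cannot rewrite $FN). The on-disk offsets follow the documented NTFS layout; the sample record, file name `report.docx` and timestamp values are constructed here for the demonstration.

```python
"""Parse one NTFS MFT FILE record and compare $STANDARD_INFORMATION ($SI) with
$FILE_NAME ($FN) timestamps. Added example, not the paper's own tool: offsets follow
the documented NTFS layout; the heuristics and the sample record are assumptions."""
import struct
from datetime import datetime, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                 # FILETIME counts 100-ns ticks
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TS_NAMES = ("created", "modified", "mft_modified", "accessed")
SECTOR = 512

def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10 + extra_ticks

def apply_fixups(record: bytes) -> bytearray:
    # On disk the last 2 bytes of each sector hold the update sequence number (USN) and the
    # real bytes sit in the fixup array; a parser that skips this reads garbage at sector ends.
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def parse_mft_record(record: bytes) -> dict:
    rec = apply_fixups(record)
    pos = struct.unpack_from("<H", rec, 0x14)[0]      # offset of first attribute
    used = struct.unpack_from("<I", rec, 0x18)[0]     # bytes of the record in use
    out = {"si": None, "fn": []}
    while pos + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        if rec[pos + 8] == 0 and atype in (ATTR_SI, ATTR_FN):   # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff:pos + coff + clen]
            if atype == ATTR_SI:
                out["si"] = dict(zip(TS_NAMES, struct.unpack_from("<4Q", body, 0)))
            else:                                     # $FN: 8-byte parent ref, then 4 timestamps
                fn = dict(zip(TS_NAMES, struct.unpack_from("<4Q", body, 8)))
                fn["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
                out["fn"].append(fn)
        pos += alen
    return out

def flag_anomalies(parsed: dict) -> list:
    # Two common analyst heuristics; assumptions of this example, not the paper's criteria.
    si, flags = parsed["si"], []
    if si is None or not parsed["fn"]:
        return ["record lacks $SI or $FN; nothing to compare"]
    for name, ft in si.items():
        if ft % TICKS_PER_SECOND == 0:                # whole-second value: set at 1 s granularity
            flags.append(f"$SI {name} has a zero sub-second part")
    for fn in parsed["fn"]:
        if si["created"] < fn["created"]:             # user-mode SetFileTime cannot rewrite $FN
            flags.append(f"$SI created precedes $FN created for '{fn['name']}'")
    return flags

def _attr(atype: int, content: bytes) -> bytes:
    padded = content + b"\0" * (-len(content) % 8)    # resident attribute header is 0x18 bytes
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(padded), 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0, 0) + padded

def build_sample_record(si_ts, fn_ts, name="report.docx") -> bytes:
    # Constructed 1024-byte FILE record (test data, not from a real volume), with fixups
    # applied the way the driver writes them.
    fn_body = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_ts, 0, 0, 0x20, 0, len(name), 1)
    body = (_attr(ATTR_SI, struct.pack("<4Q", *si_ts) + bytes(40))
            + _attr(ATTR_FN, fn_body + name.encode("utf-16-le"))
            + struct.pack("<I", ATTR_END) + bytes(4))
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr,
                      1, first_attr + len(body), 1024, 0, 0, 0, 42)
    rec = bytearray(hdr) + bytearray(8) + bytearray(body)
    rec += bytearray(1024 - len(rec))
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

def demo() -> list:
    # $FN keeps the real creation time (non-zero 100-ns part); $SI created was pushed back to
    # a whole second in 2015 by a user-mode tool, which cannot touch $FN.
    real = datetime_to_filetime(datetime(2019, 6, 1, 10, 23, 45, 123456, tzinfo=timezone.utc), 7)
    later = real + 300 * TICKS_PER_SECOND
    stomped = datetime_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))
    rec = build_sample_record((stomped, later, later, later), (real, later, later, later))
    return flag_anomalies(parse_mft_record(rec))
```

On a real image, feed `parse_mft_record` each 1024-byte record of `$MFT`; the fixup check is worth keeping, since a mismatch means the record is torn or corrupt and its timestamps should not be trusted either way. Both heuristics produce false positives on their own (second-granularity times also arise from copies off FAT media and from some archivers), so treat a hit as a reason to pull the $LogFile and $UsnJrnl entries for the file, not as proof of tampering.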