http://dx.doi.org/10.17662/ksdim.2014.10.2.091

A Digital Forensic Method by an Evaluation Function Based on Timestamp Changing Patterns

Cho, Gyu Sang (Department of Computer Information Engineering, Dongyang University)
Publication Information
Journal of Korea Society of Digital Industry and Information Management / v.10, no.2, 2014, pp. 91-105
Abstract
This paper proposes a digital forensic method based on evaluation functions of timestamp changing patterns. Operations on a file or folder leave changed timestamps, which indicate what operations were executed. The timestamp changes produced by ten file operations and eight folder operations were examined; the analyses of the eight folder operations are new in this paper and were not performed in the previous works. Based on the timestamp changes of the file and the folder, two evaluation functions are proposed. The first evaluation function checks whether timestamps are changed by file and folder operations, and the second evaluation function checks whether timestamps originate from a source file or from another attribute field. From the two output values of these evaluation functions, a digital forensic investigation of the file or folder is performed. The proposed forensic method is tested for its usefulness on some cases, i.e. file copy and folder creation operations.
Keywords
Digital Forensics; Timestamp Changing Pattern; Forensic Evaluation Function; Event Reconstruction; NTFS Filesystem;
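The following Python is an added illustration, not code from the paper, of the two evaluation functions the abstract describes. The first function records which of the four NTFS timestamps (created, modified, MFT-entry modified, accessed) changed relative to a reference record; the second records whether each timestamp was carried over from a source file ("S"), equals the time of the operation ("T"), or matches neither ("?"). The pattern table, the attribute names `$STANDARD_INFORMATION` and `$FILE_NAME`, and all sample timestamps are constructed for this example and are assumptions, not the paper's own tables or data; the table encodes the commonly documented NTFS behaviour that a copied file keeps the source's modified time in `$STANDARD_INFORMATION` while `$FILE_NAME` is rewritten at copy time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# The four NTFS timestamps held in $STANDARD_INFORMATION and $FILE_NAME.
FIELDS = ("created", "modified", "mft_modified", "accessed")


@dataclass(frozen=True)
class Timestamps:
    created: datetime
    modified: datetime
    mft_modified: datetime
    accessed: datetime

    def get(self, field: str) -> datetime:
        return getattr(self, field)


def changed_pattern(before: Optional[Timestamps], after: Timestamps) -> Tuple[int, ...]:
    """First evaluation function: 1 for every timestamp that differs from the
    reference record (the source file, or the object before the operation).
    With no reference record (a newly created object) every field counts as changed."""
    if before is None:
        return (1,) * len(FIELDS)
    return tuple(int(before.get(f) != after.get(f)) for f in FIELDS)


def origin_pattern(after: Timestamps, op_time: datetime,
                   source: Optional[Timestamps] = None) -> Tuple[str, ...]:
    """Second evaluation function: for every timestamp, 'S' if it was carried over
    from the source record, 'T' if it equals the time of the operation,
    '?' if it matches neither (unexplained by the operation, worth a closer look)."""
    out = []
    for f in FIELDS:
        value = after.get(f)
        if source is not None and value == source.get(f):
            out.append("S")
        elif value == op_time:
            out.append("T")
        else:
            out.append("?")
    return tuple(out)


# Constructed pattern table (an assumption for this example, not the paper's):
# (changed pattern, origin pattern) expected per operation and attribute.
KNOWN_PATTERNS = {
    ("file copy", "$STANDARD_INFORMATION"):       ((1, 0, 1, 1), ("T", "S", "T", "T")),
    ("file copy", "$FILE_NAME"):                  ((1, 1, 1, 1), ("T", "T", "T", "T")),
    ("folder creation", "$STANDARD_INFORMATION"): ((1, 1, 1, 1), ("T", "T", "T", "T")),
    ("folder creation", "$FILE_NAME"):            ((1, 1, 1, 1), ("T", "T", "T", "T")),
}


def investigate(after, op_time, attribute, before=None, source=None):
    """Run both evaluation functions and return the operations whose known pattern
    matches; an empty list means no known operation explains the record."""
    observed = (changed_pattern(before, after), origin_pattern(after, op_time, source))
    return sorted(op for (op, attr), expected in KNOWN_PATTERNS.items()
                  if attr == attribute and expected == observed)


# Constructed sample records (not taken from the paper).
T0 = datetime(2014, 3, 1, 9, 0, 0)
OP_TIME = datetime(2014, 3, 5, 14, 30, 0)  # when the copy / folder creation happened
SOURCE = Timestamps(T0, T0 + timedelta(hours=1), T0 + timedelta(hours=1), T0 + timedelta(hours=2))
COPY_SI = Timestamps(OP_TIME, SOURCE.modified, OP_TIME, OP_TIME)  # destination $STANDARD_INFORMATION
COPY_FN = Timestamps(OP_TIME, OP_TIME, OP_TIME, OP_TIME)          # destination $FILE_NAME
NEW_FOLDER = Timestamps(OP_TIME, OP_TIME, OP_TIME, OP_TIME)
# A copy whose modified time matches neither the source nor the operation time.
TAMPERED = Timestamps(OP_TIME, datetime(1999, 1, 1), OP_TIME, OP_TIME)


def demo() -> dict:
    return {
        "copy_si": investigate(COPY_SI, OP_TIME, "$STANDARD_INFORMATION", before=SOURCE, source=SOURCE),
        "copy_fn": investigate(COPY_FN, OP_TIME, "$FILE_NAME", before=SOURCE, source=SOURCE),
        "new_folder": investigate(NEW_FOLDER, OP_TIME, "$STANDARD_INFORMATION"),
        "tampered": investigate(TAMPERED, OP_TIME, "$STANDARD_INFORMATION", before=SOURCE, source=SOURCE),
        "tampered_origin": origin_pattern(TAMPERED, OP_TIME, SOURCE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the constructed table, the `$STANDARD_INFORMATION` record of the copied file is explained only by "file copy" (its inherited modified time is the tell), whereas the `$FILE_NAME` record is consistent with both "file copy" and "folder creation", which is why the second evaluation function looks at the source-file origin of each timestamp and not only at whether it changed. A record that produces a "?" in the origin pattern matches no known operation and is reported as unexplained.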