Analysis of time information for digital investigation

Jewan Bang; Byeongyeong Yoo; Jongsung Kim; Sangjin Lee

doi:10.1109/NCM.2009.258

Analysis of time information for digital investigation

Jewan Bang, Byeongyeong Yoo, Jongsung Kim, Sangjin Lee

School of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Citations (Scopus)

Abstract

In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.

Original language	English
Title of host publication	NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC
Pages	1858-1864
Number of pages	7
DOIs	https://doi.org/10.1109/NCM.2009.258
Publication status	Published - 2009
Event	NCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications - Seoul, Korea, Republic of Duration: 2009 Aug 25 → 2009 Aug 27

Publication series

Name	NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC

Other

Other	NCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications
Country/Territory	Korea, Republic of
City	Seoul
Period	09/8/25 → 09/8/27

Keywords

Digital investigation
File system
Time
Windows

ASJC Scopus subject areas

Computer Graphics and Computer-Aided Design
Computer Science Applications
Software

Access to Document

10.1109/NCM.2009.258

Cite this

Bang, J, Yoo, B, Kim, J & Lee, S 2009, Analysis of time information for digital investigation. in NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC., 5331448, NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC, pp. 1858-1864, NCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications, Seoul, Korea, Republic of, 09/8/25. https://doi.org/10.1109/NCM.2009.258

@inproceedings{53d4866866a643c29dae3731f31c3d7e,

title = "Analysis of time information for digital investigation",

abstract = "In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.",

keywords = "Digital investigation, File system, Time, Windows",

author = "Jewan Bang and Byeongyeong Yoo and Jongsung Kim and Sangjin Lee",

year = "2009",

doi = "10.1109/NCM.2009.258",

language = "English",

isbn = "9780769537696",

series = "NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC",

pages = "1858--1864",

booktitle = "NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC",

note = "NCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications ; Conference date: 25-08-2009 Through 27-08-2009",

}

TY - GEN

T1 - Analysis of time information for digital investigation

AU - Bang, Jewan

AU - Yoo, Byeongyeong

AU - Kim, Jongsung

AU - Lee, Sangjin

PY - 2009

Y1 - 2009

N2 - In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.

AB - In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.

KW - Digital investigation

KW - File system

KW - Time

KW - Windows

UR - http://www.scopus.com/inward/record.url?scp=73549099132&partnerID=8YFLogxK

U2 - 10.1109/NCM.2009.258

DO - 10.1109/NCM.2009.258

M3 - Conference contribution

AN - SCOPUS:73549099132

SN - 9780769537696

T3 - NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC

SP - 1858

EP - 1864

BT - NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC

T2 - NCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications

Y2 - 25 August 2009 through 27 August 2009

ER -

Analysis of time information for digital investigation

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this