Forensic Detection of Timestamp Manipulation for Digital Forensic Investigation

Junghoon Oh, Sangjin Lee, Hyunuk Hwang

    Research output: Contribution to journal › Article › peer-review

    Abstract

    File system forensics is one of the most important areas of digital forensic investigations. To date, various file system forensic methods have been studied, of which anti-forensic countermeasures include deleted file recovery, metadata recovery, and metadata manipulation detection. In particular, manipulation detection of timestamps, which are important file metadata, is one of the key techniques in digital forensic investigations. Existing detection methods for file timestamp manipulation in the New Technology File System (NTFS) have been studied based on various file system and operating system artifacts. This paper compares and analyzes the features and limitations of various existing detection methods and confirms that the NTFS journal-based detection method is the most effective way to detect timestamp manipulation. However, previous NTFS journal-based detection methods have limitations such as incorrectly identifying normal events as manipulation or detecting manipulation only in limited cases. Therefore, we propose a new detection algorithm that can overcome these limitations. The proposed detection algorithm was implemented as a tool and verified through performance comparison experiments with existing detection methods. The results of the experiments showed that the proposed detection algorithm has significantly improved performance by detecting timestamp manipulations that were not detected by previous detection methods and by correctly identifying normal events that were misidentified by existing detection methods. Finally, we introduce a case in which existing detection methods and the proposed detection algorithm are applied to malware that performs file timestamp manipulation in real-world advanced persistent threat attacks, the results of which confirm the superiority of the proposed detection algorithm.

    Original language: English
    Pages (from-to): 72544-72565
    Number of pages: 22
    Journal: IEEE Access
    Volume: 12
    DOIs
    Publication status: Published - 2024

    Bibliographical note

    Publisher Copyright:
    © 2013 IEEE.

    Keywords

    • anti-forensic countermeasures
    • File system
    • forensic detection
    • forensics
    • timestamp manipulation

    ASJC Scopus subject areas

    • General Computer Science
    • General Materials Science
    • General Engineering
