Timeline forgery is a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded. In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much-needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. Finally, we analyze the effect and efficacy of 7 third-party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.