본문 바로가기
  • Home

A Digital Forensic Analysis of Timestamp Change Tools for Windows NTFS

  • Journal of The Korea Society of Computer and Information
  • Abbr : JKSCI
  • 2019, 24(9), pp.51-58
  • DOI : 10.9708/jksci.2019.24.09.051
  • Publisher : The Korean Society Of Computer And Information
  • Research Area : Engineering > Computer Science
  • Received : August 12, 2019
  • Accepted : September 6, 2019
  • Published : September 30, 2019

Cho Gyu Sang 1

1동양대학교

Accredited

ABSTRACT

Temporal analysis is very useful and important for digital forensics for reconstructing the timeline of digital events. Forgery of a file's timestamp can lead to inconsistencies in the overall temporal relationship, making it difficult to analyze the timeline in reconstructing actions or events and the results of the analysis might not be reliable. The purpose of the timestamp change is to hide the data in a steganographic way, and the other purpose is for anti-forensics. In both cases, the time stamp change tools are requested to use. In this paper, we propose a classification method based on the behavior of the timestamp change tools. The timestamp change tools are categorized three types according to patterns of the changed timestamps after using the tools. By analyzing the changed timestamps, it can be decided what kind of tool is used. And we show that the three types of the patterns are closely related to API functions which are used to develop the tools.

Citation status

* References for papers published after 2022 are currently being built.

This paper was written with support from the National Research Foundation of Korea.