A Design of Timestamp Manipulation Detection Method using Storage Performance in NTFS (NTFS에서 저장장치 성능을 활용한 타임스탬프 변조 탐지 기법 설계)

Song JongHwa (송종화); Hyun-Seob Lee (이현섭)

doi:10.20465/KIOTS.2023.9.6.023

A Design of Timestamp Manipulation Detection Method using Storage Performance in NTFS

Journal of Internet of Things and Convergence
Abbr : JKIOTS
2023, 9(6), pp.23-28
DOI : 10.20465/KIOTS.2023.9.6.023
Publisher : The Korea Internet of Things Society
Research Area : Engineering > Computer Science > Internet Information Processing
Received : October 12, 2023
Accepted : December 14, 2023
Published : December 29, 2023

Song JongHwa ¹, Hyun-Seob Lee ²

¹성균관대학교
²백석대학교

Accredited

ABSTRACT

Windows operating system generates various logs with timestamps. Timestamp tampering is an act of anti-forensics in which a suspect manipulates the timestamps of data related to a crime to conceal traces, making it difficult for analysts to reconstruct the situation of the incident. This can delay investigations or lead to the failure of obtaining crucial digital evidence. Therefore, various techniques have been developed to detect timestamp tampering. However, there is a limitation in detection if a suspect is aware of timestamp patterns and manipulates timestamps skillfully or alters system artifacts used in timestamp tampering detection. In this paper, a method is designed to detect changes in timestamps, even if a suspect alters the timestamp of a file on a storage device, it is challenging to do so with precision beyond millisecond order. In the proposed detection method, the first step involves verifying the timestamp of a file suspected of tampering to determine its write time. Subsequently, the confirmed time is compared with the file size recorded within that time, taking into consideration the performance of the storage device. Finally, the total capacity of files written at a specific time is calculated, and this is compared with the maximum input and output performance of the storage device to detect any potential file tampering.

KEYWORDS

Timestamp, Manipulation Detection, Storage, NTFS, Anti-forensics

Citation status

* References for papers published after 2023 are currently being built.

[journal] 이근기 / 2014 / Study on advanced analysis method based on timeline chart for Digital Forensic Investigation / 한국항행학회논문지 / 한국항행학회 18(1) : 50~55

[journal] J. W. Bang / 2011 / Analysis of changes in file time attributes with file manipulation / Digital Investigation 7(3) : 135~144

[journal] G. S. Cho / 2013 / A computer forensic method for detecting timestamp forgery in NTFS / Computers & Security 34 : 36~46

[journal] 조규상 / 2014 / A Digital Forensic Method by an Evaluation Function Based on Timestamp Changing Patterns / (사)디지털산업정보학회 논문지 / (사)디지털산업정보학회 10(2) : 91~105

[confproc] D. I. Jang / 2016 / Understanding Anti-forensic Techniques with Timestamp Manipulation / 2016 IEEE 17th International Conference on Information Reuse and Integration (IRI) : 609~614

[thesis] H. J. Yoon / 2018 / A study on user behavior tracking using $UsnJrnl / Master / Seoul University

[thesis] J. H. Jeong / 2022 / A study on document reading and writing traces through NTFS file system journal file analysis / Master / Seoul University

[confproc] J. Bouma / 2023 / Reconstructing Timelines : From NTFS Timestamps to File Histories / ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security (154) : 1~9

[journal] D. Palmbach / 2020 / Artifacts for Detecting Timestamp Manipulation in NTFS on Windows and Their Reliability / Forensic Science International:Digital Investigation 32 : S1~S9

[journal] A. Mohamed / 2021 / Detection of Suspicious Timestamps in NTFS using Volume Shadow Copies / International Journal of Computer Network and Information Security 13(4) : 62~69

[confproc] M. Galhuber / 2021 / Time for Truth : Forensic Analysis of NTFS Timestamps / ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security (44) : 1~10

[journal] 조규상 / 2019 / A Digital Forensic Analysis of Timestamp Change Tools for Windows NTFS / 한국컴퓨터정보학회논문지 / 한국컴퓨터정보학회 24(9) : 51~58

[journal] 이상현 / 2016 / A Study on the Evidence Investigation of Forged/Modulated Time-Stamp at iOS(iPhone, iPad) / 정보처리학회논문지. 컴퓨터 및 통신시스템 / 한국정보처리학회 5(7) : 173~180

[journal] 한재혁 / 2022 / A Study on the Processing of Timestamps in the Creation of Multimedia Files on Mobile Devices / JIPS(Journal of Information Processing Systems) / 한국정보처리학회 18(3) : 402~410

[journal] A. Mohamed / 2019 / Detection of Timestamps Tampering in NTFS using Machine Learning / Procedia Computer Science 160 : 778~784

[journal] S. Neuner / 2016 / Time is on my side : Steganography in filesystem metadata / Digital Investigation 18(7) : 76~86

[journal] 조규상 / 2016 / Data Hiding in NTFS Timestamps for Anti-Forensics / The International Journal of Internet, Broadcasting and Communication / 한국인터넷방송통신학회 8(3) : 31~40

This paper was written with support from the National Research Foundation of Korea.

KJCKorea
Journal Central

Journal of Internet of Things and Convergence 2023 KCI Impact Factor : 0.89

A Design of Timestamp Manipulation Detection Method using Storage Performance in NTFS

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of Internet of Things and Convergence 2023 KCI Impact Factor : 0.89

A Design of Timestamp Manipulation Detection Method using Storage Performance in NTFS

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (0)

REFERENCES (17) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.