
Forensic Detection of Timestamp Manipulation for Digital Forensic Investigation

Authors :
Junghoon Oh
Sangjin Lee
Hyunuk Hwang
Source :
IEEE Access, Vol 12, Pp 72544-72565 (2024)
Publication Year :
2024
Publisher :
IEEE, 2024.

Abstract

File system forensics is one of the most important areas of digital forensic investigation. To date, various file system forensic methods have been studied, of which the anti-forensic countermeasures include deleted file recovery, metadata recovery, and metadata manipulation detection. In particular, detecting manipulation of timestamps, which are important file metadata, is one of the key techniques in digital forensic investigations. Existing detection methods for file timestamp manipulation in the New Technology File System (NTFS) have been based on various file system and operating system artifacts. This paper compares and analyzes the features and limitations of the existing detection methods and confirms that the NTFS journal-based detection method is the most effective way to detect timestamp manipulation. However, previous NTFS journal-based detection methods have limitations such as incorrectly identifying normal events as manipulation or detecting manipulation only in limited cases. Therefore, we propose a new detection algorithm that overcomes these limitations. The proposed detection algorithm was implemented as a tool and verified through performance comparison experiments with existing detection methods. The experimental results showed that the proposed detection algorithm significantly improves performance: it detects timestamp manipulations that were missed by previous detection methods and correctly identifies normal events that existing detection methods misclassified. Finally, we present a case in which the existing detection methods and the proposed detection algorithm are applied to malware that performs file timestamp manipulation in real-world advanced persistent threat attacks. These results confirm the superiority of the proposed detection algorithm.
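The abstract favours NTFS journal-based detection but does not describe the algorithm. The following is an added, simplified illustration of what a journal-based check looks like; it is not the paper's algorithm and not the authors' tool. It assumes the investigator has already extracted each file's $STANDARD_INFORMATION creation time from $MFT (modelled here as a dict keyed by file reference number) and the $UsnJrnl:$J change journal as raw bytes (modelled here as constructed USN_RECORD_V2 records). The rule is: a file whose on-disk creation time is earlier than the journal's own FILE_CREATE record for the same file reference number has been backdated, because the journal entry was written by the kernel at creation time. All file names, reference numbers and timestamps below are constructed sample data.

```python
"""Illustrative USN-journal check for backdated NTFS creation timestamps.

Added example, not the paper's algorithm.  Assumes $MFT creation times and
the $UsnJrnl:$J stream have already been extracted; both are modelled with
constructed sample data below.
"""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_RECORD_V2 reason flags (winioctl.h).
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_BASIC_INFO_CHANGE = 0x00008000   # attributes/timestamps changed, e.g. SetFileTime
USN_REASON_CLOSE = 0x80000000

# USN_RECORD_V2 fixed header (60 bytes, little-endian), followed by a UTF-16LE name:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_usn_v2(frn, parent_frn, usn, ts, reason, name):
    """Build a USN_RECORD_V2 for the constructed sample journal (test data, not captured)."""
    name_b = name.encode("utf-16-le")
    length = (USN_V2.size + len(name_b) + 7) & ~7          # records are 8-byte aligned
    hdr = USN_V2.pack(length, 2, 0, frn, parent_frn, usn, dt_to_filetime(ts),
                      reason, 0, 0, 0x20, len(name_b), USN_V2.size)
    return hdr + name_b + b"\0" * (length - USN_V2.size - len(name_b))


def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf; stops at the zero fill found in $J."""
    off = 0
    while off + USN_V2.size <= len(buf):
        (length, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, _attrs, nlen, noff) = USN_V2.unpack_from(buf, off)
        if length == 0:
            break                                          # zero-filled padding, no more records
        if major != 2:
            raise ValueError(f"unsupported USN record version {major} at offset {off}")
        name = buf[off + noff: off + noff + nlen].decode("utf-16-le")
        yield {"frn": frn, "parent": parent, "usn": usn,
               "ts": filetime_to_dt(ts), "reason": reason, "name": name}
        off += length


def detect_backdated_creation(mft, journal, tolerance=timedelta(seconds=2)):
    """Flag files whose $STANDARD_INFORMATION creation time predates the journal's
    first FILE_CREATE record for the same file reference number.

    mft: {frn: {"name": str, "si_created": datetime}}
    Returns [(name, si_created, journal_created, later_basic_info_change)].
    """
    created = {}          # frn -> first FILE_CREATE record (reasons accumulate until CLOSE)
    info_changed = set()  # frns with a later BASIC_INFO_CHANGE, a SetFileTime-like event
    for rec in parse_usn_v2(journal):
        if rec["reason"] & USN_REASON_FILE_CREATE:
            created.setdefault(rec["frn"], rec)
        elif rec["reason"] & USN_REASON_BASIC_INFO_CHANGE and rec["frn"] in created:
            info_changed.add(rec["frn"])

    findings = []
    for frn, entry in mft.items():
        rec = created.get(frn)
        if rec is None:
            continue      # created before the oldest surviving record: no evidence either way
        if entry["si_created"] + tolerance < rec["ts"]:
            findings.append((entry["name"], entry["si_created"], rec["ts"], frn in info_changed))
    return findings


# Constructed sample data.  FRN = MFT record number | sequence number << 48.
T0 = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
ROOT = 5 | (5 << 48)                 # MFT record 5 is the root directory
FRN_REPORT, FRN_LOADER, FRN_OLD = 100 | (1 << 48), 101 | (1 << 48), 42 | (3 << 48)

SAMPLE_MFT = {
    FRN_REPORT: {"name": "report.docx", "si_created": T0},
    FRN_LOADER: {"name": "loader.dll", "si_created": datetime(2019, 1, 1, 3, 0, tzinfo=timezone.utc)},
    FRN_OLD:    {"name": "old_notes.txt", "si_created": datetime(2022, 6, 1, tzinfo=timezone.utc)},
}
SAMPLE_JOURNAL = b"".join([
    build_usn_v2(FRN_REPORT, ROOT, 0x1000, T0, USN_REASON_FILE_CREATE, "report.docx"),
    build_usn_v2(FRN_REPORT, ROOT, 0x1050, T0, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "report.docx"),
    build_usn_v2(FRN_LOADER, ROOT, 0x10a0, T0 + timedelta(minutes=5),
                 USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "loader.dll"),
    build_usn_v2(FRN_LOADER, ROOT, 0x10f0, T0 + timedelta(minutes=5, seconds=1),
                 USN_REASON_BASIC_INFO_CHANGE | USN_REASON_CLOSE, "loader.dll"),
    b"\0" * 64,                      # trailing zero fill as seen at the end of $J
])

if __name__ == "__main__":
    for name, si, jn, changed in detect_backdated_creation(SAMPLE_MFT, SAMPLE_JOURNAL):
        print(f"{name}: $SI created {si:%Y-%m-%d %H:%M:%S} but journal FILE_CREATE at "
              f"{jn:%Y-%m-%d %H:%M:%S}; later BASIC_INFO_CHANGE={changed}")
```

On the sample, only loader.dll is reported (creation backdated to 2019, journal says 2024, and a BASIC_INFO_CHANGE record follows its creation); old_notes.txt predates the surviving journal and is left unjudged rather than cleared. Two caveats a practitioner should keep in mind: backup restores and copy tools that preserve timestamps legitimately call SetFileTime and will trip this rule, which is precisely the class of "normal events misidentified as manipulation" the abstract attributes to earlier journal-based methods; and the check is only as good as the journal's retention, since $J wraps and an attacker can disable or delete it.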

Details

Language :
English
ISSN :
21693536
Volume :
12
Database :
Directory of Open Access Journals
Journal :
IEEE Access
Publication Type :
Academic Journal
Accession number :
edsdoj.947c8e3939540739ddeba26b1359767
Document Type :
article
Full Text :
https://doi.org/10.1109/ACCESS.2024.3395644