Detection of Suspicious Timestamps in NTFS using Volume Shadow Copies

Authors: Alji Mohamed, Chougdali Khalid

Journal: International Journal of Computer Network and Information Security @ijcnis

Issue: Vol. 13, No. 4, 2021

Free access

When a computer is involved in a crime, it is the task of the digital forensic examiner to extract the binary artifacts left on that device. Among those artifacts there may be volume shadow copy files left by the Windows operating system. These files are snapshots of a volume, recorded by the system so that it can be restored to a specific earlier state. Before this study it was not known whether the forensic information held within those snapshots could be exploited to locate suspicious timestamps in an NTFS-formatted partition. This study provides an inter-snapshot time analysis for detecting file system timestamp manipulation: the time information present in multiple volume shadow copies is leveraged to detect tampering with file system timestamps. A detection algorithm for suspicious timestamps is contributed; its role is to help the digital investigator spot the manipulation if it has occurred. In addition, a virtual environment was set up to validate the use of the proposed algorithm for detection.
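To make the inter-snapshot idea concrete, the following Python script is an added illustration and not the paper's own algorithm or code. It assumes that the $STANDARD_INFORMATION MACB timestamps of each file have already been extracted from every shadow copy (for example by parsing each snapshot's $MFT) and are supplied as Python datetimes; the snapshot labels, file paths and time values are constructed sample data. Given two or more snapshots, it flags the timestamp values that cannot have arisen from a file simply ageing between one snapshot and the next.

```python
"""Inter-snapshot NTFS timestamp consistency check (illustrative example).

Not the paper's algorithm. Input: per-snapshot MACB times taken from
$STANDARD_INFORMATION, already extracted from each volume shadow copy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# MACB tuple order used throughout: (Modified, Accessed, MFT-Changed, Born)
MACB = Tuple[datetime, datetime, datetime, datetime]


@dataclass
class Snapshot:
    """One volume shadow copy: when it was taken and the MACB times of the
    files it contains. 'label' is a hypothetical analyst-chosen tag, not a
    real VSS shadow copy identifier."""
    label: str
    created: datetime
    files: Dict[str, MACB]


def find_suspicious_timestamps(snapshots: List[Snapshot]) -> List[Tuple[str, str, str]]:
    """Compare each file's timestamps across snapshots ordered by creation time.

    Returns (path, rule, detail) tuples for:
      FUTURE      a timestamp later than the snapshot that recorded it
      BORN_MOVED  birth time differs from the earlier snapshot yet now claims
                  the file already existed before that earlier snapshot
      M_BACK      last-modified time went backwards between snapshots
      C_BACK      MFT-changed time went backwards between snapshots
    Accessed time is deliberately not ordered: last-access updates are often
    disabled on NTFS (NtfsDisableLastAccessUpdate), so it carries no reliable order.
    """
    findings: List[Tuple[str, str, str]] = []
    ordered = sorted(snapshots, key=lambda s: s.created)
    # path -> (snapshot that last recorded it, its MACB in that snapshot)
    history: Dict[str, Tuple[Snapshot, MACB]] = {}

    for snap in ordered:
        for path, macb in snap.files.items():
            m, a, c, b = macb
            for name, ts in (("M", m), ("A", a), ("C", c), ("B", b)):
                if ts > snap.created:
                    findings.append((path, "FUTURE",
                                     f"{name}={ts.isoformat()} post-dates snapshot "
                                     f"{snap.label} ({snap.created.isoformat()})"))
            if path in history:
                prev, (pm, pa, pc, pb) = history[path]
                if b != pb and b <= prev.created:
                    findings.append((path, "BORN_MOVED",
                                     f"B changed {pb.isoformat()} -> {b.isoformat()} "
                                     f"yet claims to pre-date snapshot {prev.label}"))
                if m < pm:
                    findings.append((path, "M_BACK",
                                     f"M went back {pm.isoformat()} -> {m.isoformat()} "
                                     f"between {prev.label} and {snap.label}"))
                if c < pc:
                    findings.append((path, "C_BACK",
                                     f"C went back {pc.isoformat()} -> {c.isoformat()} "
                                     f"between {prev.label} and {snap.label}"))
            history[path] = (snap, macb)
    return findings


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data (not from any real image): two shadow copies taken
# ten days apart, holding one legitimately edited file, one timestomped
# binary, and one file whose modification time lies in the snapshot's future.
SNAPSHOTS = [
    Snapshot("vss1", _utc(2021, 1, 10, 10), {
        r"C:\Users\alice\notes.txt": (_utc(2021, 1, 5, 9), _utc(2021, 1, 5, 9),
                                      _utc(2021, 1, 5, 9), _utc(2021, 1, 1, 8)),
        r"C:\Users\alice\tool.exe": (_utc(2021, 1, 8, 12), _utc(2021, 1, 8, 12),
                                     _utc(2021, 1, 8, 12), _utc(2021, 1, 8, 12)),
    }),
    Snapshot("vss2", _utc(2021, 1, 20, 10), {
        # Normal edit: M and C advance, B unchanged -> no finding.
        r"C:\Users\alice\notes.txt": (_utc(2021, 1, 15, 9), _utc(2021, 1, 15, 9),
                                      _utc(2021, 1, 15, 9), _utc(2021, 1, 1, 8)),
        # Timestomped: M/A/B pushed back to 2015. The Win32 SetFileTime API
        # cannot set the MFT-changed time, so C still records the tampering.
        r"C:\Users\alice\tool.exe": (_utc(2015, 6, 1), _utc(2015, 6, 1),
                                     _utc(2021, 1, 18, 14), _utc(2015, 6, 1)),
        # Impossible value: M later than the snapshot that captured it.
        r"C:\Temp\drop.dat": (_utc(2021, 1, 25), _utc(2021, 1, 19),
                              _utc(2021, 1, 19), _utc(2021, 1, 19)),
    }),
]

if __name__ == "__main__":
    for path, rule, detail in find_suspicious_timestamps(SNAPSHOTS):
        print(f"[{rule}] {path}: {detail}")
```

The rules deliberately raise leads rather than verdicts: a restore from backup or a copy that preserves timestamps (robocopy's default /COPY:DAT does) can legitimately move M or B backwards, and clock drift between the system clock and the snapshot creation time can produce a spurious FUTURE hit, so each finding should be corroborated against other artifacts before being reported as manipulation.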


Keywords: Timestamp Manipulation, MACB Tampering, Time Forgery, Inter-snapshot Analysis, Volume Shadow Copy

Short address: https://sciup.org/15017877

IDR: 15017877   |   DOI: 10.5815/ijcnis.2021.04.06

Article type: research article