{"title":"Forensic Application-Fingerprinting Based on File System Metadata","authors":"S. Kalber, Andreas Dewald, F. Freiling","doi":"10.1109/IMF.2013.20","DOIUrl":null,"url":null,"abstract":"While much work has been invested in tools for aquisition and extraction of digital evidence, there are only few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the set of files accessed by those actions overlap.","PeriodicalId":352053,"journal":{"name":"2013 Seventh International Conference on IT Security Incident Management and IT Forensics","volume":"137 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-03-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"24","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 Seventh International Conference on IT Security Incident Management and IT Forensics","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IMF.2013.20","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 24
Abstract
While much work has been invested in tools for aquisition and extraction of digital evidence, there are only few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the set of files accessed by those actions overlap.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
