Time for Truth: Forensic Analysis of NTFS Timestamps

Proceedings of the 16th International Conference on Availability, Reliability and Security Pub Date : 2021-08-16 DOI:10.1145/3465481.3470016

Michael Galhuber, R. Luh

{"title":"Time for Truth: Forensic Analysis of NTFS Timestamps","authors":"Michael Galhuber, R. Luh","doi":"10.1145/3465481.3470016","DOIUrl":null,"url":null,"abstract":"Timeline forgery a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded. In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. Finally, we analyze the effect and efficacy of 7 third party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.","PeriodicalId":417395,"journal":{"name":"Proceedings of the 16th International Conference on Availability, Reliability and Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3465481.3470016","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

Timeline forgery a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded. In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. Finally, we analyze the effect and efficacy of 7 third party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

时间真相:NTFS时间戳的法医分析

时间轴伪造是计算机反取证中广泛应用的技术。大量免费提供和易于使用的篡改工具使法医科学家难以收集合法有效的证据并重建可信的时间线。与此同时，真正用户可能执行的大量文件操作可能导致时间戳模式的多样性，这在重建事件链时构成了挑战，特别是因为应用程序特定的差异经常被忽略。在本文中，我们研究了NTFS中常见用户操作产生的时间戳模式，为从旧实验中获得的Windows时间规则提供了急需的更新。我们展示了特定的应用程序可能导致偏离预期的行为，并为分析人员提供了一套针对所有允许的NTFS文件操作的全面的行为规则。最后，我们分析了7种第三方时间戳伪造工具以及自定义PowerShell解决方案的效果和功效，并强调了指向数据伪造的取证工件。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Proceedings of the 16th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量