Forensic Detection of Timestamp Manipulation for Digital Forensic Investigation

Autor: Junghoon Oh, Sangjin Lee, Hyunuk Hwang
Jazyk: angličtina
Rok vydání: 2024
Předmět:
Zdroj: IEEE Access, Vol 12, Pp 72544-72565 (2024)
Druh dokumentu: article
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2024.3395644
Popis: File system forensics is one of the most important areas of digital forensic investigations. To date, various file system forensic methods have been studied, of which anti-forensic countermeasures include deleted file recovery, metadata recovery, and metadata manipulation detection. In particular, manipulation detection of timestamps, which are important file metadata, is one of the key techniques in digital forensic investigations. Existing detection methods for file timestamp manipulation in the New Technology File System (NTFS) have been studied based on various file system and operating system artifacts. This paper compares and analyzes the features and limitations of various existing detection methods and confirms that the NTFS journal-based detection method is the most effectively way to detect timestamp manipulation. However, previous NTFS journal-based detection methods have limitations such as incorrectly identifying normal events as manipulation or detecting manipulation only in limited cases. Therefore, we propose a new detection algorithm that can overcome these limitations. The proposed detection algorithm was implemented as a tool and verified through performance comparison experiments with existing detection methods. The results of experiment showed that the proposed detection algorithm has significantly improved performance by detecting timestamp manipulations that were not detected by previous detection methods and identifying normal events that were misidentified by existing detection methods. Finally, we introduce a case in which existing detection methods and the proposed detection algorithm are applied to malware that performs file timestamp manipulation in real-world advanced persistent threat attacks. The results of which confirm the superiority of the proposed detection algorithm.
Databáze: Directory of Open Access Journals