
A Digital Forensic Method by an Evaluation Function Based on Timestamp Changing Patterns


  • Gyu-Sang Cho (Department of Computer Information Engineering, Dongyang University)
  • Received : 2014.05.14
  • Accepted : 2014.06.02
  • Published : 2014.06.30

Abstract

This paper proposes a digital forensic method based on an evaluation function over timestamp changing patterns. Operations on a file or folder change its timestamps, and the pattern of changes reveals which operations were executed. The timestamp changes caused by ten file operations and eight folder operations were examined; the analysis of the eight folder operations is new to this paper and was not performed in the previous works. Based on the observed timestamp changes of files and folders, two evaluation functions are proposed. The first evaluation function checks whether timestamps were changed by file and folder operations, and the second checks whether timestamps originated from a source file or from another attribute field. The two output values of these evaluation functions drive the forensic investigation of a file or folder. The proposed method is tested for its usefulness on several cases, i.e. file copy and folder creation operations.
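The abstract describes two evaluation functions: one that records which timestamps an operation changed, and one that decides whether a timestamp was carried over from a source file rather than set by the object's own history. The following Python is an added illustration of that approach; it is not the paper's code. The NTFS $STANDARD_INFORMATION fields M, A, C, E (modified, accessed, MFT-entry changed, created) are real, but the pattern table, the tolerance, and the sample timestamps are constructed for this example, and the two documented behaviours it relies on (a Windows copy keeps the source's M while setting A, C and E to the copy time; a newly created file or folder has all four timestamps equal) stand in for the paper's own tables of ten file and eight folder operations, which are not on this page.

```python
"""Timestamp-pattern evaluation functions (added example, not the paper's code).

NTFS $STANDARD_INFORMATION keeps four timestamps per file or folder:
M (data modified), A (accessed), C (MFT entry changed), E (entry created).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FIELDS = ("M", "A", "C", "E")


@dataclass(frozen=True)
class Timestamps:
    M: datetime
    A: datetime
    C: datetime
    E: datetime


def change_pattern(before: Timestamps, after: Timestamps) -> str:
    """Evaluation function 1: which of M, A, C, E differ between two snapshots
    of the same object. 'X' marks a changed field, '-' an unchanged one."""
    return "".join("X" if getattr(after, f) != getattr(before, f) else "-"
                   for f in FIELDS)


# Constructed lookup from change pattern (over M, A, C, E) to the operation
# that produces it. Assumption: only a few well-known NTFS behaviours are
# listed here; the paper's full operation tables are not on this page.
FILE_PATTERNS = {
    "----": "no change",
    "XXX-": "content modified (M, A, C updated; creation kept)",
    "--X-": "attribute change only (MFT entry updated)",
    "-X--": "read access only",
}


def classify_change(before: Timestamps, after: Timestamps) -> str:
    return FILE_PATTERNS.get(change_pattern(before, after), "unknown pattern")


def inherited_from_source(ts: Timestamps, source: Timestamps = None) -> bool:
    """Evaluation function 2: was M carried over from a source file instead of
    being set by this object's own history? With a candidate source, compare
    the fields directly; without one, a file whose last modification predates
    its own creation cannot have produced M itself."""
    if source is not None:
        return ts.M == source.M and ts.E > source.E
    return ts.M < ts.E


def freshly_created(ts: Timestamps, tolerance=timedelta(seconds=1)) -> bool:
    """A new file or folder gets all four timestamps set to the same instant;
    spread beyond the tolerance means something happened after creation."""
    stamps = [getattr(ts, f) for f in FIELDS]
    return max(stamps) - min(stamps) <= tolerance


def investigate(ts: Timestamps, source: Timestamps = None) -> str:
    """Combine the two evaluation outputs into a forensic reading."""
    if freshly_created(ts):
        return "created in place and untouched since (e.g. new folder)"
    if inherited_from_source(ts, source):
        return "copied: M inherited from source, A/C/E set at copy time"
    if ts.M < ts.E:
        return "M earlier than E but not matching the suspected source"
    return "modified in place after creation"


# Constructed sample timestamps (not real evidence).
T_SRC = datetime(2014, 5, 1, 9, 0, 0)
T_COPY = T_SRC + timedelta(days=2)


def sample_source() -> Timestamps:
    return Timestamps(M=T_SRC, A=T_SRC, C=T_SRC, E=T_SRC - timedelta(days=10))


def sample_edited_source() -> Timestamps:
    t = T_SRC + timedelta(hours=1)  # the source is edited an hour later
    return Timestamps(M=t, A=t, C=t, E=T_SRC - timedelta(days=10))


def sample_copy() -> Timestamps:
    # Windows copy: M taken from the source, A/C/E set to the copy time
    return Timestamps(M=T_SRC, A=T_COPY, C=T_COPY, E=T_COPY)


def sample_new_folder() -> Timestamps:
    return Timestamps(M=T_COPY, A=T_COPY, C=T_COPY, E=T_COPY)


if __name__ == "__main__":
    print(change_pattern(sample_source(), sample_edited_source()),
          classify_change(sample_source(), sample_edited_source()))
    print(investigate(sample_copy(), sample_source()))
    print(investigate(sample_new_folder()))
    print(investigate(sample_edited_source()))
```

The second function is the one that makes copy detection work without a before/after pair: the destination of a copy did not exist before the operation, so there is no earlier snapshot to diff, but its M predating its own E is evidence on its own.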

Acknowledgement

Supported by: National Research Foundation of Korea
