A Digital Forensic Analysis of Timestamp Change Tools for Windows NTFS

  • Received : 2019.08.12
  • Accepted : 2019.09.06
  • Published : 2019.09.30

Abstract

Temporal analysis is useful and important in digital forensics for reconstructing the timeline of digital events. Forging a file's timestamps introduces inconsistencies into the overall temporal relationships, making it difficult to reconstruct actions or events from the timeline, and the results of the analysis may no longer be reliable. Timestamps are changed for two purposes: to hide data steganographically in the timestamp fields, and for anti-forensics. In both cases a timestamp change tool is used. In this paper we propose a classification method based on the behavior of timestamp change tools. The tools are categorized into three types according to the patterns of the timestamps they leave behind; by analyzing the changed timestamps, it is possible to decide what kind of tool was used. We also show that the three pattern types are closely related to the API functions used to develop the tools.
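The abstract's observation that the pattern a tool leaves behind depends on the API it is built on can be checked mechanically once the raw 64-bit FILETIME values of both $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) have been extracted from the MFT record (with any MFT parser). The Python below is an added example written for this page, not code from the paper, and its labels are its own heuristics rather than the paper's three types. It assumes three things: that a value typed into a tool at second granularity leaves the 100-ns fraction at exactly zero; that the Win32 SetFileTime function can only set creation, last-access and last-write time, so the $SI ChangeTime is updated by the kernel to the moment the tool ran; and that the native FILE_BASIC_INFORMATION path can also supply ChangeTime, while neither path writes $FILE_NAME. All sample timestamps are constructed, not real evidence.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # a FILETIME counts 100-ns intervals since 1601-01-01 00:00 UTC


def filetime_to_datetime(ft: int) -> datetime:
    """Raw 64-bit FILETIME -> aware UTC datetime (Python datetimes stop at microseconds)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME; the 100-ns digit is always 0 because datetime cannot carry it."""
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def subsecond_ticks(ft: int) -> int:
    """100-ns remainder below one second; 0 means the value was written at whole-second precision."""
    return ft % TICKS_PER_SECOND


@dataclass(frozen=True)
class NtfsTimes:
    """The four timestamps of one MFT attribute ($STANDARD_INFORMATION or $FILE_NAME), raw FILETIME."""
    created: int
    modified: int      # last write to $DATA
    mft_changed: int   # ChangeTime: last change to the MFT record itself; SetFileTime cannot set it
    accessed: int

    def whole_seconds(self, *names: str) -> bool:
        return all(subsecond_ticks(getattr(self, n)) == 0 for n in names)


def classify(si: NtfsTimes, fn: NtfsTimes) -> str:
    """Label an MFT entry by which timestamps look explicitly written rather than kernel-generated.

    Heuristic labels assumed for this example (not the paper's classification):
      no_anomaly            nothing points at a timestamp change tool
      si_set_fn_intact      $SI C/M/A written by the caller, ChangeTime and $FN left to the kernel
      si_all_four_set       $SI ChangeTime also written (FILE_BASIC_INFORMATION-style), $FN intact
      si_and_fn_rewritten   $FN also carries caller-written values: written below the file API
    """
    cma_set = si.whole_seconds("created", "modified", "accessed")
    change_set = si.whole_seconds("mft_changed")
    fn_set = fn.whole_seconds("created", "modified", "mft_changed", "accessed")
    si_backdated = si.created < fn.created  # $FN keeps the genuine creation time unless rewritten
    if cma_set and change_set and fn_set:
        return "si_and_fn_rewritten"
    if cma_set and change_set:
        return "si_all_four_set"
    if cma_set or si_backdated:
        return "si_set_fn_intact"
    return "no_anomaly"


def _ft(*args: int) -> int:
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))


# Constructed sample values (not real evidence).
GENUINE = _ft(2019, 8, 12, 10, 15, 30, 123456) + 7   # full 100-ns precision, as NTFS writes it
FORGED = _ft(2017, 1, 1, 0, 0, 0)                     # whole seconds, as typed into a tool
STOMPED_AT = _ft(2019, 9, 6, 8, 0, 0, 500000) + 3     # kernel clock at the moment the tool ran

SAMPLES = {
    "untouched": (NtfsTimes(GENUINE, GENUINE, GENUINE, GENUINE),
                  NtfsTimes(GENUINE, GENUINE, GENUINE, GENUINE)),
    "setfiletime_style": (NtfsTimes(FORGED, FORGED, STOMPED_AT, FORGED),
                          NtfsTimes(GENUINE, GENUINE, GENUINE, GENUINE)),
    "basic_information_style": (NtfsTimes(FORGED, FORGED, FORGED, FORGED),
                                NtfsTimes(GENUINE, GENUINE, GENUINE, GENUINE)),
    "mft_rewrite_style": (NtfsTimes(FORGED, FORGED, FORGED, FORGED),
                          NtfsTimes(FORGED, FORGED, FORGED, FORGED)),
}


def classify_samples() -> dict:
    """Run classify() over every constructed ($SI, $FN) pair and return name -> label."""
    return {name: classify(si, fn) for name, (si, fn) in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:26s} -> {label}")
```

Two caveats a practitioner should keep in mind. A zero 100-ns fraction on last-write time alone proves nothing: files copied from FAT or exFAT volumes, or extracted from ZIP archives, legitimately carry a whole-second (2-second granularity) last-write time, which is why the check above requires created, modified and accessed to all be whole seconds. Conversely, a tool that copies full-precision timestamps from a neighbouring file leaves no zero fractions at all; the only trace in that case is the $SI-versus-$FN comparison, and it survives only as long as the $FILE_NAME attribute was not rewritten as well.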
