Journal of Internet of Things and Convergence (사물인터넷융복합논문지)

The Korea Internet of Things Society (한국사물인터넷학회)
권호 표지
DOI QR코드

DOI QR Code

A Design of Timestamp Manipulation Detection Method using Storage Performance in NTFS

NTFS에서 저장장치 성능을 활용한 타임스탬프 변조 탐지 기법 설계

  • Jong-Hwa Song (Department of Forensic Sciences, Sungkyunkwan University) ;
  • Hyun-Seob Lee (Division of Computer Engineering, Baekseok University)
  • 송종화 (성균관대학교 과학수사학과) ;
  • 이현섭 (백석대학교 컴퓨터공학부)
  • Received : 2023.10.12
  • Accepted : 2023.12.14
  • Published : 2023.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Windows operating system generates various logs with timestamps. Timestamp tampering is an act of anti-forensics in which a suspect manipulates the timestamps of data related to a crime to conceal traces, making it difficult for analysts to reconstruct the situation of the incident. This can delay investigations or lead to the failure of obtaining crucial digital evidence. Therefore, various techniques have been developed to detect timestamp tampering. However, there is a limitation in detection if a suspect is aware of timestamp patterns and manipulates timestamps skillfully or alters system artifacts used in timestamp tampering detection. In this paper, a method is designed to detect changes in timestamps, even if a suspect alters the timestamp of a file on a storage device, it is challenging to do so with precision beyond millisecond order. In the proposed detection method, the first step involves verifying the timestamp of a file suspected of tampering to determine its write time. Subsequently, the confirmed time is compared with the file size recorded within that time, taking into consideration the performance of the storage device. Finally, the total capacity of files written at a specific time is calculated, and this is compared with the maximum input and output performance of the storage device to detect any potential file tampering.

Windows 운영체제는 다양한 데이터를 타임스탬프와 함께 로깅한다. 타임스탬프 변조는 안티포렌식의 한 행위로 용의자가 범행과 관련된 데이터의 타임스탬프 조작을 통해 흔적을 숨겨 분석관이 사건의 상황 재현을 어렵게 하여 수사를 지연시키거나 중요한 디지털 증거 획득을 실패하게 만든다. 따라서 이를 대처하기 위해 타임스탬프 변조를 탐지하는 여러 기법이 개발되었다. 그러나 만일 용의자가 타임스탬프 패턴을 인지하고 정교하게 시간을 조작하거나 변조 탐지에 활용되는 시스템 아티팩트를 변경한다면 탐지가 어렵다는 한계점을 가지고 있다. 본 논문에서는 용의자가 파일의 타임스탬프를 조작하더라도 저장장치의 속도에 비례하여 1초 미만의 단위값까지를 고려한 정교한 변경이 어려움에 착안하여, 타임스탬프 변조를 탐지할 수 있는 기법을 설계하고자 한다. 설계한 탐지 기법에서는 우선 변조가 의심스러운 파일의 타임스탬프를 확인하여 해당 파일의 쓰기시간을 확인한다. 그다음 확인된 시간을 저장장치의 성능을 고려하여 시간 내에 기록된 파일 크기와 대조한다. 마지막으로 특정 시간에 파일이 쓰인 총용량을 구하고 저장장치의 최대 입출력 성능과 비교하여 파일의 변조 여부를 탐지한다.

Keywords

Acknowledgement

본 논문은 2023년도 교육부의 재원으로 한국연구재단의 지원을 받아 수행된 기초연구사업(NRF2021R1I1A3061020)과 지자체-대학 협력기반 지역혁신 사업(2021RIS-004)의 결과입니다.

References

  1. K.G.Lee, S.J.Hwang, C.H.Lee and S.J.Lee, "Study on advanced analysis method based on timeline chart for Digital Forensic Investigation," Journal of Advanced Navigation Technology, Vol.18, pp.50-55, 2014. https://doi.org/10.12673/jkoni.2014.18.1.50
  2. J.W.Bang, B.Y.Yoo and S.J.Lee, "Analysis of changes in file time attributes with file manipulation," Digital Investigation, Vol.7, No.3, pp.135-144, 2011. https://doi.org/10.1016/j.diin.2010.12.001
  3. G.S.Cho, "A computer forensic method for detecting timestamp forgery in NTFS," Computers & Security, Vol.34, pp.36-46, 2013. https://doi.org/10.1016/j.cose.2012.11.003
  4. G.S.Cho, "A Digital Forensic Method by an Evaluation Function Based on Timestamp Changing Patterns," Journal of the Korea Society of Digital Industry and Information Management, Vol.10, No.2, pp.91-105, 2014. https://doi.org/10.17662/KSDIM.2014.10.2.091
  5. D.I.Jang, G.J.Ahn, H.U.Hwang and K.B.Kim, "Understanding Anti-forensic Techniques with Timestamp Manipulation," 2016 IEEE 17th International Conference on Information Reuse and Integration (IRI), pp.609-614, 2016.
  6. H.J.Yoon, "A study on user behavior tracking using $UsnJrnl," Master's Thesis, Seoul University, 2018.
  7. J.H.Jeong, "A study on document reading and writing traces through NTFS file system journal file analysis," Master's Thesis, Seoul University, 2022.
  8. J.Bouma, H.Jonker, V.Meer and E.Aker, "Reconstructing Timelines: From NTFS Timestamps to File Histories," ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security, No.154, pp.1-9, 2023.
  9. D.Palmbach and F.Breitinger, "Artifacts for Detecting Timestamp Manipulation in NTFS on Windows and Their Reliability," Forensic Science International: Digital Investigation, Vol.32, Supplement. pp.S1-S9, 2020. https://doi.org/10.1016/j.fsidi.2020.300920
  10. A.Mohamed and C.Khalid, "Detection of Suspicious Timestamps in NTFS using Volume Shadow Copies," International Journal of Computer Network and Information Security, Vol.13, Issue4, pp.62-69, 2021. https://doi.org/10.5815/ijcnis.2021.04.06
  11. M.Galhuber and R.Luh, "Time for Truth: Forensic Analysis of NTFS Timestamps," ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security, No.44, pp.1-10, 2021.
  12. G.S.Cho, "A Digital Forensic Analysis of Timestamp Change Tools for Windows NTFS," Journal of The Korea Society of Computer and Information, Vol.24, No.9, pp.51-58, 2019. https://doi.org/10.9708/JKSCI.2019.24.09.051
  13. S.H.Lee, Y.H.Lee and S.J.Lee, "A study on the Evidence Investigation of Forged/Modulated Time-Stamp at iOS(iPhone, iPad)," KIPS Transactions on Computer and Communication Systems, Vol.5, No.7, pp.173-180, 2016. https://doi.org/10.3745/KTCCS.2016.5.7.173
  14. J.H.Han and S.J.Lee, "A Study on the Processing of Timestamps in the Creation of Multimedia Files on Mobile Devices," Journal of Information Processing Systems, Vol.18, No.3, pp.402-410, 2022. https://doi.org/10.3745/JIPS.04.0245
  15. A.Mohamed and C.Khalid, "Detection of Timestamps Tampering in NTFS using Machine Learning," Procedia Computer Science, Vol.160, pp.778-784, 2019. https://doi.org/10.1016/j.procs.2019.11.011
  16. S.Neuner, A.G.Voyiatzis, M.Schmiedecker, S.Brunthaler, S.Katzenbeisser and E.R.Weippl, "Time is on my side: Steganography in filesystem metadata," Digital Investigation, Vol.18, Supplement7, pp.76-86, 2016. https://doi.org/10.1016/j.diin.2016.04.010
  17. G.S.Cho, "Data Hiding in NTFS Timestamps for Anti-Forensics," International Journal of Internet, Broadcasting and Communication, Vol.8, No.3, pp.31-40, 2016. https://doi.org/10.7236/IJIBC.2016.8.3.31