Artifacts for Detecting Timestamp Manipulation in NTFS on Windows and Their Reliability

Details

Serval ID
serval:BIB_D1DC7D81DF4F
Type
Article: article from journal or magazin.
Collection
Publications
Title
Artifacts for Detecting Timestamp Manipulation in NTFS on Windows and Their Reliability
Journal
Forensic Science International: Digital Investigation
Author(s)
Palmbach David, Breitinger Frank
ISSN
2666-2817
Publication state
Published
Issued date
04/2020
Volume
32
Pages
300920
Language
english
Abstract
Timestamps have proven to be an expedient source of evidence for examiners in the reconstruction of computer crimes. Consequently, active adversaries and malware have implemented timestomping techniques (i.e., mechanisms to alter timestamps) to hide their traces. Previous research on detecting timestamp manipulation primarily focused on two artifacts: the $MFT as well as the records in the $LogFile. In this paper, we present a new use of four existing windows artifacts -- the $USNjrnl, link files, prefetch files, and Windows event logs -- that can provide valuable information during investigations and diversify the artifacts available to examiners. These artifacts contain either information about executed programs or additional timestamps which, when inconsistencies occur, can be used to prove timestamp forgery. Furthermore, we examine the reliability of artifacts being used to detect timestamp manipulation, i.e., testing their ability to retain information against users actively trying to alter or delete them. Based on our findings we conclude that none of the artifacts analyzed can withstand active exploitation.
Keywords
Timestamp manipulation, Forgery, $Logfile, $USNJrnl, SetMACE, nTimestomp, Timestomping, Anti-forensics
Web of science
Open Access
Yes
Create date
06/05/2021 11:01
Last modification date
06/05/2021 11:43
Usage data