DOI: 10.1145/3465481.3470016
Time for Truth: Forensic Analysis of NTFS Timestamps

Published: 17 August 2021

Abstract

Timeline forgery is a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded.
In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much-needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. Finally, we analyze the effect and efficacy of 7 third-party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.

Supplemental Material

ZIP file: a44-galhuber-supplements (scripts and tables)


Cited By

  • Timestamp-based Application Fingerprinting in NTFS. Proceedings of the 19th International Conference on Availability, Reliability and Security (2024), 1–10. https://doi.org/10.1145/3664476.3670890. Online publication date: 30 Jul 2024.
  • Green Security: A Framework for Measurement and Optimization of Energy Consumption of Cybersecurity Solutions. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P) (2024), 676–696. https://doi.org/10.1109/EuroSP60621.2024.00043. Online publication date: 8 Jul 2024.
  • A common framework to situate digital and physical traces in time. Forensic Science International 360 (2024), 112020. https://doi.org/10.1016/j.forsciint.2024.112020. Online publication date: Jul 2024.
  • Event Abstraction in a Forensic Timeline. Information and Communications Technologies (2024), 119–129. https://doi.org/10.1007/978-3-031-62624-1_10. Online publication date: 30 Jun 2024.

Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021, 1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. NTFS
  2. anti-forensics
  3. digital forensics
  4. timestamps
  5. windows

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (last 12 months): 80
  • Downloads (last 6 weeks): 6
Reflects downloads up to 03 Jan 2025
