Reconstructing Timelines: From NTFS Timestamps to File Histories

Jelle Bouma, H.L. Jonker, Vincent van der Meer, Eddy van den Aker

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceeding › Academic › peer-review

Abstract

File history facilitates the creation of a timeline of attributed events, which is crucial in digital forensics. Timestamps play an important role in determining what happened to a file. Previous studies into leveraging timestamps to determine file history focused on identifying the last operation applied to a file. In contrast, in this paper we determine all possible file histories given a file's current NTFS timestamps. That is, we infer all possible sequences of file system operations that culminate in the file's current NTFS timestamps. The result is a tree of timelines whose root node is the current file state. Our method accounts for various forms of timestamp forgery. We provide an implementation of this method that depicts the possible histories graphically.
Original language: English
Title of host publication: ARES '23
Subtitle of host publication: Proceedings of the 18th International Conference on Availability, Reliability and Security
Place of publication: New York
Publisher: Association for Computing Machinery (ACM)
Number of pages: 9
ISBN (Print): 979-8-4007-0772-8
DOIs
Publication status: Published - 29 Aug 2023
Event: 18th International Conference on Availability, Reliability and Security - Benevento, Italy
Duration: 29 Aug 2023 to 1 Sept 2023
Conference number: 18

Conference

Conference: 18th International Conference on Availability, Reliability and Security
Abbreviated title: ARES '23
Country/Territory: Italy
City: Benevento
Period: 29/08/23 to 1/09/23

Keywords

  • Digital forensics
  • File history
  • Timelines
  • Timestamps
