Abstract
File history facilitates the creation of a timeline of attributed events, which is crucial in digital forensics. Timestamps play an important role in determining what happened to a file. Previous studies into leveraging timestamps to determine file history focused on identifying the last operation applied to a file. In contrast, in this paper, we determine all possible file histories given a file’s current NTFS timestamps. That is, we infer all possible sequences of file system operations which culminate in the file’s current NTFS timestamps. This results in a tree of timelines whose root node is the current file state. Our method accounts for various forms of timestamp forgery. We provide an implementation of this method that depicts possible histories graphically.
Original language | English |
---|---|
Title of host publication | ARES '23 |
Subtitle of host publication | Proceedings of the 18th International Conference on Availability, Reliability and Security |
Place of Publication | New York |
Publisher | Association for Computing Machinery (ACM) |
Number of pages | 9 |
ISBN (Print) | 979-8-4007-0772-8 |
Publication status | Published - 29 Aug 2023 |
Event | 18th International Conference on Availability, Reliability and Security - Benevento, Italy; Duration: 29 Aug 2023 → 1 Sept 2023; Conference number: 18 |
Conference
Conference | 18th International Conference on Availability, Reliability and Security |
---|---|
Abbreviated title | ARES '23 |
Country/Territory | Italy |
City | Benevento |
Period | 29/08/23 → 1/09/23 |
Keywords
- Digital forensics
- File history
- Timelines
- Timestamps
Fingerprint
Dive into the research topics of 'Reconstructing Timelines: From NTFS Timestamps to File Histories'. Together they form a unique fingerprint.
Prizes
- Best paper award
  Jonker, H. (Recipient) & van der Meer, V. (Recipient), 2023
  Prize: Prize (including medals and awards) › Academic