Analysis of changes in file time attributes with file manipulation

Authors: Jewan Bang, Byeongyeong Yoo, Sangjin Lee

DOI: 10.1016/J.DIIN.2010.12.001

Keywords: File system, Database, Unix file types, File system fragmentation, Computer file, Computer science, File Control Block, Versioning file system, Fork (file system), Stub file

Abstract: Time information is an important factor in digital forensic investigations. The time of files obtained under the New Technology File System (NTFS) for Windows determined by creation, modification, access, and master file table (MFT) entry modification times can be changed user manipulations such as copy, move, change. characteristics changes attributes used to analyze certain behaviors related data transfer modification. This study analyzes change or folders resulting from different operating systems deduces through a procedure based on analysis results.

References (6)
Brian Carrier, File system forensic analysis, (2005)
Bradley Schatz, George Mohay, Andrew Clark, A correlation method for establishing provenance of timestamps in digital evidence, Digital Investigation, vol. 3, pp. 98-107, (2006), 10.1016/J.DIIN.2006.06.009
Chris Boyd, Pete Forster, Time and date issues in forensic computing-a case study, Digital Investigation, vol. 1, pp. 18-23, (2004), 10.1016/J.DIIN.2004.01.002
K.P. Chow, Frank Y.W. Law, Michael Y.K. Kwan, Pierre K.Y. Lai, The Rules of Time on NTFS File System, Second International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'07), pp. 71-85, (2007), 10.1109/SADFE.2007.22
Jewan Bang, Byeongyeong Yoo, Jongsung Kim, Sangjin Lee, Analysis of Time Information for Digital Investigation, 2009 Fifth International Joint Conference on INC, IMS and IDC, pp. 1858-1864, (2009), 10.1109/NCM.2009.258
Matthew Geiger, Evaluating Commercial Counter-Forensic Tools, digital forensic research workshop, (2005)