Detection of Suspicious Timestamps in NTFS using Volume Shadow Copies

Full Text (PDF, 212KB), pp. 62-69


Author(s)

ALJI Mohamed 1,*, CHOUGDALI Khalid 1

1. Engineering Science Laboratory, National School for Applied Sciences, Ibn Tofail University, Kenitra, Morocco

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2021.04.06

Received: 28 Feb. 2021 / Revised: 17 Apr. 2021 / Accepted: 23 May 2021 / Published: 8 Aug. 2021

Index Terms

Timestamp Manipulation, MACB Tampering, Time Forgery, Inter-snapshot Analysis, Volume Shadow Copy

Abstract

When a computer is involved in a crime, it is the mission of digital forensic experts to extract the binary artifacts left on that device. Among those artifacts there may be volume shadow copy files left by the Windows operating system. Those files are snapshots of the volume, recorded by the system in case a restore to a specific past date is needed. Before this study, it was not known whether the valuable forensic information held within those snapshot files can be exploited to locate suspicious timestamps in an NTFS-formatted partition. This study provides the reader with an inter-snapshot time analysis for detecting file system timestamp manipulation. In other words, we leverage the presence of time information within multiple volume shadow copies to detect any suspicious tampering with the file system timestamps. A detection algorithm for suspicious timestamps is contributed. Its main role is to assist the digital investigator in spotting the manipulation if it has occurred. In addition, a virtual environment has been set up to validate the use of the proposed algorithm for the detection.
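To make the inter-snapshot idea concrete, the following is an added illustration written for this page; it is not the authors' algorithm and not code from the paper. It assumes that the $STANDARD_INFORMATION times of each file have already been extracted from every shadow copy (for example from the MFT of each mounted snapshot) into a Snapshot record, and it applies four consistency rules that only hold if nobody rewrote the timestamps: no time may post-date the snapshot that holds it, a file's creation time must not change from one snapshot to the next, modification and MFT-change times only move forward, and a file first seen in a later snapshot should not claim to have been created before an earlier snapshot was taken (a weak signal, since moves and restores with preserved times look the same). The sample snapshots, paths and rule names are constructed for the example.

```python
"""Inter-snapshot timestamp consistency check (illustrative, not the paper's algorithm).

Input: one Snapshot per Volume Shadow Copy, each holding the $STANDARD_INFORMATION
times of the files it contains. Snapshots are ordered by creation time and every
file is compared with its own state in the preceding snapshot.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileTimes:
    crtime: datetime  # creation time
    mtime: datetime   # last data modification
    ctime: datetime   # last MFT record change (not settable through SetFileTime)


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: datetime                # when the shadow copy was created
    files: Dict[str, FileTimes]    # path -> timestamps as recorded in that snapshot


# (path, snapshot name, rule, field)
Finding = Tuple[str, str, str, str]


def find_suspicious(snapshots: List[Snapshot]) -> List[Finding]:
    """Return every timestamp that violates a cross-snapshot consistency rule."""
    findings: List[Finding] = []
    ordered = sorted(snapshots, key=lambda s: s.taken)

    # Rule 1: a snapshot cannot contain a timestamp later than its own creation.
    for snap in ordered:
        for path, t in snap.files.items():
            for field_name in ("crtime", "mtime", "ctime"):
                if getattr(t, field_name) > snap.taken:
                    findings.append((path, snap.name, "FUTURE_TS", field_name))

    for prev, cur in zip(ordered, ordered[1:]):
        for path, now in cur.files.items():
            before: Optional[FileTimes] = prev.files.get(path)
            if before is None:
                # Rule 4 (weak): a file first seen in this snapshot claims a creation
                # time before the previous snapshot was taken. A move or a restore
                # with preserved times looks the same, so treat it as a lead only.
                if now.crtime < prev.taken:
                    findings.append((path, cur.name, "NEW_FILE_BACKDATED", "crtime"))
                continue
            # Rule 2: NTFS does not rewrite creation time on normal use.
            if now.crtime != before.crtime:
                findings.append((path, cur.name, "CRTIME_CHANGED", "crtime"))
            # Rule 3: modification and MFT-change times only move forward.
            if now.mtime < before.mtime:
                findings.append((path, cur.name, "MTIME_BACKWARDS", "mtime"))
            if now.ctime < before.ctime:
                findings.append((path, cur.name, "CTIME_BACKWARDS", "ctime"))
    return findings


# Constructed sample (hypothetical data): two shadow copies a week apart, one backdated
# document, one planted tool, one file with impossible future times, one honest edit.
SAMPLE = [
    Snapshot("snap1", ts("2021-03-01 12:00:00"), {
        r"C:\Users\alice\report.docx": FileTimes(ts("2021-02-10 09:00:00"), ts("2021-02-28 17:30:00"), ts("2021-02-28 17:30:00")),
        r"C:\Users\alice\notes.txt": FileTimes(ts("2021-02-20 08:00:00"), ts("2021-02-25 11:00:00"), ts("2021-02-25 11:00:00")),
    }),
    Snapshot("snap2", ts("2021-03-08 12:00:00"), {
        # report.docx: crtime and mtime backdated; ctime bumped forward by the API call that did it
        r"C:\Users\alice\report.docx": FileTimes(ts("2020-01-15 08:00:00"), ts("2020-01-15 08:00:00"), ts("2021-03-05 10:00:00")),
        # notes.txt: legitimately edited between the two snapshots
        r"C:\Users\alice\notes.txt": FileTimes(ts("2021-02-20 08:00:00"), ts("2021-03-03 14:00:00"), ts("2021-03-03 14:00:00")),
        # tool.exe: appears only now but claims to be two years old
        r"C:\Users\alice\tool.exe": FileTimes(ts("2019-06-01 00:00:00"), ts("2019-06-01 00:00:00"), ts("2021-03-06 09:00:00")),
        # planted.dll: creation and modification times after the snapshot was taken
        r"C:\Users\alice\planted.dll": FileTimes(ts("2021-03-10 00:00:00"), ts("2021-03-10 00:00:00"), ts("2021-03-07 09:00:00")),
    }),
]

if __name__ == "__main__":
    for path, snap, rule, field_name in find_suspicious(SAMPLE):
        print(f"{rule:18} {field_name:6} {snap}  {path}")
```

Two caveats a practitioner should keep in mind: timestamps older than the earliest surviving shadow copy cannot be cross-checked this way, so the method only covers manipulation that happened between snapshots; and shadow copies are themselves a target (an attacker who deletes them removes the reference points), so their absence on a system that had System Protection enabled is itself worth noting.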

Cite This Paper

ALJI Mohamed, CHOUGDALI Khalid, "Detection of Suspicious Timestamps in NTFS using Volume Shadow Copies", International Journal of Computer Network and Information Security(IJCNIS), Vol.13, No.4, pp.62-69, 2021. DOI: 10.5815/ijcnis.2021.04.06
