Research Area:  Digital Forensics
Data forensics is becoming increasingly important as computer-related crimes intensify. In forensic investigations, temporal evidence plays a crucial role. However, the inherent volatility of time information and the tampering of such information through anti-forensic techniques have significantly lowered the reliability of temporal evidence and posed great challenges to simple time-based forensics. To overcome this problem, this paper proposes a cross-reference time-based forensics approach for NTFS that analyzes both the discrepancies and similarities among various pieces of temporal evidence associated with file metadata and the registry. Experimental results show that the approach can reliably identify certain intrusion activities such as malicious access, modification, copying, and tampering with timestamps. Some thoughts on dealing with anti-forensics are also provided in the analysis.
Keywords:  
Author(s) Name:  Xiaoqin Ding,Hengming Zou
Journal name:  SAC '11: Proceedings of the 2011 ACM Symposium on Applied Computing
Conference name:  
Publisher name:  ACM
DOI:  10.1145/1982185.1982227
Volume Information:  Pages 185–190
Paper Link:  https://dl.acm.org/doi/abs/10.1145/1982185.1982227