Article Preview
TopIntroduction
Timestamp evidence is a fundamental component of many forensic computing examinations to reconstruct events, and the determination of event times is an important and difficult task in computer forensics. Numerous studies on the timestamps of file systems have been reported. Casey (2002) indicated that a MAC time analysis is necessary for the reconstruction of digital events. MAC timestamps record a file’s most recent modification, access, and creation times. By reconstructing this information on a timeline, forensic investigators can find filesystem activity and computer usage of a particular time. An investigator can also draw a historical plot of filesystem activity per time period (Grier, 2011). Boyd and Forster discussed time structure and its use in Microsoft Internet Explorer with local and UTC time translation issues (Boyd & Forster, 2004). Chow et al. presented behavioral characteristics of MAC times on an NTFS file system so that a validation basis for a temporal analysis of event reconstruction models can be formulated (Chow et al., 2007). Stevens introduced a clock model that can account for the various factors that affect the behavior of digital clocks such as those used in computers and other digital electronic devices (Stevens, 2004). Willassen presented a hypothesis-based investigation method to solve the problems of timestamp manipulation and a clock that is erroneous or improperly adjusted (Willassen, 2008).
J. Olsson and M. Boldt (2009) developed a computer forensic timeline visualization tool that provides a way to visualize evidence and allows investigators to find related evidence in a fast and intuitive manner. C. Hargreaves and J. Patterson (2012) proposed a technique that can automatically reconstruct high-level events from set of low-level events, analyzing patterns automatically. They described a framework that extracts low-level events to a SQLite backing store; the provenance of any high-level events is also preserved and the raw data that caused the low-level event to be initially created can also be viewed.
Recently, Cho (2013) proposed a method for detecting timestamp forgery in an NTFS filesystem. Log records that operate on files leave large amounts of information in the $LogFile that is used to reconstruct operations on the files and is also used as forensic evidence. If the past timestamps can be found before any changes to the file are made, this could act as evidence of a file time forgery. Rule sets for detecting a timestamp forgery based on using a difference comparison between changes in timestamp patterns by the file time change tool and normal file commands is provided, and the forensic rule sets of .txt”, “.docx”, and “.pdf” file types are applied for detecting timestamp forgery cases.
Digital forensic research on file systems other than NTFS has also been reported. Kevin D. Fairbanks (2012) presented a research paper on a low-level study and analysis of Ext4 file system data structures. The paper provided a more comprehensive analysis of the file system behavior with respect to data recovery. Ming Xu et al. presented experimental results under a Linux operating system demonstrating that the proposed method can correctly reconstruct the file system and recover file and file traces from YAFFS2; experiments conducted on physical images of Android phones show that this method can be applied to real scenarios (Xu et.al, 2013). A. Marrington et al. developed a tool that implements techniques for detecting contradictory and missing events in the history of the computer system. Experiments with this software demonstrated that the proposed techniques can be used successfully (Marrington et al., 2011).