Data forensics is becoming increasingly important as computer-related crimes intensify. In forensic investigations, temporal evidence plays a crucial role. However, the inherent volatility of time information and the tampering of such information through anti-forensic techniques have significantly lowered the reliability of temporal evidence and posed great challenges to simple time-based forensics. To overcome this problem, this paper proposes a cross-reference time-based forensics approach for NTFS that analyzes both the discrepancies and the similarities among the various pieces of temporal evidence associated with file metadata and the registry. Experimental results show that our approach can reliably identify certain intrusion activities such as malicious access, modification, copying, and tampering with timestamps. Some thoughts on dealing with anti-forensics are also provided in our analysis.