Timestamp Hiccups: Detecting Manipulated Filesystem Timestamps on NTFS
Title | Timestamp Hiccups: Detecting Manipulated Filesystem Timestamps on NTFS |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Neuner, Sebastian; Voyiatzis, Artemios G.; Schmiedecker, Martin; Weippl, Edgar R. |
Conference Name | Proceedings of the 12th International Conference on Availability, Reliability and Security |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-5257-4 |
Keywords | composability, digital forensics, filesystem, information leakage, information security, metrics, NTFS, privacy, pubcrawl, steganography, steganography detection |
Abstract | Redundant capacity in filesystem timestamps was recently proposed in the literature as an effective means for information hiding and data leakage. Here, we evaluate the steganographic capabilities of such channels and propose techniques to aid digital forensics investigation towards identifying and detecting manipulated filesystem timestamps. Our findings indicate that different storage media and interfaces exhibit different timestamp creation patterns. Such differences can be utilized to characterize file source media and increase the analysis capabilities of the incident response process. |
URL | https://dl.acm.org/citation.cfm?doid=3098954.3098994 |
DOI | 10.1145/3098954.3098994 |
Citation Key | neuner_timestamp_2017 |