Name | Description | Size | Format |
---|---|---|---|
 | | 2.66 MB | Adobe PDF |
Authors
Abstract(s)
Detecting timestamp manipulation on NTFS file systems has historically been
challenging, with early tools producing unreliable results in real-world scenarios.
Previous methods, as highlighted by Oh et al., often suffered from limitations such
as generating false positives by misidentifying normal file system events as manipulation
or being unable to detect intentional alterations in timestamps. Tools
like NTFS Log Tracker v1.71 and TimestampAnalyser struggled to reliably identify
such manipulations. However, recent advancements, such as the release of
NTFS Log Tracker v1.9 in May 2024, have demonstrated improved accuracy. The
updated tool, as detailed in “Forensic Detection of Timestamp Manipulation for
Digital Forensic Investigation,” integrates multiple forensic detection algorithms
by leveraging the $MFT, $LogFile, and $UsnJrnl, along with additional system artifacts
like Windows Prefetch and LNK files. These enhancements aim to more
effectively detect timestamp manipulation in digital forensic investigations. This
project explores these advancements and provides updated information about
the effects of file operations on NTFS timestamps.
Description
Keywords
Computer forensics; NTFS file system; Enterprise; Digital forensic analysis