Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS

Authors: 
Allan Hanbury
Type: 
Speech with proceedings
Proceedings: 
Proceedings of ARES 2017 (ACM International Conference Proceedings Series)
Publisher: 
Pages: 
Year: 
2017
ISBN: 
Abstract: 
Redundant capacity in filesystem timestamps is recently proposed in the literature as an effective means for information hiding and data leakage. Here, we evaluate the steganographic capabilities of such channels and propose techniques to aid digital forensics investigation towards identifying and detecting manipulated filesystem timestamps. Our findings indicate that different storage media and interfaces exhibit different timestamp creation patterns. Such differences can be utilized to characterize file source media and increase the analysis capabilities of the incident response process.
TU Focus: 
Information and Communication Technology
Reference: 

S. Neuner, A. Voyiatzis, M. Schmiedecker, E. Weippl:
"Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS";
Talk: 12th International Conference on Availability, Reliability and Security (ARES 2017), Reggio Calabria, Italy; 29.08.2017 - 01.09.2017; in: "Proceedings of ARES 2017 (ACM International Conference Proceedings Series)", (2017).

Additional information

Last changed: 
01.09.2017 15:52:08
Accepted: 
Accepted
TU Id: 
261036
Invited: 
Department Focus: 
Business Informatics
Author List: 
S. Neuner, A. Voyiatzis, M. Schmiedecker, E. Weippl
Abstract German: