Analysis of Timestamp Manipulation Detection Tools

Bibliographic details
Main author: Santos, Luís Paulo Monteiro dos
Publication date: 2024
Document type: Master's thesis (Dissertação)
Language: English
Source: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
Full text: http://hdl.handle.net/10400.8/10299
Abstract: Detecting timestamp manipulation on NTFS file systems has historically been challenging, with early tools producing unreliable results in real-world scenarios. Previous methods, as highlighted by Oh et al., often suffered from limitations such as generating false positives by misidentifying normal file system events as manipulation, or being unable to detect intentional alterations of timestamps at all. Tools such as NTFS Log Tracker v1.71 and TimestampAnalyser struggled to reliably identify such manipulations. Recent advancements, such as the release of NTFS Log Tracker v1.9 in May 2024, have demonstrated improved accuracy. The updated tool, as detailed in "Forensic Detection of Timestamp Manipulation for Digital Forensic Investigation", integrates multiple forensic detection algorithms that leverage the $MFT, $LogFile and $UsnJrnl, along with additional system artifacts such as Windows Prefetch and LNK files. These enhancements aim to detect timestamp manipulation more effectively in digital forensic investigations. This project examines these advancements and provides updated information on the effects of file operations on NTFS timestamps.
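The abstract names the $MFT as the first artifact the detection algorithms draw on. The following is an added example written for this record; it is not code from the thesis or from NTFS Log Tracker. It builds a constructed (not real) 1024-byte FILE record holding a $STANDARD_INFORMATION and a $FILE_NAME attribute, parses the two sets of timestamps back out, and applies two widely used $MFT-only heuristics: $SI created earlier than $FN created, and $SI timestamps whose 100-ns fraction is all zero while $FN keeps sub-second precision. Both checks are exactly the kind that can misfire on normal activity (files copied or moved between volumes, applications that legitimately call SetFileTime with whole seconds), which is the false-positive problem the abstract describes; the record builder, file name, and sample times are assumptions for the demonstration, and the constructed record carries no applied update-sequence (fixup) array, which a parser of real $MFT data must handle first.

```python
"""Added example: two $MFT timestamp-consistency heuristics on a constructed FILE record.

Builder and checks are illustrative only (not NTFS Log Tracker's code). The fixup
(update sequence) array is NOT applied here; real records need that before parsing.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TICKS_PER_SECOND = 10_000_000      # FILETIME: 100-ns ticks since 1601-01-01 UTC


def datetime_to_filetime(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Whole-second FILETIME for dt plus an explicit 100-ns fraction (0..9_999_999)."""
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + sub_second_ticks


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def _resident_attr(atype: int, content: bytes) -> bytes:
    """Resident attribute: 0x18-byte header, content at 0x18, total length 8-aligned."""
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + bytes(total - 0x18 - len(content))


def build_mft_record(si_times, fn_times, name="report.docx") -> bytes:
    """Constructed FILE record with only $STANDARD_INFORMATION and $FILE_NAME (assumed name)."""
    si = _resident_attr(ATTR_STANDARD_INFORMATION, struct.pack("<4Q", *si_times) + bytes(16))
    fn_body = struct.pack("<Q4QQQIIBB", 5, *fn_times, 0, 0, 0, 0, len(name), 3)  # parent = root (5)
    fn = _resident_attr(ATTR_FILE_NAME, fn_body + name.encode("utf-16-le"))
    body = si + fn + struct.pack("<I", ATTR_END) + bytes(4)
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<HH", header, 0x04, 0x30, 3)            # fixup array offset / entry count
    struct.pack_into("<HHHH", header, 0x10, 1, 1, 0x38, 0x01)  # seq no, link count, first attr, in-use
    struct.pack_into("<II", header, 0x18, 0x38 + len(body), 1024)
    record = bytes(header) + body
    return record + bytes(1024 - len(record))


def parse_mft_timestamps(record: bytes) -> dict:
    """Walk the attribute chain; return {'SI': (C, M, MFT-M, A), 'FN': (C, M, MFT-M, A)}."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    found = {}
    while True:
        atype = struct.unpack_from("<I", record, off)[0]
        if atype == ATTR_END:
            break
        alen = struct.unpack_from("<I", record, off + 4)[0]
        if record[off + 8] == 0:                               # resident; both attrs always are
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff: off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                found["SI"] = struct.unpack_from("<4Q", content, 0)
            elif atype == ATTR_FILE_NAME and "FN" not in found:   # first $FN only (8.3 + long name)
                found["FN"] = struct.unpack_from("<4Q", content, 8)  # after the 8-byte parent ref
        off += alen
    if "SI" not in found or "FN" not in found:
        raise ValueError("record lacks $STANDARD_INFORMATION or $FILE_NAME")
    return found


def check_record(record: bytes) -> list:
    """Two classic heuristics; each can false-positive (e.g. files moved across volumes)."""
    t = parse_mft_timestamps(record)
    si, fn = t["SI"], t["FN"]
    findings = []
    # $FN created is written by the kernel and is not reachable through SetFileTime; if $SI
    # created is earlier, $SI was most likely backdated after the file already existed.
    if si[0] < fn[0]:
        findings.append("SI created predates FN created")
    # User-mode timestomping utilities commonly write whole seconds, zeroing the 100-ns
    # fraction the kernel would otherwise fill in; $FN keeps the original precision.
    if all(x % TICKS_PER_SECOND == 0 for x in si) and any(x % TICKS_PER_SECOND for x in fn):
        findings.append("all SI timestamps have a zero sub-second fraction while FN does not")
    return findings


# Constructed sample data (not taken from any real image).
T_CREATED = datetime(2024, 5, 10, 9, 15, 30, tzinfo=timezone.utc)
T_MODIFIED = datetime(2024, 5, 12, 17, 40, 5, tzinfo=timezone.utc)
real = (datetime_to_filetime(T_CREATED, 1234567), datetime_to_filetime(T_MODIFIED, 8765432),
        datetime_to_filetime(T_MODIFIED, 8765432), datetime_to_filetime(T_MODIFIED, 8765432))
GENUINE = build_mft_record(real, real)
backdated = tuple(datetime_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc)) for _ in range(4))
TAMPERED = build_mft_record(backdated, real)   # $SI rewritten, $FN left untouched

if __name__ == "__main__":
    for label, rec in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, check_record(rec) or ["no findings"])
```

Both heuristics look only at the $MFT; the $LogFile and $UsnJrnl corroboration that the abstract credits the newer tool version with (an update record for the file with no matching content change, for instance) is what turns these hints into evidence.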
Contributors: Negrão, Miguel Cerdeira Marreiros; Domingues, Patrício Rodrigues; Frade, Miguel Monteiro de Sousa; Repositório IC-Online
Subjects: Computer forensics; NTFS file system; Enterprise; Digital forensic analysis
Dates: 2024-11-19 (issued); 2024-12-11 (added to repository)
Type: master's thesis (published version)
Identifiers: http://hdl.handle.net/10400.8/10299; urn:tid:203754344
Rights: open access
Format: PDF (application/pdf)