A New Timestamp Digital Forensic Method Using a Modified Superincreasing Sequence

View Sample PDF

Author(s): Gyu-Sang Cho (Dongyang University, Youngju, Republic of Korea)
Copyright: 2020
Pages: 30
Source title: Digital Forensics and Forensic Investigations: Breakthroughs in Research and Practice
Source Author(s)/Editor(s): Information Resources Management Association (USA)
DOI: 10.4018/978-1-7998-3025-2.ch030

Keywords: Criminal Science and Forensics / Digital Crime & Forensics / Information Science Reference / Security & Forensics

Purchase

View A New Timestamp Digital Forensic Method Using a Modified Superincreasing Sequence on the publisher's website for pricing and purchasing information.

Abstract

This paper proposes a new digital forensic method using a modified superincreasing sequence. Timestamp changes by file commands in Windows NTFS file system are used for identifying what commands were executed and are a useful and a logical way for performing digital forensics. A superincreasing sequence is modified for the timestamp change patterns to make each timestamp pattern have a distinct value. The method has two functions; one is a timestamp change check function and the other is a forensic evaluation function. The former checks differences of timestamps between before and after command execution, and the latter produces a characteristic output by applying ten kinds of timestamp change patterns. According to the characteristic output, the kind of command that is executed is identified. By virtue of adopting the modified superincreasing sequence, the evaluation function could produce distinct characteristic output values and thereby provides a way to reconstruct executed file commands.

The IRMA Community

Research IRM

A New Timestamp Digital Forensic Method Using a Modified Superincreasing Sequence

Purchase

Abstract

Related Content

IRMA Sponsors