A New Timestamp Digital Forensic Method Using a Modified Superincreasing Sequence
This paper proposes a new digital forensic method using a modified superincreasing sequence. Timestamp changes caused by file commands in the Windows NTFS file system are used to identify which commands were executed, and are a useful and logical way of performing digital forensics. A superincreasing sequence is modified for the timestamp change patterns so that each timestamp pattern has a distinct value. The method has two functions: one is a timestamp change check function and the other is a forensic evaluation function. The former checks the differences in timestamps before and after command execution, and the latter produces a characteristic output by applying ten kinds of timestamp change patterns. From the characteristic output, the kind of command that was executed is identified. By adopting the modified superincreasing sequence, the evaluation function can produce distinct characteristic output values and thereby provides a way to reconstruct executed file commands.
| Year of publication: | 2016 |
|---|---|
| Authors: | Cho, Gyu-Sang |
| Published in: | International Journal of Digital Crime and Forensics (IJDCF). - IGI Global, ISSN 1941-6229, ZDB-ID 2703224-3. - Vol. 8.2016, 3 (01.07.), p. 11-33 |
| Publisher: | IGI Global |
| Subject: | Digital Forensics; Evaluation Function; NTFS Filesystem; Superincreasing Sequence; Timestamp Change Pattern |
Online Resource