Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS

Redundant capacity in filesystem timestamps has recently been proposed in the literature as an effective means for information hiding and data leakage. Here, we evaluate the steganographic capabilities of such channels and propose techniques to aid digital forensic investigations in identifying and detecting manipulated filesystem timestamps. Our findings indicate that different storage media and interfaces exhibit different timestamp creation patterns. Such differences can be used to characterize the source media of files and increase the analysis capabilities of the incident response process.
