Analyzing Windows Subsystem for Linux Metadata to Detect Timestamp Forgery - Archive ouverte HAL Access content directly
Conference Papers Year : 2019

Analyzing Windows Subsystem for Linux Metadata to Detect Timestamp Forgery

(1) , (2)
1
2

Abstract

Timestamp patterns assist forensic analysts in detecting user activities, especially operations performed on files and folders. However, the Windows Subsystem for Linux feature in Windows 10 versions 1607 and later enables users to access and manipulate NTFS files using Linux command-line tools within the Bash shell. Therefore, forensic analysts should consider the timestamp patterns generated by file operations performed using Windows command-line utilities and Linux tools within the Bash shell.This chapter describes the identification of timestamp patterns of various file operations in stand-alone NTFS and Ext4 filesystems as well as file interactions between the filesystems. Experiments are performed to analyze the anti-forensic capabilities of file timestamp changing utilities – called timestomping tools – on NTFS and Ext4 filesystems. The forensic implications of timestamp patterns and timestomping are also discussed.
Fichier principal
Vignette du fichier
488399_1_En_9_Chapter.pdf (176.52 Ko) Télécharger le fichier
Origin : Files produced by the author(s)
Loading...

Dates and versions

hal-02534606 , version 1 (07-04-2020)

Licence

Attribution - CC BY 4.0

Identifiers

Cite

Bhupendra Singh, Gaurav Gupta. Analyzing Windows Subsystem for Linux Metadata to Detect Timestamp Forgery. 15th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2019, Orlando, FL, United States. pp.159-182, ⟨10.1007/978-3-030-28752-8_9⟩. ⟨hal-02534606⟩
46 View
67 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More