Skip to Main content Skip to Navigation
Conference papers

Analyzing Windows Subsystem for Linux Metadata to Detect Timestamp Forgery

Abstract : Timestamp patterns assist forensic analysts in detecting user activities, especially operations performed on files and folders. However, the Windows Subsystem for Linux feature in Windows 10 versions 1607 and later enables users to access and manipulate NTFS files using Linux command-line tools within the Bash shell. Therefore, forensic analysts should consider the timestamp patterns generated by file operations performed using Windows command-line utilities and Linux tools within the Bash shell.This chapter describes the identification of timestamp patterns of various file operations in stand-alone NTFS and Ext4 filesystems as well as file interactions between the filesystems. Experiments are performed to analyze the anti-forensic capabilities of file timestamp changing utilities – called timestomping tools – on NTFS and Ext4 filesystems. The forensic implications of timestamp patterns and timestomping are also discussed.
Document type :
Conference papers
Complete list of metadata

Cited literature [20 references]  Display  Hide  Download
Contributor : Hal Ifip <>
Submitted on : Tuesday, April 7, 2020 - 10:37:23 AM
Last modification on : Tuesday, April 7, 2020 - 10:42:36 AM


 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2022-01-01

Please log in to resquest access to the document


Distributed under a Creative Commons Attribution 4.0 International License



Bhupendra Singh, Gaurav Gupta. Analyzing Windows Subsystem for Linux Metadata to Detect Timestamp Forgery. 15th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2019, Orlando, FL, United States. pp.159-182, ⟨10.1007/978-3-030-28752-8_9⟩. ⟨hal-02534606⟩



Record views