A New Timestamp Digital Forensic Method Using a Modified Superincreasing Sequence
Gyu-Sang Cho: Dongyang University, Youngju, Republic of Korea
International Journal of Digital Crime and Forensics (IJDCF), 2016, vol. 8, issue 3, 11-33
This paper proposes a new digital forensic method using a modified superincreasing sequence. Timestamp changes caused by file commands in the Windows NTFS file system are used to identify which commands were executed, and are a useful and logical basis for performing digital forensics. A superincreasing sequence is modified for the timestamp change patterns so that each timestamp pattern has a distinct value. The method has two functions: a timestamp change check function and a forensic evaluation function. The former checks the differences between timestamps before and after command execution, and the latter produces a characteristic output by applying ten kinds of timestamp change patterns. The kind of command that was executed is identified from the characteristic output. By adopting the modified superincreasing sequence, the evaluation function can produce distinct characteristic output values and thereby provides a way to reconstruct executed file commands.
Persistent link: https://EconPapers.repec.org/RePEc:igg:jdcf00:v:8:y:2016:i:3:p:11-33