Analysis of time information for digital investigation

Jewan Bang, Byeongyeong Yoo, Jongsung Kim, Sangjin Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Citations (Scopus)

Abstract

In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.

Original languageEnglish
Title of host publicationNCM 2009 - 5th International Joint Conference on INC, IMS, and IDC
Pages1858-1864
Number of pages7
DOIs
Publication statusPublished - 2009 Dec 1
EventNCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications - Seoul, Korea, Republic of
Duration: 2009 Aug 252009 Aug 27

Other

OtherNCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications
CountryKorea, Republic of
CitySeoul
Period09/8/2509/8/27

Fingerprint

Computer systems
Digital forensics

Keywords

  • Digital investigation
  • File system
  • Time
  • Windows

ASJC Scopus subject areas

  • Computer Graphics and Computer-Aided Design
  • Computer Science Applications
  • Software

Cite this

Bang, J., Yoo, B., Kim, J., & Lee, S. (2009). Analysis of time information for digital investigation. In NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC (pp. 1858-1864). [5331448] https://doi.org/10.1109/NCM.2009.258

Analysis of time information for digital investigation. / Bang, Jewan; Yoo, Byeongyeong; Kim, Jongsung; Lee, Sangjin.

NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC. 2009. p. 1858-1864 5331448.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Bang, J, Yoo, B, Kim, J & Lee, S 2009, Analysis of time information for digital investigation. in NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC., 5331448, pp. 1858-1864, NCM 2009 - 5th International Joint Conference on Int. Conf. on Networked Computing, Int. Conf. on Advanced Information Management and Service, and Int. Conf. on Digital Content, Multimedia Technology and its Applications, Seoul, Korea, Republic of, 09/8/25. https://doi.org/10.1109/NCM.2009.258
Bang J, Yoo B, Kim J, Lee S. Analysis of time information for digital investigation. In NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC. 2009. p. 1858-1864. 5331448 https://doi.org/10.1109/NCM.2009.258
Bang, Jewan ; Yoo, Byeongyeong ; Kim, Jongsung ; Lee, Sangjin. / Analysis of time information for digital investigation. NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC. 2009. pp. 1858-1864
@inproceedings{53d4866866a643c29dae3731f31c3d7e,
title = "Analysis of time information for digital investigation",
abstract = "In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.",
keywords = "Digital investigation, File system, Time, Windows",
author = "Jewan Bang and Byeongyeong Yoo and Jongsung Kim and Sangjin Lee",
year = "2009",
month = "12",
day = "1",
doi = "10.1109/NCM.2009.258",
language = "English",
isbn = "9780769537696",
pages = "1858--1864",
booktitle = "NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC",

}

TY - GEN

T1 - Analysis of time information for digital investigation

AU - Bang, Jewan

AU - Yoo, Byeongyeong

AU - Kim, Jongsung

AU - Lee, Sangjin

PY - 2009/12/1

Y1 - 2009/12/1

N2 - In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.

AB - In digital forensics, the creation time, last written time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, and the information changes the features, depending on the users actions such as copy, transfer, or network transport of files. Specific changes in the time information may be of considerable help in analyzing the users actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the FAT and NTFS file systems and attempts to reconstruct the users actions. Further, it demonstrates the use of time information for digital evidence analysis by presenting a case study.

KW - Digital investigation

KW - File system

KW - Time

KW - Windows

UR - http://www.scopus.com/inward/record.url?scp=73549099132&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=73549099132&partnerID=8YFLogxK

U2 - 10.1109/NCM.2009.258

DO - 10.1109/NCM.2009.258

M3 - Conference contribution

AN - SCOPUS:73549099132

SN - 9780769537696

SP - 1858

EP - 1864

BT - NCM 2009 - 5th International Joint Conference on INC, IMS, and IDC

ER -