The Use of File Timestamps in Digital Forensics

Renico Koen and Martin S Olivier

2008

Citation information

R Koen and MS Olivier, "The Use of File Timestamps in Digital Forensics," in HS Venter, MM Eloff, JHP Eloff and L Labuschagne (eds), Proceedings of the ISSA 2008 Innovative Minds Conference, Johannesburg, South Africa, July 2008 (Published electronically)

Abstract

Digital evidence is not well perceived by the human senses. Crucial pieces of digital evidence may simply be missed by investigators as the forensic significance of seemingly unimportant pieces of collected data may not be fully understood. This paper will discuss how abstract pieces of information may be extracted from seemingly insignificant evidence sources such as file timestamps by making use of correlating evidence sources. The use of file timestamps as a substitute for missing or corrupt log files as well as the information deficiency problem surrounding the use of timestamps will be discussed in detail. A prototype was developed to help investigators to determine the course of events as they occurred according to file timestamps. The prototype results that were obtained as well as prototype flaws will also be addressed.

Keywords

Digital Forensics, Event Reconstruction, Reco Platform, Timestamps

BibTeX entry

@INPROCEEDINGS(timestamps,
  AUTHOR={Renico Koen and Martin S Olivier},
  TITLE={The Use of File Timestamps in Digital Forensics},
  BOOKTITLE={Proceedings of the ISSA 2008 Innovative Minds Conference},
  EDITOR={Hein S Venter and Mariki M Eloff and Jan H P Eloff and Les Labuschagne},
  ADDRESS={Johannesburg, South Africa},
  MONTH={July},
  YEAR={2008},
  NOTE={(Published electronically)} )

Full text

The full text may be downloaded from http://mo.co.za/open/timestamps.pdf (PDF, 126K).


Page maintained by Martin Olivier
Last update: 22 October 2008