Timeline forgery a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded. In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. Finally, we analyze the effect and efficacy of 7 third party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.

Top