DocumentCode :
1565143
Title :
Finding Evidence of Antedating in Digital Investigations
Author :
Willassen, Svein Yngvar
Author_Institution :
Dept. of Telematics, Norwegian Univ. of Sci. & Technol., Trondheim
fYear :
2008
Firstpage :
26
Lastpage :
32
Abstract :
Finding evidence of antedating is an important goal in many digital investigations. This paper explores how causality can expose antedating by investigating storage systems for causality and correlating causality with stored timestamps. Causality is determined in two different system types: storage systems using sequence numbers and storage systems using the first-fit allocation strategy. Causality found in these systems was used to implement a timestamp consistency checker for the NTFS file system. The implementation was then tested in an experiment, in which four subjects were asked to antedate a document on a given computer in such a way that the antedating could not be determined by an investigator. The results from this experiment show that the implemented consistency checker can be used to expose antedating. Investigators can use this method to find evidence of antedating to be presented to fact-finders in real cases.
Keywords :
computer crime; document handling; file organisation; antedating; causality; digital investigations; first-fit allocation strategy; storage systems; timestamps; Availability; Clocks; Digital systems; File systems; Law; Legal factors; Production; Security; Testing; Timing; antedating; evidence; forensics;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Availability, Reliability and Security, 2008. ARES 08. Third International Conference on
Conference_Location :
Barcelona
Print_ISBN :
978-0-7695-3102-1
Type :
conf
DOI :
10.1109/ARES.2008.149
Filename :
4529317