DocumentCode :
624955
Title :
Forensic Application-Fingerprinting Based on File System Metadata
Author :
Kalber, Sven ; Dewald, Andreas ; Freiling, Felix C.
Author_Institution :
Dept. of Comput. Sci., Friedrich-Alexander-Univ., Erlangen, Germany
fYear :
2013
fDate :
12-14 March 2013
Firstpage :
98
Lastpage :
112
Abstract :
While much work has been invested in tools for acquisition and extraction of digital evidence, there are only a few tools that allow for automatic event reconstruction. In this paper, we present a generic approach for forensic event reconstruction based on digital evidence from file systems. Our approach applies the idea of fingerprinting to changes made by applications in file system metadata. We present a system with which it is possible to automatically compute file system fingerprints of individual actions. Using NTFS timestamps as an example, we show that with our approach it is possible to automatically reconstruct actions performed by different applications even if the sets of files accessed by those actions overlap.
Keywords :
digital forensics; meta data; NTFS timestamps; automatic action reconstruction; automatic event reconstruction; automatic file system fingerprint computation; digital evidence acquisition; digital evidence extraction; file system metadata; forensic application; forensic event reconstruction; Digital forensics; Electronic mail; File systems; Fingerprint recognition; Hard disks; Application Fingerprinting; Digital Forensics; Digital Investigation; Event Reconstruction;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
IT Security Incident Management and IT Forensics (IMF), 2013 Seventh International Conference on
Conference_Location :
Nuremberg
Print_ISBN :
978-1-4673-6307-5
Type :
conf
DOI :
10.1109/IMF.2013.20
Filename :
6568558