Article code: 455949
Journal code: 695609
Publication year: 2013
English article: 11 pages, PDF
Full-text version: free download
English title of the ISI article
A computer forensic method for detecting timestamp forgery in NTFS
Related topics
Engineering and basic sciences; computer engineering; computer networks and communications
English abstract

In this paper, we present a computer forensic method for detecting timestamp forgeries in the Windows NTFS file system. It is difficult to determine with certainty whether timestamps have been changed by examining only the timestamps of the file itself. If we can recover the past timestamps that existed before any changes were made to the file, these can act as evidence of file time forgery. Operations on files leave large amounts of information in the $LogFile; these log records can be used to reconstruct the operations performed on the files and can also serve as forensic evidence. A log record with the 0x07/0x07 opcode in the data part of its Redo/Undo attribute carries both the past and the present timestamps. These past-and-present timestamps can be decisive evidence of timestamp forgery, because they record when and how the timestamps were changed. We used file time change tools that can easily be found on Internet sites. The timestamp change patterns created by these tools differ from those of normal file operations. Seven file operations produce ten timestamp change patterns in total, characterised by the changes to the $STANDARD_INFORMATION attribute and the $FILE_NAME attribute. We made rule sets for detecting timestamp forgery based on comparing the timestamp change patterns produced by the file time change tools with those of normal file operations. We apply the forensic rule sets to “.txt”, “.docx” and “.pdf” file types, and we show the effectiveness and validity of the proposed method. The importance of this research lies in the fact that the past time can be found in $LogFile, which gives decisive evidence of timestamp forgery. This makes the timestamp active evidence rather than merely passive evidence.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 34, May 2013, Pages 36–46
Authors