{"id":988,"date":"2020-02-19T14:01:48","date_gmt":"2020-02-19T19:01:48","guid":{"rendered":"https:\/\/fbreitinger.de\/?p=988"},"modified":"2020-04-14T03:05:14","modified_gmt":"2020-04-14T08:05:14","slug":"dfrws-eu-paper-accepted","status":"publish","type":"post","link":"https:\/\/fbreitinger.de\/?p=988","title":{"rendered":"DFRWS EU &#8211; Paper Accepted"},"content":{"rendered":"<p>Thank you to my co-author David Palmbach from the University of New Haven (CT, US)\u00a0for doing your master's project with me, which resulted in the article: <strong>Artifacts for detecting timestamp manipulation in NTFS on Windows and their reliability<\/strong>. The paper will be presented at the <a href=\"https:\/\/dfrws.org\/conference\/dfrws-eu-2020\/\" target=\"_blank\" rel=\"noopener noreferrer\">Digital Forensics Research Conference (DFRWS EU) in Oxford in March 2020<\/a>.<\/p>\n<h2 class=\"tp_abstract\">Abstract<\/h2><p class=\"tp_abstract\">Timestamps have proven to be an expedient source of evidence for examiners in the reconstruction of computer crimes. Consequently, active adversaries and malware have implemented timestomping techniques (i.e., mechanisms to alter timestamps) to hide their traces. Previous research on detecting timestamp manipulation primarily focused on two artifacts: the $MFT as well as the records in the $LogFile. In this paper, we present a new use of four existing Windows artifacts \u2013 the $USNjrnl, link files, prefetch files, and Windows event logs \u2013 that can provide valuable information during investigations and diversify the artifacts available to examiners. These artifacts contain either information about executed programs or additional timestamps which, when inconsistencies occur, can be used to prove timestamp forgery. Furthermore, we examine the reliability of artifacts being used to detect timestamp manipulation, i.e., testing their ability to retain information against users actively trying to alter or delete them. Based on our findings, we conclude that none of the artifacts analyzed can withstand active exploitation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thank you to my co-author David Palmbach from the University of New Haven (CT, US)\u00a0for doing your master's project with me, which resulted in the article: Artifacts for detecting timestamp manipulation in NTFS on Windows and their reliability. The paper will be presented at the Digital Forensics Research Conference (DFRWS EU) in Oxford in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-988","post","type-post","status-publish","format-standard","hentry","category-publication"],"_links":{"self":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts\/988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=988"}],"version-history":[{"count":10,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts\/988\/revisions"}],"predecessor-version":[{"id":1001,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts\/988\/revisions\/1001"}],"wp:attachment":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=988"}],
"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}