Abstract

Timestamps play a substantial role during digital forensic investigations and address two main objectives. First, they serve as a primary culling criterion to reduce the amount of digital evidence subject to analysis. Second, timestamps are the sole feature that allows reliable reconstruction of timelines, and they assist in locating temporal anomalies. File fragments, typically from previously deleted or relocated content, are often useful, especially when intact files are unavailable. Such fragments rarely contain embedded timestamps or have file-system timestamp information, which renders them less useful. In this work, we investigate and propose a framework for determining a time window for deleted file fragments that are typically found in unallocated space and file slack. We hypothesize that using the known temporal state of neighboring clusters allows us to derive a date-and-time range running from when the file fragment was first written to media until it was subsequently deleted.
