Abstract

As computer systems become increasingly important to our daily activities, cybercrime has created challenges for the criminal justice system. Data can be hidden in an ADS (Alternate Data Stream) without hindering performance. This feature has been exploited by malware authors, criminals, terrorists, and intelligence agents to erase, tamper with, or conceal secrets. However, ADS issues are largely ignored in digital forensics, and little research has illustrated the contact artifacts of ADS timestamps. This paper performs a sequence of experiments from an inherited variety and provides an in-depth overview of timestamp transfer in data hiding operations. It uses files or folders as original media and applies the timestamp rules as an investigative approach for the forensic exchange analysis of file sets. This paper also explores timestamp rules using case examples, which allow practical applications of crime scene reconstruction in real-world contexts. The experimental results demonstrate the effectiveness of temporal attributes, help digital forensic practitioners uncover hidden relations, and trace the contact artifacts among crime scenes, victims, and suspects/criminals.

Highlights

  • Timestamps in the reconstruction of cybercrimes have proven to be an expedient source of evidence for digital forensic practitioners [1]

  • This paper focuses on the forensic exchange analysis of the NTFS (New Technology File System) and examines the ADS cover media under different user behaviors

  • This paper introduces a set of techniques for evaluating the performance in ADS operations, develops an experimental procedure for detecting them, and plays a role in crime reconstruction

Summary

Introduction

Timestamps in the reconstruction of cybercrimes have proven to be an expedient source of evidence for digital forensic practitioners [1]. The contact artifacts in servers or client computers can serve as the digital equivalent to DNA, hair, fibers, and trace evidence [1,17]. These data may provide primary sources of information to reconstruct events between suspects and victims at a crime scene [18]. There is an increasing need for practitioners to find divisible temporal attributes and to link the timestamp transfer of connected devices at a crime scene. This exchange principle of forensic science can apply to digital material in analyzing data hiding timestamps.
