CSDL Home A ARES 2008 2012 Seventh International Conference on Availability, Reliability and Security
Mar. 4, 2008 to Mar. 7, 2008
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ARES.2008.149
Finding evidence of antedating is an important goal in many digital investigations. This paper explores how causality can expose antedating by investigating storage systems for causality and correlate causality with stored timestamps. Causality is determined in two different system types; storage systems using sequence numbers and storage systems using the first-fit allocation strategy. Causality found in these systems was used to implement a timestamp consistency checker for the NTFS file system. The implementation was then tested in an experiment, in which four subjects were asked to antedate a document on a given computer in such a way that the antedating could not be determined by an investigator. The results from this experiment show that the implemented consistency checker can be used to expose antedating. Investigators can use this method to find evidence of antedating to be presented to fact-finders in real cases.
antedating, evidence, forensics
Svein Yngvar Willassen, "Finding Evidence of Antedating in Digital Investigations", ARES, 2008, 2012 Seventh International Conference on Availability, Reliability and Security, 2012 Seventh International Conference on Availability, Reliability and Security 2008, pp. 26-32, doi:10.1109/ARES.2008.149