Strategies and Challenges of Timestamp Tampering for Improved Digital Forensic Event Reconstruction (extended version)
- URL: http://arxiv.org/abs/2501.00175v1
- Date: Mon, 30 Dec 2024 23:05:11 GMT
- Title: Strategies and Challenges of Timestamp Tampering for Improved Digital Forensic Event Reconstruction (extended version)
- Authors: Céline Vanini, Jan Gruber, Christopher Hargreaves, Zinaida Benenson, Felix Freiling, Frank Breitinger
- Abstract summary: We investigate the problem of users tampering with timestamps on a running ("live") system. By performing a qualitative user study with advanced university students, we observe, for example, a commonly applied multi-step approach. We derive factors that influence the reliability of successful tampering, such as the individual knowledge about temporal traces.
- Score: 3.9055399604553536
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Timestamps play a pivotal role in digital forensic event reconstruction, but due to their non-essential nature, tampering or manipulation of timestamps is possible by users in multiple ways, even on running systems. This has a significant effect on the reliability of the results from applying a timeline analysis as part of an investigation. In this paper, we investigate the problem of users tampering with timestamps on a running ("live") system. While prior work has shown that digital evidence tampering is hard, we focus on the question of why this is so. By performing a qualitative user study with advanced university students, we observe, for example, a commonly applied multi-step approach in order to deal with second-order traces (traces of traces). We also derive factors that influence the reliability of successful tampering, such as the individual knowledge about temporal traces, and technical restrictions to change them. These insights help to assess the reliability of timestamps from individual artifacts that are relied on for event reconstruction and subsequently reduce the risk of incorrect event reconstruction during investigations.
Related papers
- Understanding the Limits of Deep Tabular Methods with Temporal Shift [28.738848567072004]
We introduce a plug-and-play temporal embedding method based on Fourier series expansion to learn and incorporate temporal patterns.
Our experiments demonstrate that this temporal embedding, combined with the improved training protocol, provides a more effective and robust framework for learning from temporal data.
arXiv Detail & Related papers (2025-02-27T16:48:53Z) - Evaluating tamper resistance of digital forensic artifacts during event reconstruction [0.0]
This article proposes a framework to assess the tamper resistance of data sources used in event reconstruction. We discuss factors affecting data resilience, introduce a scoring system for evaluation, and illustrate its application with case studies.
arXiv Detail & Related papers (2024-12-17T11:32:02Z) - GenDFIR: Advancing Cyber Incident Timeline Analysis Through Retrieval Augmented Generation and Large Language Models [0.08192907805418582]
Cyber timeline analysis is crucial in Digital Forensics and Incident Response (DFIR). Traditional methods rely on structured artefacts, such as logs and metadata, for evidence identification and feature extraction. This paper introduces GenDFIR, a framework leveraging large language models (LLMs), specifically Llama 3.1 8B in zero shot mode, integrated with a Retrieval-Augmented Generation (RAG) agent.
arXiv Detail & Related papers (2024-09-04T09:46:33Z) - On the Identification of Temporally Causal Representation with Instantaneous Dependence [50.14432597910128]
Temporally causal representation learning aims to identify the latent causal process from time series observations.
Most methods require the assumption that the latent causal processes do not have instantaneous relations.
We propose an IDentification framework for instantaneOus Latent dynamics.
arXiv Detail & Related papers (2024-05-24T08:08:05Z) - DOMINO: Visual Causal Reasoning with Time-Dependent Phenomena [59.291745595756346]
We propose a set of visual analytics methods that allow humans to participate in the discovery of causal relations associated with windows of time delay.
Specifically, we leverage a well-established method, logic-based causality, to enable analysts to test the significance of potential causes.
Since an effect can be a cause of other effects, we allow users to aggregate different temporal cause-effect relations found with our method into a visual flow diagram.
arXiv Detail & Related papers (2023-03-12T03:40:21Z) - GERE: Generative Evidence Retrieval for Fact Verification [57.78768817972026]
We propose GERE, the first system that retrieves evidences in a generative fashion.
The experimental results on the FEVER dataset show that GERE achieves significant improvements over the state-of-the-art baselines.
arXiv Detail & Related papers (2022-04-12T03:49:35Z) - Time Waits for No One! Analysis and Challenges of Temporal Misalignment [42.106972477571226]
We establish a suite of eight diverse tasks across different domains to quantify the effects of temporal misalignment.
We find stronger effects of temporal misalignment on task performance than have been previously reported.
Our findings motivate continued research to improve temporal robustness of NLP models.
arXiv Detail & Related papers (2021-11-14T18:29:19Z) - Content-Based Detection of Temporal Metadata Manipulation [91.34308819261905]
We propose an end-to-end approach to verify whether the purported time of capture of an image is consistent with its content and geographic location.
The central idea is the use of supervised consistency verification, in which we predict the probability that the image content, capture time, and geographical location are consistent.
Our approach improves upon previous work on a large benchmark dataset, increasing the classification accuracy from 59.03% to 81.07%.
arXiv Detail & Related papers (2021-03-08T13:16:19Z) - Automated Artefact Relevancy Determination from Artefact Metadata and Associated Timeline Events [7.219077740523683]
Case-hindering, multi-year digital forensic evidence backlogs have become commonplace in law enforcement agencies throughout the world.
This is due to an ever-growing number of cases requiring digital forensic investigation coupled with the growing volume of data to be processed per case.
Leveraging previously processed digital forensic cases and their component artefact relevancy classifications can facilitate an opportunity for training automated artificial intelligence based evidence processing systems.
arXiv Detail & Related papers (2020-12-02T14:14:26Z) - Change Point Detection in Time Series Data using Autoencoders with a Time-Invariant Representation [69.34035527763916]
Change point detection (CPD) aims to locate abrupt property changes in time series data.
Recent CPD methods demonstrated the potential of using deep learning techniques, but often lack the ability to identify more subtle changes in the autocorrelation statistics of the signal.
We employ an autoencoder-based methodology with a novel loss function, through which the used autoencoders learn a partially time-invariant representation that is tailored for CPD.
arXiv Detail & Related papers (2020-08-21T15:03:21Z) - Fast(er) Reconstruction of Shredded Text Documents via Self-Supervised Deep Asymmetric Metric Learning [62.34197797857823]
A central problem in automatic reconstruction of shredded documents is the pairwise compatibility evaluation of the shreds.
This work proposes a scalable deep learning approach for measuring pairwise compatibility in which the number of inferences scales linearly.
Our method has accuracy comparable to the state-of-the-art with a speed-up of about 22 times for a test instance with 505 shreds.
arXiv Detail & Related papers (2020-03-23T03:22:06Z)