CN102194071B - Time-domain-based data evidence acquisition and cross analysis method - Google Patents

Info

Publication number
CN102194071B
Authority
CN
China
Prior art keywords
file
index
time
entry
timestamp
Prior art date
Legal status
Expired - Fee Related
Application number
CN2011101314214A
Other languages
Chinese (zh)
Other versions
CN102194071A (en)
Inventor
邹恒明
丁小芹
Current Assignee
JIAXING YUGE INFORMATION TECHNOLOGY Co Ltd
Original Assignee
JIAXING YUGE INFORMATION TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by JIAXING YUGE INFORMATION TECHNOLOGY Co Ltd
Priority to CN2011101314214A
Publication of CN102194071A
Application granted
Publication of CN102194071B
Expired - Fee Related
Anticipated expiration

Abstract

The invention relates to a time-domain-based data forensics and cross-analysis method for the NTFS (New Technology File System) file system, in the field of information security. The method has two parts: extraction of file timestamps and analysis of file timestamps. For extraction, the logical partition parameters are obtained by resolving the target file's path, the metadata of the target file is located by reading the index files, and the timestamps are parsed out of it. For analysis, every target file first undergoes a credibility check and is then analysed according to its file type. Because the timestamps are read directly from the file metadata and the two sets are cross-analysed, a reliable conclusion is reached.

Description

Time-domain-based data forensics and cross-analysis method
Technical field
The present invention relates to a computer data forensics method in the field of information security, and specifically to a time-domain-based data forensics and cross-analysis method for the NTFS (New Technology File System) file system.
Background technology
Computer crime is frequent and the importance of data forensics grows daily. Data forensics applies data investigation and analysis techniques to identifying and obtaining potential, valid evidence: using computer hardware and software techniques, the computer data evidence stored on magnetic media in encoded form is protected, confirmed, extracted, archived, analysed and reported according to a defined procedure. In every kind of forensic investigation, time-domain evidence plays a vital role. Yet time information is updated frequently, and many anti-forensic tools can tamper with it, which greatly lowers the credibility of time evidence and poses a serious challenge to forensics based on simple time-series analysis.
A search of the prior art found no existing data forensics method based on the time domain. Chinese application CN200510011634.8 proposes a forensic analysis system for extracting and analysing digital evidence, comprising an evidence protection layer, an evidence analysis layer and an evidence presentation layer; it does not collect time-domain evidence and cannot guarantee that the extracted evidence has not been maliciously tampered with. Chinese application CN200610140801.3 proposes an electronic data forensics method for computers; it mentions the file system as a possible data source but does not analyse it concretely.
Summary of the invention
To address these shortcomings of the prior art, the invention provides a time-domain-based data forensics and cross-analysis method for NTFS, so that when investigators examine an NTFS volume that has been intruded or attacked they can, by extracting and analysing the timestamps in file metadata, reliably infer the operations the intruder performed on the computer during the time of the crime, and at the same time counter anti-forensic techniques.
The invention is realised by the following technical solution. The method comprises two parts: extracting file timestamps and analysing file timestamps. Extraction: on an NTFS volume, locate the metadata entry of the suspicious file or directory from its path, then extract the file timestamps held in its $STANDARD_INFORMATION and $FILE_NAME attributes. Analysis: perform credibility analysis and operation inference on the timestamps extracted in the first part, and draw the corresponding forensic conclusion.
Extracting file timestamps comprises the following steps:
Step 1: obtain the path of the suspicious file or directory, check that the path is valid, and decompose it into a logical partition (volume) identifier, the directory names at each level, the file name and the extension.
Step 2: using the decomposed path, read the boot sector of the logical partition holding the file and obtain the partition's parameters as laid out there.
Step 3: using those partition parameters, read the NTFS system metadata.
Step 4: from the system metadata, locate the entry point of the root index file, traverse the index and find the index record entry $INDEX_ENTRY of the target file.
Step 5: from that $INDEX_ENTRY, locate the target file's metadata entry and parse the file timestamps out of it.
Step 6: return the result.
Step 2 in detail:
1) Open the logical partition identified in the path decomposition of step 1.
2) Read cluster 0 of the opened partition, i.e. the boot sector, which records the partition's key parameters (sector size, cluster size, the starting cluster of the MFT and the MFT record size).
Step 3 in detail:
1) From the partition parameters of step 2, obtain the physical disk offset of the Master File Table (hereafter MFT), which stores the metadata of every file.
2) From that address, obtain the entry point of the file system's root index file (the root directory) as the format defines it.
Step 4 in detail:
1) From the root index entry obtained in step 3, obtain the physical disk location of the index structures.
2) Following the path name parsed in step 1, search from the root index one directory level at a time by name until the index entry of the target's parent directory, and finally of the target itself, is found. Concretely:
① Following the index file layout, locate the $INDEX_ROOT attribute through the index entry.
② From the attribute header of $INDEX_ROOT, obtain the start address and size of the $INDEX_ENTRY records held in that attribute.
③ Read $INDEX_ENTRY records one by one from that start address. If the record read is the target's index entry, step 4 is complete. Otherwise continue with the next $INDEX_ENTRY up to the last one. The entries are kept in sorted order, so as soon as the binary comparison of the name in the entry just read against the target name shows that the target cannot be in this node (the entry's name sorts after the target), stop this sub-step.
④ Take the last $INDEX_ENTRY read in ③ and obtain from it the location of the first $INDEX_ENTRY of the sub-node in $INDEX_ALLOCATION that it points to.
⑤ Using the parameters in the attribute header, read the $INDEX_ALLOCATION attribute data; map the virtual cluster number (VCN) at which that sub-node's $INDEX_ENTRY records start to a logical cluster number (LCN), and return to ③.
Step 5 in detail:
1) Parse the MFT record number of the target file from the $INDEX_ENTRY obtained in step 4.
2) Using the MFT start address from step 3 and the partition parameters from step 2, locate the MFT record with that number.
3) Parse the $STANDARD_INFORMATION (hereafter $SI) and $FILE_NAME (hereafter $FN) attributes in that MFT record and, following each attribute header, extract the MACE times: creation time (C), last modification time (M), MFT entry modification time (E) and last access time (A). Two sets of MACE times are obtained in this way; for brevity, "attribute.timestamp" below denotes the corresponding timestamp, e.g. $SI.C.
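The parsing of step 5, as an added worked example written for this page (Python; it is not code from the patent). It builds a constructed 1024-byte FILE record with resident $STANDARD_INFORMATION and $FILE_NAME attributes, applies the update-sequence fixups the way NTFS writes them to disk, and then parses the record back into the two MACE sets. The header and attribute offsets follow the NTFS on-disk layout; the timestamps, the file name a.txt and the record number 1342 are sample values, not data from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
SECTOR = 512


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, microsecond precision."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(record):
    """Undo the update sequence array: on disk the last two bytes of every sector hold the
    USN and the real bytes sit in the array. A mismatch means a torn or corrupted record,
    so refuse to parse rather than return timestamps taken from half-written data."""
    usa_off, usa_cnt = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def _mace(buf, off):
    c, m, e, a = struct.unpack_from("<4Q", buf, off)      # on-disk order is C, M, E, A
    return {"C": filetime_to_dt(c), "M": filetime_to_dt(m),
            "E": filetime_to_dt(e), "A": filetime_to_dt(a)}


def parse_mft_record(record):
    """Return SI.MACE, FN.MACE, the file name and the record number of one FILE record."""
    record = apply_fixups(record)
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]        # offset of the first attribute
    out = {"record_number": struct.unpack_from("<I", record, 0x2C)[0]}
    while True:
        atype, alen, nonresident = struct.unpack_from("<IIB", record, off)
        if atype == ATTR_END:
            break
        if not nonresident:                                 # $SI and $FN are always resident
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                out["SI"] = _mace(content, 0)
            elif atype == ATTR_FILE_NAME:                   # last $FN wins; a full tool keeps each namespace
                out["FN"] = _mace(content, 8)               # MACE follows the 8-byte parent reference
                out["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        off += alen
    return out


def build_mft_record(si, fn, name, record_number, parent_ref=5, size=1024):
    """Constructed FILE record (sample data, not read from a disk): resident $SI and $FN,
    with fixups applied the way NTFS writes them, so parse_mft_record sees an on-disk image."""
    def mace_bytes(m):
        return struct.pack("<4Q", *(dt_to_filetime(m[k]) for k in "CMEA"))

    def resident(atype, content):
        length = (0x18 + len(content) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
        return (hdr + content).ljust(length, b"\0")

    si_body = mace_bytes(si) + bytes(16)                    # flags/version fields zeroed
    fn_body = (struct.pack("<Q", parent_ref) + mace_bytes(fn) + struct.pack("<QQII", 0, 0, 0x20, 0)
               + bytes([len(name), 1]) + name.encode("utf-16-le"))
    attrs = (resident(ATTR_STANDARD_INFORMATION, si_body) + resident(ATTR_FILE_NAME, fn_body)
             + struct.pack("<II", ATTR_END, 0))
    usa_off, usa_cnt = 0x30, 1 + size // SECTOR
    first_attr = (usa_off + 2 * usa_cnt + 7) & ~7
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_cnt, 0, 1, 1, first_attr, 1,
                      first_attr + len(attrs), size, 0, 2, 0, record_number)
    buf = bytearray((hdr.ljust(first_attr, b"\0") + attrs).ljust(size, b"\0"))
    usn = usa = b"\x01\x00"
    for i in range(1, usa_cnt):                             # stash real sector tails, write the USN
        end = i * SECTOR
        usa += bytes(buf[end - 2:end])
        buf[end - 2:end] = usn
    buf[usa_off:usa_off + len(usa)] = usa
    return bytes(buf)


# Sample timestamps (constructed): four identical $SI values, $FN showing a later arrival time.
SAMPLE_SI = {k: datetime(2011, 5, 20, 10, 0, tzinfo=timezone.utc) for k in "CMEA"}
SAMPLE_FN = {k: datetime(2011, 5, 21, 5, 20, tzinfo=timezone.utc) for k in "CMEA"}
SAMPLE_RECORD = build_mft_record(SAMPLE_SI, SAMPLE_FN, "a.txt", 1342)

if __name__ == "__main__":
    parsed = parse_mft_record(SAMPLE_RECORD)
    for attr in ("SI", "FN"):
        print(attr, {k: v.isoformat() for k, v in parsed[attr].items()})
```

The fixup check is the part a forensic reader must not skip: a record whose sector tails do not carry the update sequence number is torn or corrupted, and timestamps read from it prove nothing. Reading the record directly is also what yields $FN.MACE at all, since the file-time APIs only surface the $SI values.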
Analysing file timestamps comprises the following steps:
Step 1: check the credibility of the target's timestamps against Table 1 (effect of common operations on file timestamps in NTFS) and Table 2 (effect of common operations on directory timestamps in NTFS).
Step 2: using Tables 1 and 2, analyse which operations produced the timestamps that passed the credibility check.
Step 1 in detail, by target type:
1) If the target is a file, under normal conditions $SI.M <= $SI.E, $SI.C <= $FN.C and $SI.C <= $SI.A. If any condition fails, the presence of an anti-forensic tool should be considered. One special case exists: a replacement within the volume (the file overwritten by a same-named file) can produce $SI.C > $FN.C or $SI.C > $SI.A, and $SI.E is then the replacement time. To identify the replaced file, scan the MFT records of all deleted files: the replaced file should have the same name and type as the current file, an equal $SI.C, and a deletion time consistent with the replacement. If no such file is found, the current file's timestamps are not credible.
2) If the target is a directory, under normal conditions $SI.M <= $SI.E, $SI.C = $FN.C and $SI.C <= $SI.A; if any condition fails, the directory's timestamps are not credible.
Table 1: effect of common operations on file timestamps in NTFS (table image not reproduced on this page).
* Marked rules apply only on systems where last-access-time updating is enabled; otherwise that timestamp stays unchanged. (Windows Vista and later disable this update by default through the NtfsDisableLastAccessUpdate setting.)
Table 2: effect of common operations on directory timestamps in NTFS (table image not reproduced on this page).
* Marked rules apply only on systems where last-access-time updating is enabled; otherwise that timestamp stays unchanged.
Step 2 in detail:
1) For all file types: if $SI.C < $FN.C, the file was moved across volumes to this volume and has not been renamed or moved within the volume since; $FN.C is the time of the last cross-volume move. In that case $SI.E = $FN.M = $FN.A = $FN.C = $FN.E must hold; if it does not, the file's timestamps have been maliciously modified. If $SI.C > $SI.M, the file's content and summary properties were not modified on this volume; if $SI.C = $SI.M, the file has not been modified since it was created; if $SI.C < $SI.M, $SI.M is the last time the content or summary properties were modified on this volume.
2) By target type:
① If the target is a file other than an Office document or an .exe: if $SI.C > $SI.M and $SI.C > $SI.E, the file is a copy from another volume, and $SI.M and $SI.E were inherited from the source file. If $SI.A = $SI.C = $FN.M = $FN.A = $FN.C = $FN.E, the file has not been renamed or moved within the volume two or more times. If $FN.M = $FN.A = $FN.C = $FN.E does not hold, $FN.MACE is a copy of the $SI.MACE values as they stood at the last rename or in-volume move.
② If the target is an Office document: if $FN.M = $FN.A = $FN.E > $SI.C, $FN.M is the latest time the document's content was modified on this volume. If in addition $SI.E = $FN.M, the file was not renamed or moved within the volume after that modification. If $SI.E > $SI.M, $SI.E is the time of the last in-volume rename, move or change of general properties. If $SI.M is not equal to $FN.M, the timestamps may have been maliciously modified. If $SI.M = $SI.E > $SI.A >= $SI.C, $SI.M is the time the file's summary properties were last modified.
③ If the target is an .exe file, $SI.E of this file type represents its last access time and must therefore be the newest of the $SI.M, $SI.A and $SI.C times; if this does not hold, the timestamps are not credible.
④ If the target is a directory: if $SI.M = $SI.A = $SI.E > $SI.C, $SI.E is the last time the directory's index structure changed, i.e. a file or subdirectory was added, deleted or renamed, or the directory was replaced by one of the same name. Traverse the $SI.E and $FN.E of every file and subdirectory in the directory; any entry whose $SI.E or $FN.E equals the directory's $SI.E is the most recently added or renamed entry. If no such entry is found, consider that a file or subdirectory was deleted from the directory.
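The credibility rules of step 1 and the operation inference of step 2, as an added example written for this page (Python; not the patent's code). The functions encode the conditions stated above; the file kinds "file", "office", "exe" and "dir" are labels chosen here. The timestamps in the constructed scenario are invented to reproduce the shape of the embodiment below: a file whose four $SI values were reset after it arrived in a directory, while $FN still carries the arrival time.

```python
from datetime import datetime, timezone


def ts(text):
    """'YYYY-MM-DD HH:MM' -> aware UTC datetime (helper for the constructed samples)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def mace(c, m, e, a):
    return {"C": ts(c), "M": ts(m), "E": ts(e), "A": ts(a)}


def credibility_check(kind, si, fn):
    """First analysis step. kind is 'file', 'office', 'exe' or 'dir'; si and fn are the
    $SI and $FN MACE dicts. Returns the violated rules; an empty list means 'credible'."""
    bad = []
    if si["M"] > si["E"]:
        bad.append("SI.M > SI.E")
    if kind == "dir":
        if si["C"] != fn["C"]:
            bad.append("SI.C != FN.C")
    elif si["C"] > fn["C"]:
        bad.append("SI.C > FN.C (anti-forensic tool, or in-volume replacement: check deleted MFT records)")
    if si["C"] > si["A"]:
        bad.append("SI.C > SI.A")
    return bad


def infer_operations(kind, si, fn):
    """Second analysis step: which operations could have produced these timestamps."""
    found = []
    if si["C"] < fn["C"]:                      # rule for all file types
        found.append("moved in from another volume at FN.C, no rename/move since")
        if not (si["E"] == fn["M"] == fn["A"] == fn["C"] == fn["E"]):
            found.append("SI.E and FN.MACE disagree after a cross-volume move: SI tampered")
    if si["C"] > si["M"]:
        found.append("content/summary properties not modified on this volume")
    elif si["C"] == si["M"]:
        found.append("never modified since creation")
    else:
        found.append("last content/summary change at SI.M")
    if kind == "file":
        if si["C"] > si["M"] and si["C"] > si["E"]:
            found.append("copied from another volume; SI.M and SI.E inherited from the source")
        if si["A"] == si["C"] == fn["M"] == fn["A"] == fn["C"] == fn["E"]:
            found.append("fewer than two renames/moves inside this volume")
    elif kind == "office":
        if fn["M"] == fn["A"] == fn["E"] > si["C"]:
            found.append("FN.M is the latest content save on this volume")
            if si["E"] == fn["M"]:
                found.append("no rename/move since that save")
        if si["E"] > si["M"]:
            found.append("SI.E is the last rename/move/general-property change")
        if si["M"] != fn["M"]:
            found.append("SI.M != FN.M: timestamps may have been manipulated")
    elif kind == "exe":
        if si["E"] < max(si["M"], si["A"], si["C"]):
            found.append("SI.E is not the newest $SI time: not credible")
    elif kind == "dir" and si["M"] == si["A"] == si["E"] > si["C"]:
        found.append("index last changed at SI.E (entry added, deleted or renamed)")
    return found


def children_changed_at(dir_si, children):
    """Entries whose SI.E or FN.E equals the directory's SI.E: the most recently added or
    renamed entries. children maps name -> (si, fn). An empty result suggests a deletion."""
    t = dir_si["E"]
    return [name for name, (si, fn) in children.items() if si["E"] == t or fn["E"] == t]


# Constructed scenario in the shape of the embodiment (values invented for illustration):
# a.txt arrived in D:\test at 05:20 on 21 May, then all four $SI stamps were reset to 20 May.
DIR_SI = mace("2011-05-01 09:00", "2011-05-21 05:20", "2011-05-21 05:20", "2011-05-21 05:20")
DIR_FN = mace("2011-05-01 09:00", "2011-05-01 09:00", "2011-05-01 09:00", "2011-05-01 09:00")
FILE_SI = mace(*["2011-05-20 10:00"] * 4)
FILE_FN = mace(*["2011-05-21 05:20"] * 4)


def analyse_embodiment():
    """Run the checks on the constructed scenario and return their results."""
    return {
        "dir_check": credibility_check("dir", DIR_SI, DIR_FN),
        "file_check": credibility_check("file", FILE_SI, FILE_FN),
        "dir_ops": infer_operations("dir", DIR_SI, DIR_FN),
        "file_ops": infer_operations("file", FILE_SI, FILE_FN),
        "changed": children_changed_at(DIR_SI, {"a.txt": (FILE_SI, FILE_FN)}),
    }


if __name__ == "__main__":
    for key, value in analyse_embodiment().items():
        print(key, value)
```

Both credibility checks pass on this scenario, exactly as in the embodiment; it is the cross check between $SI.E and $FN.MACE under the cross-volume-move rule, and the directory's $SI.E matching the child's $FN.E, that exposes the reset $SI values.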
Characteristics of the invention with respect to data forensics:
1) Most existing time-domain forensic techniques obtain timestamps by calling the Windows API for reading file times, which yields only $SI.MAC. The invention obtains the timestamps by reading the binary MFT record of the file, giving more complete and accurate results than the API.
2) Most existing time-domain forensic techniques analyse only $SI.MACE. The invention cross-analyses $SI.MACE with $FN.MACE, and the results are more reliable.
3) Since many current anti-forensic tools can modify the MACE times of $SI, the invention performs credibility analysis on the extracted timestamps and can, to a certain extent, detect timestamps maliciously tampered with by such tools.
4) The invention analyses different file types differently, which makes it more specific and more widely applicable.
Description of drawings
Fig. 1 is the flow chart of file timestamp extraction in the invention;
Fig. 2 is the flow chart of file timestamp analysis in the invention.
Embodiment
This example is implemented on the premise of the technical solution of the invention and gives a detailed implementation and operating procedure, but the scope of protection of the invention is not limited to this example.
Forensic analysis is performed on the suspicious directory D:\test and the file D:\test\a.txt.
1. First, extract the timestamps of the suspicious file D:\test\a.txt. The steps are:
1) Obtain the path D:\test\a.txt and check that it is valid: that it contains no illegal characters and that every directory level and the file exist. The path is valid, and it decomposes into the partition identifier "D", the directory name "test", the file name "a" and the extension ".txt".
2) Using the partition identifier "D" from 1), read cluster 0 of that partition, i.e. the boot sector. Bytes 11 and 12 give a sector size of 512 bytes; byte 13 gives 2 sectors per cluster, i.e. 1024 bytes; bytes 48 to 55 give the MFT starting cluster number 342709 (0x00053ab5); byte 64 gives an MFT record size of 1 cluster.
3) From the MFT start address found in 2), locate the MFT; the MFT record of the root index file (the root directory) is at an offset of 5 clusters, i.e. record 5.
4) Parse the root index MFT record obtained in 3) as follows:
① Following the index file layout, locate the $INDEX_ROOT attribute through the index entry.
② From the attribute header of $INDEX_ROOT, obtain the start address and size of the $INDEX_ENTRY records held in that attribute.
③ Read $INDEX_ENTRY records one by one from that start address. If the record read is the target's index entry, step 4 is complete. Otherwise continue with the next $INDEX_ENTRY up to the last one. The entries are kept in sorted order, so as soon as the binary comparison of the name in the entry just read against the target name shows that the target cannot be in this node (the entry's name sorts after the target), stop this sub-step.
④ Take the last $INDEX_ENTRY read in ③ and obtain from it the location of the first $INDEX_ENTRY of the sub-node in $INDEX_ALLOCATION that it points to.
⑤ Using the parameters in the attribute header, read the $INDEX_ALLOCATION attribute data; map the virtual cluster number (VCN) at which that sub-node's $INDEX_ENTRY records start to a logical cluster number (LCN), and return to ③.
5) From the $INDEX_ENTRY found in 4), parse the MFT record number of the target file: 1342. Using the MFT start address from 3), locate MFT record 1342. Parse its $STANDARD_INFORMATION and $FILE_NAME attributes and, following each attribute header, extract the MACE times: creation time, last modification time, MFT entry modification time and last access time.
6) Read the timestamps of D:\test by the method of steps 1) to 5).
At this point the $SI.MACE and $FN.MACE timestamps of the suspicious directory D:\test and of the file D:\test\a.txt have been extracted, as shown in Table 3.
Table 3: extracted $SI.MACE and $FN.MACE of D:\test and D:\test\a.txt (table image not reproduced on this page).
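The boot-sector parsing of sub-step 2) and the record lookup of sub-steps 3) and 5), as an added example written for this page (Python; not the patent's code). The sample boot sector is constructed with the values quoted above (512-byte sectors, 2 sectors per cluster, $MFT at cluster 342709); the function names are chosen here. It also covers the case the example above does not show: byte 0x40 is a signed value, and a negative value -n means an MFT record of 2**n bytes, which is what current Windows volumes store (0xF6, i.e. 1024-byte records) whatever the cluster size.

```python
import struct

BOOT_SECTOR_SIZE = 512


def parse_ntfs_boot_sector(bs):
    """Pull the volume parameters the extraction step needs out of a raw NTFS boot sector.
    Offsets: 0x0B bytes/sector, 0x0D sectors/cluster, 0x30 $MFT cluster, 0x38 $MFTMirr
    cluster, 0x40 clusters per MFT record (signed byte), 0x1FE boot signature."""
    if len(bs) < BOOT_SECTOR_SIZE or bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    mft_cluster, mftmirr_cluster = struct.unpack_from("<QQ", bs, 0x30)
    clusters_per_record = struct.unpack_from("<b", bs, 0x40)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A positive value counts clusters; a negative value -n means a record of 2**n bytes.
    # Multiplying blindly would give a 64 KiB "record" on a volume storing 0xF6.
    if clusters_per_record > 0:
        record_size = clusters_per_record * cluster_size
    else:
        record_size = 1 << -clusters_per_record
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "mft_cluster": mft_cluster,
        "mft_offset": mft_cluster * cluster_size,
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "record_size": record_size,
    }


def mft_record_offset(params, record_number):
    """Byte offset of MFT record N. Valid only while the $MFT $DATA run is contiguous up to N;
    a complete tool reads record 0 ($MFT itself) and follows its data runs beyond the first."""
    return params["mft_offset"] + record_number * params["record_size"]


def sample_boot_sector(clusters_per_record_byte=1):
    """Constructed boot sector with the embodiment's values: 512-byte sectors, 2 sectors per
    cluster, $MFT at cluster 342709 (0x53AB5). Not an image of a real volume."""
    bs = bytearray(BOOT_SECTOR_SIZE)
    bs[0:3] = b"\xEB\x52\x90"                    # jump instruction
    bs[3:11] = b"NTFS    "                       # OEM id
    struct.pack_into("<HB", bs, 0x0B, 512, 2)    # bytes/sector, sectors/cluster
    struct.pack_into("<QQ", bs, 0x30, 342709, 2) # $MFT and $MFTMirr start clusters
    bs[0x40] = clusters_per_record_byte          # 1 cluster per record, as in the embodiment
    bs[0x44] = 1                                 # clusters per index buffer
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


if __name__ == "__main__":
    p = parse_ntfs_boot_sector(sample_boot_sector())
    print(p)
    print("root directory (record 5) at byte offset", mft_record_offset(p, 5))
    print("record 1342 at byte offset", mft_record_offset(p, 1342))
```

With the embodiment's values the MFT begins at byte 342709 * 1024 and record 1342 sits 1342 records further on, provided the MFT has not been fragmented before that point.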
2. Analyse the timestamps of the suspicious directory D:\test and of the file D:\test\a.txt. The steps are:
1) Credibility analysis of the D:\test timestamps: $SI.M = $SI.E, $SI.C = $FN.C, $SI.C < $SI.A. Credibility analysis of the D:\test\a.txt timestamps: $SI.M = $SI.E, $SI.C <= $FN.C, $SI.C = $SI.A. Both pass the credibility analysis.
2) Analysing the timestamps of D:\test: $SI.M = $SI.A = $SI.E > $SI.C, so $SI.E is the last time the directory's index structure changed (a file or subdirectory added, deleted or renamed, or the directory replaced by a same-named directory). Checking D:\test\a.txt, its $SI.E is not equal to that time, but all four of its $FN.MACE are. According to Table 1, only a file moved or copied across volumes produces this pattern. Since current anti-forensic tools can directly modify $SI.MACE, the conclusion is that the intruder moved or copied the file a.txt into the D:\test directory at 05:20 and afterwards modified the four $SI timestamps to make it look like a file created on May 20.

Claims (5)

1. A time-domain-based data forensics and cross-analysis method, characterized in that it comprises two parts, extracting file timestamps and analysing file timestamps, wherein:
Extracting file timestamps comprises the following steps:
Step 1: obtain the path of the suspicious file or directory, check that the path is valid, and decompose it into a logical partition identifier, the directory names at each level, the file name and the extension;
Step 2: using the decomposed path, read the boot sector of the logical partition holding the file and obtain the partition's parameters as laid out there;
Step 3: using those partition parameters, read the NTFS system metadata;
Step 4: from the system metadata, locate the entry point of the root index file, traverse the index and find the index record entry $INDEX_ENTRY of the target file;
Step 5: from that $INDEX_ENTRY, locate the target file's metadata entry and parse the file timestamps out of it;
Step 6: return the result;
Analysing file timestamps comprises the following steps:
Step 1: check the credibility of the target's timestamps against the rules for the effect of common NTFS operations on file timestamps and on directory timestamps, the credibility check comprising:
11) if the target is a file, $SI.M <= $SI.E, $SI.C <= $FN.C and $SI.C <= $SI.A must hold; if any condition fails, note that a replacement within the volume can cause $SI.C > $FN.C or $SI.C > $SI.A, in which case $SI.E is the replacement time; to find the replaced file, scan the MFT records of all deleted files for a file of the same name and type as the current file, with an equal $SI.C and a deletion time consistent with the replacement; if no such file is found, the current file's timestamps are not credible;
12) if the target is a directory, $SI.M <= $SI.E, $SI.C = $FN.C and $SI.C <= $SI.A must hold; if any condition fails, the directory's timestamps are not credible;
Step 2: using the rules for the effect of common NTFS operations on file timestamps and on directory timestamps, analyse which operations produced the timestamps that passed the credibility check, the analysis comprising:
21) for all file types: if $SI.C < $FN.C, the file was moved across volumes to this volume and has not been renamed or moved within the volume since, and $FN.C is the time of the last cross-volume move; in that case $SI.E = $FN.M = $FN.A = $FN.C = $FN.E must hold, and if it does not, the file's timestamps have been maliciously modified; if $SI.C > $SI.M, the file's content and summary properties were not modified on this volume; if $SI.C = $SI.M, the file has not been modified since it was created; if $SI.C < $SI.M, $SI.M is the last time the content or summary properties were modified on this volume;
22) by target type:
221) if the target is a file other than an Office document or an .exe: if $SI.C > $SI.M and $SI.C > $SI.E, the file is a copy from another volume, and $SI.M and $SI.E were inherited from the source file; if $SI.A = $SI.C = $FN.M = $FN.A = $FN.C = $FN.E, the file has not been renamed or moved within the volume two or more times; if $FN.M = $FN.A = $FN.C = $FN.E does not hold, $FN.MACE is a copy of the $SI.MACE values as they stood at the last rename or in-volume move;
222) if the target is an Office document: if $FN.M = $FN.A = $FN.E > $SI.C, $FN.M is the latest time the document's content was modified on this volume, and if in addition $SI.E = $FN.M, the file was not renamed or moved within the volume after that modification; if $SI.E > $SI.M, $SI.E is the time of the last in-volume rename, move or change of general properties; if $SI.M is not equal to $FN.M, the timestamps may have been maliciously modified; if $SI.M = $SI.E > $SI.A >= $SI.C, $SI.M is the time the file's summary properties were last modified;
223) if the target is an .exe file, $SI.E of this file type represents its last access time and must therefore be the newest of the $SI.M, $SI.A and $SI.C times; if this does not hold, the timestamps are not credible;
224) if the target is a directory: if $SI.M = $SI.A = $SI.E > $SI.C, $SI.E is the last time the directory's index structure changed, i.e. a file or subdirectory was added, deleted or renamed, or the directory was replaced by one of the same name; traverse the $SI.E and $FN.E of every file and subdirectory in the directory, and any entry whose $SI.E or $FN.E equals the directory's $SI.E is the most recently added or renamed entry; if no such entry is found, a file or subdirectory was deleted from the directory.
2. The time-domain-based data forensics and cross-analysis method according to claim 1, characterized in that step 2 of extracting file timestamps comprises:
1) opening the logical partition identified in the path decomposition of step 1;
2) reading cluster 0 of the opened partition, i.e. the boot sector, which records the partition's key parameters.
3. The time-domain-based data forensics and cross-analysis method according to claim 1, characterized in that step 3 of extracting file timestamps comprises:
1) from the partition parameters obtained in step 2, obtaining the physical disk offset of the Master File Table (MFT), which stores the metadata of all files;
2) from that address, obtaining the entry point of the file system's root index file as the format defines it.
4. The time-domain-based data forensics and cross-analysis method according to claim 1, characterized in that step 4 of extracting file timestamps comprises:
1) from the root index entry obtained in step 3, obtaining the physical disk location of the index structures;
2) following the path name parsed in step 1, searching from the root index one directory level at a time by name until the index entry of the target file's parent directory is found, specifically:
① following the index file layout, locating the $INDEX_ROOT attribute through the index entry;
② from the attribute header of $INDEX_ROOT, obtaining the start address and size of the $INDEX_ENTRY records held in that attribute;
③ reading $INDEX_ENTRY records one by one from that start address; if the record read is the target's index entry, step 4 is complete; otherwise continuing with the next $INDEX_ENTRY up to the last one; the entries being kept in sorted order, stopping this sub-step as soon as the binary comparison of the name in the entry just read against the target name shows that the target cannot be in this node;
④ taking the last $INDEX_ENTRY read in ③ and obtaining from it the location of the first $INDEX_ENTRY of the sub-node in $INDEX_ALLOCATION that it points to;
⑤ using the parameters in the attribute header, reading the $INDEX_ALLOCATION attribute data, mapping the virtual cluster number (VCN) at which that sub-node's $INDEX_ENTRY records start to a logical cluster number (LCN), and returning to ③.
5. The time-domain-based data forensics and cross-analysis method according to claim 1, characterized in that step 5 of extracting file timestamps comprises:
1) parsing the MFT record number of the target file from the $INDEX_ENTRY obtained in step 4;
2) locating that MFT record using the MFT start address obtained in step 3 and the parameters obtained in step 2;
3) parsing the $STANDARD_INFORMATION and $FILE_NAME attributes in that MFT record and extracting from each, following the attribute header, the MACE times: creation time, last modification time, MFT entry modification time and last access time, giving two sets of MACE times in total.
CN2011101314214A 2011-05-20 2011-05-20 Time-domain-based data evidence acquisition and cross analysis method Expired - Fee Related CN102194071B (en)


Publications (2)

Publication Number Publication Date
CN102194071A CN102194071A (en) 2011-09-21
CN102194071B true CN102194071B (en) 2013-06-05

Family

ID=44602131


Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488390B (en) * 2014-12-13 2018-05-25 哈尔滨安天科技股份有限公司 A kind of apocrypha under Linux finds method and system
CN109344579A (en) * 2018-11-01 2019-02-15 厦门市美亚柏科信息股份有限公司 A kind of determination method and device of time confidence level
CN112733187B (en) * 2021-01-11 2022-10-11 重庆邮电大学 Digital evidence obtaining, analyzing and identifying method based on time attribute

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101000646A (en) * 2007-01-17 2007-07-18 北京大学 Copyright protection method and system for digital contents controlled by time
CN101464900A (en) * 2009-01-15 2009-06-24 上海交通大学 Light file hiding method in NTFS file system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100225811A1 (en) * 2009-03-05 2010-09-09 Nokia Corporation Synchronization of Content from Multiple Content Sources



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130605

Termination date: 20140520