Identifying Temporal Patterns Using ADS in NTFS for Digital Forensics

  • Conference paper
Security with Intelligent Computing and Big-data Services (SICBS 2017)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 733)

Abstract

The storage and handling of alternate data streams (ADS) in NTFS have posed significant challenges for law enforcement agencies (LEAs). ADS can hide data of any format in additional $DATA attributes of a digital file. Processing the data content updates some date-time stamp metadata attributes of files. This paper introduces ADS and reviews the literature pertaining to the forensic analysis of its data hiding. It describes some temporal patterns for evaluating whether ADS are hidden in digital files. The analysis of file metadata assists in accurately correlating activities from date-time stamp evidence. The results demonstrate the effectiveness of temporal patterns for digital forensics across various types of file operations.

Acknowledgment

This research was partially supported by the Executive Yuan of the Republic of China under the Grants Forward-looking Infrastructure Development Program (Digital Infrastructure-Information Security Project-107) and the Ministry of Science and Technology of the Republic of China under the Grants MOST 106-2221-E-015-002-.

Corresponding author

Correspondence to Da-Yu Kao.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this paper

Kao, DY., Chan, YP. (2018). Identifying Temporal Patterns Using ADS in NTFS for Digital Forensics. In: Peng, SL., Wang, SJ., Balas, V., Zhao, M. (eds) Security with Intelligent Computing and Big-data Services. SICBS 2017. Advances in Intelligent Systems and Computing, vol 733. Springer, Cham. https://doi.org/10.1007/978-3-319-76451-1_26

  • DOI: https://doi.org/10.1007/978-3-319-76451-1_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76450-4

  • Online ISBN: 978-3-319-76451-1

  • eBook Packages: Engineering, Engineering (R0)
