Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
IEEEARES
2008
IEEE
2008
IEEE
Finding Evidence of Antedating in Digital Investigations
— Finding evidence of antedating is an important goal in many digital investigations. This paper explores how causality can expose antedating by investigating storage systems for causality and correlate causality with stored timestamps. Causality is determined in two different system types; storage systems using sequence numbers and storage systems using the first-fit allocation strategy. Causality found in these systems was used to implement a timestamp consistency checker for the NTFS file system. The implementation was then tested in an experiment, in which four subjects were asked to antedate a document on a given computer in such a way that the antedating could not be determined by an investigator. The results from this experiment show that the implemented consistency checker can be used to expose antedating. Investigators can use this method to find evidence of antedating to be presented to fact-finders in real cases.
Real-time Traffic| Added | 31 May 2010 |
| Updated | 31 May 2010 |
| Type | Conference |
| Year | 2008 |
| Where | IEEEARES |
| Authors | Svein Yngvar Willassen |
Comments (0)
Researcher Info
|
