In computer forensics, digital evidence related to time is both important and complex. The rules of changes in time associated with digital evidence, such as files or folders, can be used to analyze certain user behaviors like data access, modification or transfer. However, the format and the rules in time information for user actions are quite different for different file systems, even for different versions of operating systems with the same file system.
Some research on temporal analysis has already been done on NTFS and FAT file systems, while there are few resources that describe temporal analysis on the Hierarchical File System Plus (HFS+), the default file system in Apple computer. Moreover, removable devices like USB disks are used frequently; transferring files and folders between different devices with different file systems and operating systems happens more and more frequently, so the changes of times across different file systems are also crucial in digital forensics and investigations.
In this research, the changes in time attributes of files and folders resulting from user actions on the HFS+ file system and across file systems are analyzed, and the rules of time are generated by inductive reasoning to help reconstruct crime scenes in the digital forensic investigation. Since inductive reasoning is not definitely true compared with deductive reasoning, experiments are performed to validate the rules. The usage of the rules is demonstrated by analyzing a case in details. The methods proposed here are efficient, practical and easy to put into practice in real scenarios. / published_or_final_version / Computer Science / Master / Master of Philosophy
Identifer | oai:union.ndltd.org:HKU/oai:hub.hku.hk:10722/192867 |
Date | January 2013 |
Creators | Wang, Mengmeng, 王萌萌 |
Contributors | Chow, KP |
Publisher | The University of Hong Kong (Pokfulam, Hong Kong) |
Source Sets | Hong Kong University Theses |
Language | English |
Detected Language | English |
Type | PG_Thesis |
Source | http://hub.hku.hk/bib/B50900122 |
Rights | The author retains all proprietary rights, (such as patent rights) and the right to use in future works., Creative Commons: Attribution 3.0 Hong Kong License |
Relation | HKU Theses Online (HKUTO) |
Page generated in 0.0017 seconds