Безопасность информационных технологий (Feb 2013)
Computer Forensics Method in Analysis of Files Timestamps in Microsoft Windows Operating System and NTFS File System
Abstract
All existing file browsers display 3 timestamps for every file in the NTFS file system. Nowadays there are many utilities that can manipulate these temporal attributes to conceal traces of file use. However, every file in NTFS has 8 timestamps that are stored in the file record and can be used to detect attribute substitution. The authors suggest a method for revealing the original timestamps after replacement, and an automated variant of it for a set of files.
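As an added illustration (not the authors' method or code): the 8 timestamps are the four in the $STANDARD_INFORMATION attribute ($SI, the set file browsers draw on) and the four in the $FILE_NAME attribute ($FN). The Python example below reads both sets from one FILE record and applies two commonly used heuristics. The record is constructed, the helper names are hypothetical, and update-sequence fixups are assumed to be already applied.

```python
import struct
from datetime import datetime, timezone

EPOCH_DELTA = 116444736000000000  # 100 ns ticks between 1601-01-01 and 1970-01-01
NAMES = ("created", "modified", "mft_modified", "accessed")
FN_DT = datetime(2013, 2, 1, 10, 30, 5, 123456, tzinfo=timezone.utc)  # constructed

def to_filetime(dt):
    return EPOCH_DELTA + int(dt.timestamp()) * 10_000_000 + dt.microsecond * 10

def parse_timestamps(record):
    """Return {'SI': {...}, 'FN': {...}} of raw FILETIME values from one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    out = {}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker or corrupt length
            break
        if atype in (0x10, 0x30) and record[off + 8] == 0:  # resident $SI / $FN
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            body += 8 if atype == 0x30 else 0  # $FN: skip parent directory reference
            key = "SI" if atype == 0x10 else "FN"
            out.setdefault(key, dict(zip(NAMES, struct.unpack_from("<4Q", record, body))))
        off += alen
    return out

def anomalies(ts):
    """Heuristic indicators of substituted $SI values; indicators, not proof."""
    si, fn, found = ts["SI"], ts["FN"], []
    if si["created"] < fn["created"]:
        found.append("SI created earlier than FN created")
    if all(v % 10_000_000 == 0 for v in si.values()):
        found.append("SI values have no sub-second part")
    return found

def attr(atype, content):
    # Constructed resident attribute: 0x18-byte header followed by the content.
    head = struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(content), 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0, 0)
    return head + content

def sample_record(si_dt=datetime(2009, 1, 1, tzinfo=timezone.utc)):
    # Constructed record: $SI holds si_dt (default: set back to 2009), $FN holds FN_DT.
    si = struct.pack("<4Q", *[to_filetime(si_dt)] * 4) + bytes(16)
    fn = bytes(8) + struct.pack("<4Q", *[to_filetime(FN_DT)] * 4) + bytes(24)
    fn += b"\x01\x03" + "a".encode("utf-16-le")  # name length, namespace, name
    header = b"FILE" + bytes(0x10) + struct.pack("<H", 0x38) + bytes(0x38 - 0x16)
    return header + attr(0x10, si) + attr(0x30, fn) + struct.pack("<I", 0xFFFFFFFF)
```

Both checks produce false positives (for example, $FN values change when a file is renamed or moved, and some copy tools write whole-second times), so a hit marks a file for closer examination rather than proving substitution.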