DocumentCode :
2744161
Title :
Global Analysis of Drive File Times
Author :
Rowe, Neil C. ; Garfinkel, Simson L.
Author_Institution :
U.S. Naval Postgrad. Sch., Monterey, CA, USA
fYear :
2010
fDate :
20-20 May 2010
Firstpage :
97
Lastpage :
108
Abstract :
Global analysis is a useful supplement to local forensic analysis of the details of files in a drive image. This paper reports on experiments with global methods to find time patterns associated with disks and files. The Real Disk Corpus of over 1000 drive images from eight countries was used as a corpus. The data was clustered into 63 subsets based on file and directory type, and times were analyzed statistically for each subset. Fourteen important subsets of the files were identified based on their times, including default times (zero, low-default, high-default, and on the hour), bursts of activity (one-time, periodic in the week, and periodic in the day), and those having particular equalities or inequalities between any two of creation, modification, and access times. Using overall statistics for each drive, fourteen kinds of drive usage were recognized, such as a business operating primarily in the evening. Additional work examined the connection between file times and registry times, and adapting these methods to sampled rather than complete data is discussed.
Keywords :
computer forensics; file organisation; pattern clustering; data clustering; drive file times; drive image; global analysis; local forensic analysis; real disk corpus; time patterns; Clocks; Cryptography; Data analysis; Data mining; Digital forensics; Drives; Feature extraction; Image analysis; Pattern recognition; Statistics; clusters; diurnal; drive images; forensics; registry; timestamps; triage;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Systematic Approaches to Digital Forensic Engineering (SADFE), 2010 Fifth IEEE International Workshop on
Conference_Location :
Oakland, CA
Print_ISBN :
978-0-7695-4052-8
Type :
conf
DOI :
10.1109/SADFE.2010.21
Filename :
5491888