Authors: Ahmed Bahjat and Jim Jones
DFRWS EU 2019
Abstract
Timestamps play a substantial role during digital forensic investigations and address two main objectives. First, they serve as a primary culling criterion to reduce the amount of digital evidence subject to analysis. Second, timestamps are the sole feature that allows reliable reconstruction of time-lines and they assist in locating temporal anomalies. File fragments, typically from previously deleted or relocated content, are often useful, especially when intact files are unavailable. Such fragments rarely contain embedded timestamps or have file-system timestamp information, which renders them less useful. In this work, We investigate and propose a framework for determining time-window for deleted file fragments that are typically found in un-allocated space and file slack. We hypothesize that using the known temporal state of neighboring clusters allows us to derive a date-and-time range for when the file fragment was first written to media until it was subsequently deleted.