ADS Analytics on NTFS Date-time Stamps for Event Reconstruction

Master's thesis, Central Police University, Graduate Institute of Information Management, academic year 107.

An Alternate Data Stream (ADS) can be stored in an existing file without affecting its functionality, size, or display. Executables stored in an ADS can be run from the command line, so attackers commonly hide malware in cover media (files or folders) by creating, modifying, or overwriting an ADS. The storage and handling of ADS in the New Technology File System (NTFS) have posed significant challenges for Law Enforcement Agencies (LEAs). However, processing the content of $DATA updates some metadata attributes, such as the file's date-time stamps, which leaves a trace for further investigation. This temporal information is significant while the computer is running. This study uses files and folders as cover media in which to embed an ADS. The experimental results demonstrate the effectiveness of temporal patterns for digital forensics across various types of file operations. Studying file metadata and ADS manipulation helps establish timestamp patterns and correlate activities from timestamp evidence. Experiments were conducted to identify the EMAC time stamps in $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN), collect observations from the Master File Table (MFT), examine hidden channels, analyze timeline scenarios, and present artifacts and non-artifacts to reconstruct the incident. The study explores the temporal analysis facing the law enforcement community and discusses the use of Forensic Toolkit (FTK) software to cope with the increasing use of the ADS feature in digital forensic investigations. It also establishes timestamp rules for ADS manipulation, improves the performance of investigations, and helps investigators reconstruct an incident. These rules benefit investigators evaluating an incident in which an attacker has manipulated ADS to conceal the offense.

Bibliographic Details
Title (Chinese): 利用NTFS上附加資料流的時間戳記進行事件重建
Main Authors: CHEN, YUAN-PEI (陳元培)
Other Authors: Kao, Da-Yu (高大宇)
Institution: Central Police University, Graduate Institute of Information Management
Format: Others (thesis)
Language: en_US
Published: 2018
Online Access: http://ndltd.ncl.edu.tw/handle/m2hamv