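@comment{
  galhuber_time_2021: reference for NTFS timestamp behaviour (MACB rules per file
  operation) and for artifacts left by timestamp-forgery tools; cite it when
  justifying timeline-consistency checks in incident response / forensic reports.
  Cleaned from an auto-export: per-word braces in title/booktitle removed (only the
  acronym NTFS is case-protected), entry reflowed one field per line, and a missing
  verb in the abstract restored. The doi value is a shortDOI as exported - verify it
  against the publisher record before relying on it for resolution.
}
@inproceedings{galhuber_time_2021,
  author    = {Galhuber, Michael and Luh, Robert},
  title     = {Time for Truth: Forensic Analysis of {NTFS} Timestamps},
  booktitle = {The 16th International Conference on Availability, Reliability and Security},
  series    = {{ARES} 2021},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  year      = {2021},
  doi       = {10/gnhmbb},
  url       = {http://eprints.cs.univie.ac.at/7091/},
  copyright = {All rights reserved},
  abstract  = {Timeline forgery is a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded. In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. Finally, we analyze the effect and efficacy of 7 third party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.},
  keywords  = {FH SP Cyber Security, Institut für IT Sicherheitsforschung, Konferenz-Paper, Vortrag, best, peer-reviewed},
}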