timestampanalyser

Analyses the time-stamps in an NTFS MFT to reverse-engineer what could have happened at those times.

https://github.com/jellebouma/timestampanalyser

Science Score: 67.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
    Found 1 DOI reference(s) in README
  • Academic publication links
    Links to: acm.org
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (9.5%) to scientific vocabulary

Repository

Basic Info
  • Host: GitHub
  • Owner: JelleBouma
  • Language: Java
  • Default Branch: master
  • Homepage:
  • Size: 83 KB
Statistics
  • Stars: 1
  • Watchers: 1
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created about 5 years ago · Last pushed almost 2 years ago
Metadata Files
  • Readme
  • Citation

README.md

Time-stamp Analyser

Each file in NTFS (the Windows filesystem) has eight time-stamps. The Time-stamp Analyser aids forensic investigators by comparing the time-stamps of a file to known effects of file operations to determine what could have happened at those times.

The problem solved by this tool

Traditionally, analysis of time-stamps was done by hand, with rules derived from the known effects of file operations. When operations need to be added to or removed from the operation overview (for example, because of a Windows update), every rule has to be re-evaluated. Furthermore, comparing these rules with time-stamps remains a complex process that can easily lead to human error, because of the large number of possible time-stamp changes that must be considered.

To solve both these problems, the Time-stamp Analyser automatically analyses the time-stamps in an NTFS MFT to reverse-engineer what could have happened at those times.

Usage

The Time-stamp Analyser takes an MFT (Master File Table) as input and compares its time-stamps to the known effects of file operations in OperationList.java. It outputs a text file that contains the possible operations that happened at those time-stamps. https://github.com/eddyvdaker/NTFS-Timestamp-Visualizer is a tool that visualizes this text file.

Parameters

  • input MFT file
  • output file
  • (optional) MFT entry size in bytes; the default is 1024
  • (optional) filter: all (default), deleted (only deleted files), or irregular (only files with time-stamps that don't match any normal file operation)
  • (optional) priority: regular to consider forgery operations only when non-forgery file operations cannot be matched (default), or equal to always consider forgery file operations
  • (optional) list of indexes or file names to be analysed, separated by |. By default every file is analysed.
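The eight time-stamps mentioned at the top of this README are the four FILETIME values in a file's $STANDARD_INFORMATION attribute plus the four in its $FILE_NAME attribute. The Python script below is an added example, not code from the Time-stamp Analyser project: it decodes those eight values from constructed attribute bodies and then explains them with a deliberately small, assumed rule table that mirrors the regular versus equal priority switch described under Parameters. The rules, the constructed records and every helper name are assumptions for illustration; the project's real operation overview lives in OperationList.java and is not reproduced here.

```python
"""Read the eight NTFS time-stamps of a file and explain them with a small rule table.

Added example for this README, not code from the timestampanalyser project. The attribute
bodies are constructed in memory, and the rule table is an assumed, deliberately small
subset of operation/effect knowledge; it is not the project's OperationList.java.
"""
from __future__ import annotations

import struct
from dataclasses import astuple, dataclass
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000   # FILETIME = 100 ns ticks since 1601-01-01 UTC
SI_TIMESTAMP_OFFSET = 0x00       # $STANDARD_INFORMATION body starts with the four FILETIMEs
FN_TIMESTAMP_OFFSET = 0x08       # $FILE_NAME body: 8-byte parent reference, then the four FILETIMEs


def filetime_to_datetime(ticks: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10


@dataclass(frozen=True)
class Timestamps:
    """The four FILETIMEs shared by $STANDARD_INFORMATION and $FILE_NAME, in on-disk order."""
    created: int
    modified: int       # last content change
    mft_modified: int   # last change to the MFT record itself
    accessed: int

    def whole_seconds(self) -> bool:
        """True when every value has a zero sub-second part."""
        return all(t % _TICKS_PER_SECOND == 0 for t in astuple(self))


def parse_timestamps(attr_body: bytes, offset: int) -> Timestamps:
    """Decode four little-endian FILETIMEs from an attribute body at the given offset."""
    return Timestamps(*struct.unpack_from("<4Q", attr_body, offset))


def regular_explanations(si: Timestamps, fn: Timestamps) -> list[str]:
    """Rules for ordinary file operations (assumed subset, not the project's table)."""
    out = []
    if si == fn:
        out.append("creation: all eight time-stamps were set together")
    elif (fn == Timestamps(si.created, si.created, si.created, si.created)
          and si.created <= si.modified <= si.mft_modified):
        out.append("creation, then content modification: $SI modified and MFT-modified "
                   "advanced while $FN kept the creation values")
    return out


def forgery_indicators(si: Timestamps, fn: Timestamps) -> list[str]:
    """Patterns ordinary operations do not leave behind; each also has benign causes."""
    out = []
    if si.created < fn.created:
        out.append("$SI created precedes $FN created: the creation time was rewritten after "
                   "the name record was made (backdating, but also time-stamp-preserving copies)")
    if si.whole_seconds() and not fn.whole_seconds():
        out.append("$SI carries whole-second values while $FN keeps 100 ns precision: typical of "
                   "second-granularity time-stamp setting (also of coarser-grained source filesystems)")
    return out


def explain(si: Timestamps, fn: Timestamps, priority: str = "regular") -> list[str]:
    """Mirror the README's priority switch: 'regular' consults the forgery rules only when no
    regular operation matches; 'equal' always reports both kinds."""
    if priority not in ("regular", "equal"):
        raise ValueError(f"unknown priority {priority!r}")
    regular = regular_explanations(si, fn)
    forgery = forgery_indicators(si, fn)
    found = regular if (priority == "regular" and regular) else regular + forgery
    return found or ["irregular: no rule in this table matches"]


def build_attribute_bodies(si: Timestamps, fn: Timestamps, parent_ref: int = 5) -> tuple[bytes, bytes]:
    """Constructed $STANDARD_INFORMATION and $FILE_NAME body prefixes (test data, not a real MFT)."""
    si_body = struct.pack("<4Q", *astuple(si))
    fn_body = struct.pack("<Q4Q", parent_ref, *astuple(fn))
    return si_body, fn_body


def demo() -> dict[str, list[str]]:
    """Three constructed records: a fresh file, a modified file, and a backdated one."""
    t0 = datetime_to_filetime(datetime(2023, 3, 16, 9, 0, 0, 123456, tzinfo=timezone.utc))
    t1 = t0 + 90 * 60 * _TICKS_PER_SECOND                                   # 90 minutes later
    old = datetime_to_filetime(datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc))  # whole seconds
    cases = {
        "created": (Timestamps(t0, t0, t0, t0), Timestamps(t0, t0, t0, t0)),
        "modified": (Timestamps(t0, t1, t1, t0), Timestamps(t0, t0, t0, t0)),
        "backdated": (Timestamps(old, old, old, old), Timestamps(t0, t0, t0, t0)),
    }
    results = {}
    for name, (si, fn) in cases.items():
        si_body, fn_body = build_attribute_bodies(si, fn)
        results[name] = explain(parse_timestamps(si_body, SI_TIMESTAMP_OFFSET),
                                parse_timestamps(fn_body, FN_TIMESTAMP_OFFSET))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: " + "; ".join(findings))
```

Running the file prints one line per constructed case. Neither forgery indicator is proof on its own: a copy that preserves time-stamps, or a file that came from a filesystem with coarser time resolution, leaves the same traces, which is why a tool of this kind reports possible operations rather than verdicts and lets the analyst decide.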

More information

The paper describing this method and tool: https://dl.acm.org/doi/fullHtml/10.1145/3600160.3605027. Even more information can be found in my thesis: https://www.open.ou.nl/hjo/supervision/2019-jelle.bouma-bsc-thesis.pdf

Furthermore, any questions can be asked in the Issues section or in an e-mail to me.

Owner

  • Name: Jelle Bouma
  • Login: JelleBouma
  • Kind: user
  • Location: Fryslân

Citation (CITATION.cff)

cff-version: 1.2.0
message: "If you use this software, please cite it as below."
authors:
- family-names: "Bouma"
  given-names: "Jelle"
title: "Time-stamp Analyser"
version: 1.0.1
date-released: 2023-03-16
url: "https://github.com/JelleBouma/TimestampAnalyser"


Dependencies

pom.xml maven