Authors: Mridul Sankar Barik (Jadavpur University), Gaurav Gupta (KPMG), Shubhro Sinha (Bengal Engineering and Science University), Alok Mishra (Bengal Engineering and Science University), Chandan Mazumdara (Jadavpur University)
DFRWS USA 2007
Abstract
As electronic documents become more important and valuable in the modern era, attempts are invariably made to take undue-advantage by tampering with them. Tampering with the modification, access and creation date and time stamps (MAC DTS ) of digital documents pose a great threat and proves to be a major handicap in digital forensic investigation. Authentic date and time stamps (ADTS ) can provide crucial evidence in linking crime to criminal in cases of Computer Fraud and Cyber Crimes (CFCC ) through reliable time lining of digital evidence. But the ease with which the MAC DTS of stored digital documents can be changed raises some serious questions about the integrity and admissibility of digital evidence, potentially leading to rejection of acquired digital evidence in the court of Law. MAC DTS procedures of popular operating systems are inherently flawed and were created only for the sake of convenience and not necessarily keeping in mind the security and digital forensic aspects. This paper explores these issues in the context of the Ext2 file system and also proposes one solution to tackle such issues for the scenario where systems have preinstalled plug-ins in the form of Loadable Kernel Modules, which provide the capability to preserve ADTS.