ADS Analytics on NTFS Date-time Stamps for Event Reconstruction


Bibliographic Details
Main Authors: CHEN, YUAN-PEI, 陳元培
Other Authors: Kao, Da-Yu
Format: Others
Language: en_US
Published: 2018
Online Access: http://ndltd.ncl.edu.tw/handle/m2hamv
Description
Summary: Master's thesis === Central Police University === Graduate Institute of Information Management === 107 === An Alternate Data Stream (ADS) can be stored in an existing file without affecting its functionality, size, or display. Executables stored in an ADS can be run from the command line. It is common for attackers to hide malware in cover media (files or folders) by creating, modifying, or overwriting an ADS. The storage and handling of ADS in the New Technology File System (NTFS) have posed significant challenges for Law Enforcement Agencies (LEAs). However, processing the content of $DATA updates some metadata attributes, such as the date-time stamps of files, which leaves a trace for further investigation. This temporal information is significant while the computer is running. This study uses files and folders as cover media in which to embed ADS. The experimental results demonstrate the effectiveness of temporal patterns for digital forensics across various types of file operations. The study of file metadata and ADS manipulation assists in establishing timestamp patterns and correlating activities from timestamp evidence. Experimental procedures were conducted to identify the EMAC (Entry-modified, Modified, Accessed, Created) time stamps in $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN), collect experimental observations from the Master File Table (MFT), examine hidden channels, analyze timeline scenarios, and present artifacts and non-artifacts to reconstruct the incident. This study explores the temporal analysis facing the law enforcement community and discusses the application of Forensic Toolkit (FTK) software to cope with the increasingly common ADS feature in digital forensic investigations. It also establishes some timestamp rules for ADS manipulation, enhances the performance of investigations, and helps investigators reconstruct an incident. It is beneficial for investigators evaluating an incident in which an attacker has manipulated ADS to conceal the offense.