Finding Evidence of Antedating in Digital Investigations

  title={Finding Evidence of Antedating in Digital Investigations},
  author={Svein Yngvar Willassen},
  journal={2008 Third International Conference on Availability, Reliability and Security},
Finding evidence of antedating is an important goal in many digital investigations. This paper explores how causality can expose antedating by investigating storage systems for causality and correlate causality with stored timestamps. Causality is determined in two different system types; storage systems using sequence numbers and storage systems using the first-fit allocation strategy. Causality found in these systems was used to implement a timestamp consistency checker for the NTFS file… CONTINUE READING
Highly Cited
This paper has 17 citations. REVIEW CITATIONS

3 Figures & Tables