Research area: Analysis
Venue: Digital Threats: Research and Practice
Despite many advances in automatic exercise generation tools in digital forensics, many disk images for training and education are still created manually. The resulting disk images are commonly useful, but often need to be adapted, either to scrub artifacts of the generation process or to adjust file contents or timestamps for evidence individualization. Since common forensics tools do not allow easy editing of evidence, we present DiskForge, an extensible framework for performing small changes to disk images in educational settings. DiskForge takes the typical parsing functionality of disk forensics tools and combines it with the ability to update and edit structures within the disk. To demonstrate the applicability of DiskForge, we instantiate the framework for the use case of timestomping, i.e., changing timestamps in file system metadata, log files, and SQLite databases. For each of these instances, we demonstrate the new level of ease and precision for timestamp manipulation on disk images. Our evaluation, however, also highlights the fragile nature of timestamp interpretation in current forensic tooling, and ultimately that creating perfect forgeries is harder than merely changing bits on disk.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publication country | Germany, United Kingdom |
| Site | ACM |
| Likes | 0 |