International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056
Volume: 12 Issue: 12 | Dec 2025
p-ISSN: 2395-0072
www.irjet.net
An Artifact-Driven Framework for Detecting File Wiping and Timestamp Manipulation in NTFS Systems

Gopika Gopalakrishnan¹, Sreeja S C², Lloyd K L³

¹ Researcher, ER & DCIIT, CDAC, Trivandrum, Kerala, India
² Scientist E, Cyber Forensics Section, CDAC, Trivandrum, Kerala, India
³ Scientist E, Cyber Forensics Section, CDAC, Trivandrum, Kerala, India
Abstract - The rise of sophisticated anti-forensic techniques, particularly file wiping tools and timestamp manipulation, poses significant challenges to modern digital investigations by hindering the recovery and validation of critical evidence. These techniques are deliberately employed to obscure user activity, erase digital traces, and disrupt forensic timelines. This paper presents the development of an anti-forensic detection methodology aimed at identifying and monitoring suspicious activities such as file wiping and timestamp manipulation. It comprises multiple forensic analysis modules capable of parsing core NTFS artifacts such as $MFT, $LogFile, and $UsnJrnl extracted from disk images. In addition, it incorporates Prefetch file analysis to detect the execution of known anti-forensic utilities. By correlating evidence across these sources, the tool enhances the capability of investigators to detect and interpret attempts to tamper with or eliminate digital evidence, thereby strengthening the integrity of forensic examinations. Experimental results highlight the importance of artifact-driven approaches in countering evolving anti-forensic threats.

Key Words: Digital Forensics, File Wiping, Timestamp Manipulation, Prefetch, $UsnJrnl, $LogFile, NTFS Analysis, Anti-Forensics
1. INTRODUCTION

Nowadays, cyber-attacks are becoming more frequent and sophisticated, so it is necessary to understand the techniques used by attackers in order to carry out a correct forensic analysis leading to the identification of the perpetrators [1]. Anti-forensic techniques have evolved significantly over the past decade, posing major challenges to digital forensic practitioners [2]. Among these techniques, file wiping has emerged as one of the most effective methods for permanently destroying digital evidence. Unlike standard file deletion, file wiping overwrites the physical disk sectors that once contained the file’s contents. This process may involve one or multiple overwrite passes using predictable patterns, making the recovery of residual magnetic traces extremely difficult, even with advanced hardware-based recovery technologies.

As anti-forensic techniques and specific tools are developed over time, the traces they leave behind will also change. While there normally appears to be a core group of relatively generic traces, signatures for anti-forensic techniques and programs will need to be maintained over time. Signature-based detection methods have an inherent limitation: if a signature does not exist for a specific anti-forensic technique, then that technique cannot be detected. More data sources, such as Windows Restore Points and log files, should therefore be included in the analysis [3].

Timestamp manipulation is another deliberate and strategic anti-forensic tactic employed to alter the recorded time-related metadata of files or folders on a digital storage system. Most modern file systems—such as NTFS (Windows), ext4 (Linux), or APFS (macOS)—maintain multiple types of timestamps for every file, including creation time, last modification time, last access time, and, in some systems, change time (i.e., when file metadata was last altered).
These timestamps are critical for forensic investigators, as they help reconstruct timelines of user activity, file usage, system events, or potentially malicious behavior.
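To make the detection side of this concrete, the following added example (not code from the paper or its tool) applies two widely used timestomping heuristics to NTFS $MFT timestamps: a comparison of $STANDARD_INFORMATION ($SI) against $FILE_NAME ($FN), and a check for zeroed 100-ns fractions. It assumes the caller has already parsed the FILETIME fields out of each record; the two sample records are constructed.

```python
"""Timestomp indicators over parsed NTFS $MFT timestamps (added illustration).
Assumes $SI and $FN FILETIME fields are already parsed per record; sample records
below are constructed, not taken from a real disk image."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
TICKS_PER_SEC = 10_000_000                          # FILETIME counts 100-ns units


def ft(iso_utc: str, frac_100ns: int = 0) -> int:
    """Build a FILETIME from an ISO-8601 UTC second plus a 100-ns fraction."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return ((dt - EPOCH) // timedelta(seconds=1)) * TICKS_PER_SEC + frac_100ns


def filetime_to_dt(value: int) -> datetime:
    """Convert a FILETIME to a UTC datetime (microsecond precision)."""
    return EPOCH + timedelta(microseconds=value // 10)


def timestomp_indicators(rec: dict) -> list[str]:
    """Return the indicators that fire for one record {'name', 'si', 'fn'}."""
    si, fn, hits = rec["si"], rec["fn"], []
    # 1. $FN timestamps are written by the kernel on creation/rename and are not
    #    settable through SetFileTime-style APIs, so $SI older than $FN is odd.
    for key in ("created", "modified"):
        if si[key] < fn[key]:
            hits.append(f"$SI {key} predates $FN {key}")
    # 2. Second-granularity tooling leaves the 100-ns fraction at zero.
    #    Caveat: files copied from FAT volumes (2-s resolution) do this legitimately.
    if all(si[k] % TICKS_PER_SEC == 0 for k in ("created", "modified")):
        hits.append("$SI created/modified have a zero sub-second fraction")
    return hits


def scan(records: list[dict]) -> dict[str, list[str]]:
    """Map each record name to its indicators, keeping only records that fire."""
    return {r["name"]: h for r in records if (h := timestomp_indicators(r))}


# Constructed sample records: a normal file and one whose $SI was backdated.
CLEAN = {"name": "report.docx",
         "si": {"created": ft("2024-03-05T10:15:30", 1234567), "modified": ft("2024-03-06T08:00:00", 5000000)},
         "fn": {"created": ft("2024-03-05T10:15:30", 1234567), "modified": ft("2024-03-05T10:15:30", 1234567)}}
STOMPED = {"name": "invoice.pdf",
           "si": {"created": ft("2019-01-01T00:00:00"), "modified": ft("2019-01-01T00:00:00")},
           "fn": {"created": ft("2024-03-05T10:15:30", 1234567), "modified": ft("2024-03-05T10:15:30", 1234567)}}

if __name__ == "__main__":
    for name, hits in scan([CLEAN, STOMPED]).items():
        print(name, "->", "; ".join(hits))
```

Indicators fired on a record are leads for correlation with $UsnJrnl and Prefetch evidence, not proof on their own.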
2. BACKGROUND

Anti-forensic methods have a great impact on the reliability and integrity of digital forensic processes, posing major challenges to evidence recovery. File wiping is a deliberate method of data deletion designed to render files completely unrecoverable, even by advanced forensic recovery techniques. Unlike standard file deletion, which merely removes the pointer or reference to the file in the operating system’s file system (such as the Master File Table or $MFT in NTFS), file wiping targets the actual physical location of the data on the storage medium. In a typical deletion, the data still resides on the disk and can often be recovered using forensic tools, because the system only marks the space as “available” without immediately erasing the contents. Wiping, on the other hand, goes far beyond this superficial deletion: it directly overwrites the sectors where the file’s data was stored [4]. This can be done using single or multiple passes of
© 2025, IRJET | Impact Factor value: 8.315 | ISO 9001:2008 Certified Journal | Page 1101