Journal of Computational Methods in Sciences and Engineering

Enhancement of forensic capabilities of the linux kernel via file timestamp preservation


Abstract

The National Institute of Standards and Technology [1] lists the preservation of file timestamps as important for forensic and intrusion-detection purposes. Most operating systems track certain timestamps for each file, the most commonly used being the modification and access times; UNIX-based operating systems retain the last modification time (mtime), the last inode change time (ctime), and the last access time (atime). The weakness is that the operating system holds only the most recently written value of each timestamp: every earlier value is overwritten in place, so the surviving values, together with any inaccuracies in them, do not guarantee that a timeline of events can be reconstructed well enough for effective incident response. This paper proposes a novel approach that augments the core of the pathname lookup operation in the Linux kernel so that the file timestamps of system-wide critical files are preserved accurately and authentically.
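The abstract's point is that the kernel keeps a single, overwritable copy of atime, mtime and ctime per inode, so the history needed for a timeline is lost. The following C program is an added example, not code from the paper or its kernel modification: it is a user-space analogue that records each observed (atime, mtime, ctime) triple of a temporary file into an append-only history, and then shows why preservation matters for authenticity as well as completeness. It performs a normal write (the kernel moves mtime and ctime forward together) and then backdates mtime with futimens(), the same primitive behind `touch -d`. Only the history reveals that mtime went backwards, and because ctime is set only by the kernel, a ctime far ahead of mtime is a usable heuristic for backdating. The names run_demo, analyze_demo, ts_history and looks_backdated, the 60-second slack, the 50 ms tick wait and the /tmp path are all assumptions of this example; the scenario is constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* One preserved (atime, mtime, ctime) triple. The kernel overwrites these
 * in place on every update; this history keeps every value we observed. */
struct ts_record {
    struct timespec atime, mtime, ctime;
};

#define MAX_HISTORY 16
struct ts_history {
    struct ts_record rec[MAX_HISTORY];
    int n;
};

static struct ts_history g_hist;   /* history for the constructed demo */

/* Append the file's current timestamps to the history. */
static int record_timestamps(const char *path, struct ts_history *h)
{
    struct stat st;
    if (h->n >= MAX_HISTORY || stat(path, &st) != 0)
        return -1;
    h->rec[h->n].atime = st.st_atim;
    h->rec[h->n].mtime = st.st_mtim;
    h->rec[h->n].ctime = st.st_ctim;
    h->n++;
    return 0;
}

static int ts_cmp(const struct timespec *a, const struct timespec *b)
{
    if (a->tv_sec != b->tv_sec)
        return a->tv_sec < b->tv_sec ? -1 : 1;
    if (a->tv_nsec != b->tv_nsec)
        return a->tv_nsec < b->tv_nsec ? -1 : 1;
    return 0;
}

/* Heuristic (assumption of this example): mtime is writable from user space
 * (utimensat/touch -d) but ctime is set only by the kernel, so a ctime far
 * ahead of mtime on a record taken right after a change suggests backdating. */
static int looks_backdated(const struct ts_record *r, time_t slack_sec)
{
    return (r->ctime.tv_sec - r->mtime.tv_sec) > slack_sec;
}

/* Kernel timestamps come from a coarse clock; wait past one tick so that
 * consecutive records are allowed to differ. */
static void pause_a_tick(void)
{
    struct timespec d = { 0, 50L * 1000 * 1000 };
    nanosleep(&d, NULL);
}

/* Constructed scenario on a temporary file:
 *   record 0: freshly created
 *   record 1: after a write (kernel moves mtime and ctime forward together)
 *   record 2: after backdating mtime to 2000-01-01 (ctime still moves forward)
 * Returns the number of records kept, or -1 on failure. */
int run_demo(void)
{
    char path[] = "/tmp/tsdemo-XXXXXX";
    struct timespec stomp[2];
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    memset(&g_hist, 0, sizeof g_hist);

    if (record_timestamps(path, &g_hist) != 0) goto fail;
    pause_a_tick();
    if (write(fd, "evidence\n", 9) != 9) goto fail;
    if (record_timestamps(path, &g_hist) != 0) goto fail;
    pause_a_tick();
    stomp[0].tv_sec = 0;         stomp[0].tv_nsec = UTIME_OMIT; /* keep atime */
    stomp[1].tv_sec = 946684800; stomp[1].tv_nsec = 0;          /* 2000-01-01 UTC */
    if (futimens(fd, stomp) != 0) goto fail;
    if (record_timestamps(path, &g_hist) != 0) goto fail;

    close(fd);
    unlink(path);
    return g_hist.n;
fail:
    close(fd);
    unlink(path);
    return -1;
}

/* Bitmask of findings over the preserved history (0x1F when all hold). */
int analyze_demo(void)
{
    const struct ts_record *r = g_hist.rec;
    int v = 0;
    if (g_hist.n < 3) return 0;
    if (ts_cmp(&r[1].mtime, &r[0].mtime) >= 0) v |= 0x01; /* write did not move mtime back */
    if (ts_cmp(&r[2].mtime, &r[1].mtime) < 0)  v |= 0x02; /* backdating moved mtime back */
    if (ts_cmp(&r[2].ctime, &r[1].ctime) >= 0) v |= 0x04; /* ctime never moved back */
    if (looks_backdated(&r[2], 60))            v |= 0x08; /* heuristic flags the stomped record */
    if (!looks_backdated(&r[1], 60))           v |= 0x10; /* and not the honest write */
    return v;
}

int main(void)
{
    int n = run_demo();
    for (int i = 0; i < n; i++)
        printf("rec %d: atime=%lld mtime=%lld ctime=%lld\n", i,
               (long long)g_hist.rec[i].atime.tv_sec,
               (long long)g_hist.rec[i].mtime.tv_sec,
               (long long)g_hist.rec[i].ctime.tv_sec);
    printf("findings=0x%02x\n", analyze_demo());
    return (n == 3 && analyze_demo() == 0x1F) ? 0 : 1;
}
```

Without the history, a later stat() of the file would return only record 2, in which mtime claims the content dates from 2000; the kernel's overwritten mtime from record 1 is gone. Note the limits of the ctime heuristic: an attacker with the ability to change the system clock, or with raw access to the block device, can forge ctime as well, which is why the paper argues for preservation inside the kernel's lookup path rather than after-the-fact inspection.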
