Timestamp Analysis of Windows File Systems by File Manipulation Operations

In digital forensics, the creation time, last modified time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, depending on the user's actions such as copy, transfer, or network transport of files. Specific changes of the time information may be of considerable help in analyzing the user's actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the NTFS and attempts to reconstruct the user's actions.