DiskForge: Timestomping on Disk Images for Educational Benefit

Pohl N, Voigt L, Hargreaves CJ, Fein C, Freiling F (2025)

Publication Language: English

Publication Type: Journal article

Publication year: 2025

Journal

Digital Threats: Research and Practice ACM Digital Library

Article Number: 3748265

DOI: 10.1145/3748265

Open Access Link: https://dl.acm.org/doi/10.1145/3748265

Abstract

Despite many advances in automatic exercise generation tools in digital forensics, many disk images for training and education are still manually created. The resulting disk images are commonly useful, but often need to be adapted because of the need to scrub artifacts of the generation process or adapt file contents or timestamps for evidence individualization. Since common forensics tools do not allow easy editing of evidence, we present DiskForge, an extensible framework for performing small changes to disk images in educational circumstances. DiskForge combines the typical parsing functionalities from disk forensics tools and combines them with the option to update and edit structures within the disk. To demonstrate the applicability of DiskForge, we instantiate the framework for the use case of timestomping, i.e., changing timestamps in file system metadata, log files, and SQLite databases. For each of these instances, we demonstrate the new level of ease and precision for timestamp manipulation on disk images. Our evaluation, however, also highlights the fragile nature of timestamp interpretation in current forensic tooling, and ultimately that creating perfect forgeries is harder than merely changing bits on disk.

Authors with CRIS profile

Lena Voigt Graduiertenkolleg 2475/2 - Cyberkriminalität und Forensische Informatik Felix Freiling Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)

Related research project(s)

GRK2475: Cyberkriminalität und Forensische Informatik (GRK 2475) Oct. 1, 2019 - Sept. 30, 2028

Involved external institutions

Albstadt-Sigmaringen University DE Germany (DE) University of Oxford GB United Kingdom (GB)

How to cite

APA:

Pohl, N., Voigt, L., Hargreaves, C.J., Fein, C., & Freiling, F. (2025). DiskForge: Timestomping on Disk Images for Educational Benefit. Digital Threats: Research and Practice. https://doi.org/10.1145/3748265

MLA:

Pohl, Niclas, et al. "DiskForge: Timestomping on Disk Images for Educational Benefit." Digital Threats: Research and Practice (2025).

BibTeX: Download