A Forensic Timeline Reconstruction and Timestamp Manipulation Detection Tool for File Systems in an Infected Environment

Authors

  • Rajalakshmi A, Assistant Professor, Dept. of CSE, National Engineering College, Kovilpatti, Tamilnadu, India.
  • Sounder Raj M, UG Scholar, Dept. of CSE, National Engineering College, Kovilpatti, Tamilnadu, India.
  • Koushika Ram G, UG Scholar, Dept. of CSE, National Engineering College, Kovilpatti, Tamilnadu, India.
  • Sudhanfrancis M, UG Scholar, Dept. of CSE, National Engineering College, Kovilpatti, Tamilnadu, India.
  • Arul N V, UG Scholar, Dept. of CSE, National Engineering College, Kovilpatti, Tamilnadu, India.
  • Lohesh R S, UG Scholar, Dept. of CSE, National Engineering College, Kovilpatti, Tamilnadu, India.

DOI:

https://doi.org/10.47392/IRJAEH.2026.0009

Keywords:

Digital forensics, NTFS, timeline reconstruction, timestamp manipulation, anti-forensics, credential extraction, malware detection, file integrity, forensic automation, evidence validation

Abstract

System Syndicate is a digital forensic analysis platform for post-incident reconstruction, secure user behavior profiling, evidence integrity validation, and event timeline plotting. It uses deterministic, artifact-driven analysis rather than probabilistic heuristics, so its outputs are objectively demonstrable, verifiable, and legally defensible. It offers nine workflow modules: secure NTFS exploration, high-resolution timelines, browser and activity extraction, static malware detection, credential enumeration, keyword search across disk space, targeted artifact extraction, hash comparison against relevant threat intelligence, and integrity verification through cryptographic checking. The NTFS timestamp manipulation engine likewise avoids probabilistic heuristics and ambiguous observations: it parses $LogFile and $UsnJrnl and checks them against $MFT, $INDX, and LNK metadata to detect, identify, and infer whether timestamps were forged or manipulated, substantiating both covert and overt tampering. Created by DFIR professionals for DFIR professionals, System Syndicate compiles its outputs into thorough, explanatory PDF reports in a chain-of-custody format that present the evidence together with anomalies, timeline graphs, hash mismatches, manipulated timestamps, and recovered credentials. There is nothing like it on the global market; it sets the standard for deterministic, non-AI-based investigative and forensic reconstruction, and it also provides greater system visibility in the area of cryptographic evidence.
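
The kind of cross-check the abstract describes, $UsnJrnl records compared against $MFT timestamps, can be sketched as follows. This is an added example, not System Syndicate's code or algorithm; the record layout, file names, timestamps and the `find_inconsistencies` helper are constructed for illustration, and only the two USN reason flag values are real constants from winioctl.h.

```python
from datetime import datetime, timedelta, timezone

# USN_RECORD reason flags, values from winioctl.h
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_BASIC_INFO_CHANGE = 0x00008000

def ts(text):
    """Parse a constructed sample timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

# Constructed sample data. Key = (MFT entry number, sequence number);
# value = (file name, $STANDARD_INFORMATION creation time from $MFT).
MFT_SI_CREATED = {
    (4211, 3): ("report.docx", ts("2025-03-02 09:14:07")),
    (5120, 1): ("updater.exe", ts("2019-07-16 11:02:00")),
    (5133, 2): ("notes.txt", ts("2025-03-09 08:00:00")),
}
USN_RECORDS = [  # (file reference, journal time, reason mask), constructed
    ((4211, 3), ts("2025-03-02 09:14:07"), USN_REASON_FILE_CREATE),
    ((5120, 1), ts("2025-03-05 22:41:10"), USN_REASON_FILE_CREATE),
    ((5120, 1), ts("2025-03-05 22:41:12"), USN_REASON_BASIC_INFO_CHANGE),
    ((5133, 2), ts("2025-03-04 18:00:00"), USN_REASON_FILE_CREATE),
    ((5133, 2), ts("2025-03-04 18:03:00"), USN_REASON_BASIC_INFO_CHANGE),
]

def find_inconsistencies(mft, usn, tolerance=timedelta(seconds=2)):
    """Return (name, finding) pairs where $MFT and $UsnJrnl disagree."""
    findings = []
    for ref, (name, si_created) in sorted(mft.items()):
        records = [(t, reason) for r, t, reason in usn if r == ref]
        if not records:
            continue  # journal wrapped or never covered this file: no claim
        first_seen = min(t for t, _ in records)
        born_here = [t for t, reason in records
                     if reason & USN_REASON_FILE_CREATE]
        touched = any(reason & USN_REASON_BASIC_INFO_CHANGE
                      for _, reason in records)
        if si_created > first_seen + tolerance:
            # The journal logged activity before the file claims to exist.
            findings.append((name, "created-after-journal-activity"))
        elif born_here and touched and si_created < min(born_here) - tolerance:
            # Created on this volume at a logged time, metadata then changed,
            # and the creation time now predates the logged creation.
            findings.append((name, "created-before-journal-create"))
    return findings
```

A creation time earlier than the journal's create record can also result from archive extraction or a cross-volume move, so such a finding is corroborated against the other artifacts the abstract names ($LogFile, $INDX, LNK metadata) before it is reported as tampering.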

Published

2026-01-05

How to Cite

A Forensic Timeline Reconstruction and Timestamp Manipulation Detection Tool for File Systems in an Infected Environment. (2026). International Research Journal on Advanced Engineering Hub (IRJAEH), 4(01), 63-71. https://doi.org/10.47392/IRJAEH.2026.0009
