File Allocation Chronology and its Impact on Digital Forensics

Event construction and sequencing are integral to the digital investigation process to build a sound case and admissible evidence. When dealing with deleting files, forged files, or file fragments, an investigator might not be able to consider many key artifacts because of forged or missing timestamps. In this work, we are investigating the applicability of using neighboring files to infer a timestamp of a key artifact using a real data set of over a thousand hard drives focusing on FAT drives. We performed an empirical study using the Real Data Set to understand the adjacent files' chronology and present our findings in this research.