Kernel-Level Real-Time Detection of Timestamp Manipulation on Android for Anti-Forensics Resistance 


Vol. 15,  No. 4, pp. 298-305, Apr.  2026
https://doi.org/10.3745/TKIPS.2026.15.4.298


  Abstract

Manipulation of system time or file timestamps is a well-known anti-forensics technique that undermines the reliability of digital forensic investigations. Existing approaches that detect timestamp manipulation primarily rely on system logs, implicitly assuming their trustworthiness and often failing to provide real-time detection. This paper proposes a kernel-level, real-time detection technique for identifying timestamp manipulation events on Android devices. The proposed approach leverages extended Berkeley Packet Filter (eBPF) to monitor system time modification events at the kernel level, while simultaneously employing the inotify API to observe file timestamp changes in user space. By correlating events collected across these layers, the system verifies the integrity of temporal information and detects inconsistencies indicative of timestamp manipulation. Experimental results demonstrate that the proposed technique effectively detects timestamp manipulation attempts performed via system applications and adb shell commands. Compared to existing log-based approaches, the proposed method provides improved resistance against anti-forensics techniques by ensuring reliable, real-time timestamp integrity verification.
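One way to correlate the two event streams the abstract describes, shown as an added example that is not the paper's implementation. The event shapes, the tolerance, and the rule of checking wall-clock values against time reconstructed from a monotonic clock are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

TOLERANCE_S = 2.0  # assumed allowance for scheduling delay and clock drift

@dataclass
class ClockSet:      # assumed shape of a kernel-side "wall clock was set" event
    mono: float      # monotonic seconds since the baseline, immune to clock sets
    new_wall: float  # wall-clock value written (epoch seconds)
    comm: str        # name of the process that made the call

@dataclass
class AttrChange:    # assumed shape of a user-space inotify attribute/write event
    mono: float
    path: str
    mtime: float     # st_mtime read right after the event

def correlate(base_wall, events):
    """Return findings for events whose wall-clock values disagree with the
    time reconstructed from the monotonic clock (base_wall + mono)."""
    findings = []
    offset = 0.0  # current system wall clock minus reconstructed time
    for ev in sorted(events, key=lambda e: e.mono):
        expected = base_wall + ev.mono
        if isinstance(ev, ClockSet):
            offset = ev.new_wall - expected
            if abs(offset) > TOLERANCE_S:
                findings.append(("clock_set", ev.comm, round(offset)))
        else:
            skew = ev.mtime - expected
            if abs(skew) <= TOLERANCE_S:
                continue  # mtime agrees with the reconstructed time
            # Distinguish an mtime inherited from a shifted system clock
            # from one written directly onto the file.
            kind = ("mtime_follows_shifted_clock"
                    if abs(skew - offset) <= TOLERANCE_S else "mtime_set_directly")
            findings.append((kind, ev.path, round(skew)))
    return findings

# Constructed sample events (not taken from the paper).
BASE_WALL = 1_700_000_000.0  # trusted wall-clock time captured at mono = 0
SAMPLE = [
    AttrChange(10.0, "/sdcard/DCIM/a.jpg", BASE_WALL + 10.3),
    ClockSet(20.0, BASE_WALL + 20.0 - 86_400, "settings"),
    AttrChange(25.0, "/sdcard/Download/b.pdf", BASE_WALL + 25.1 - 86_400),
    ClockSet(30.0, BASE_WALL + 30.2, "settings"),
    AttrChange(40.0, "/sdcard/Documents/c.txt", BASE_WALL + 40.0 - 3_600),
]

if __name__ == "__main__":
    for finding in correlate(BASE_WALL, SAMPLE):
        print(finding)
```

Because the reference time comes from the monotonic clock rather than from log entries, a rolled-back system clock and a directly rewritten file mtime surface as separate findings.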

  Cite this article

[IEEE Style]

G. Ahn, S. Ann, S. Cho, "Kernel-Level Real-Time Detection of Timestamp Manipulation on Android for Anti-Forensics Resistance," The Transactions of the Korea Information Processing Society, vol. 15, no. 4, pp. 298-305, 2026. DOI: https://doi.org/10.3745/TKIPS.2026.15.4.298.

[ACM Style]

Gyun-Seong Ahn, Seokhyun Ann, and Seong-Je Cho. 2026. Kernel-Level Real-Time Detection of Timestamp Manipulation on Android for Anti-Forensics Resistance. The Transactions of the Korea Information Processing Society, 15, 4, (2026), 298-305. DOI: https://doi.org/10.3745/TKIPS.2026.15.4.298.