Once you start analyzing the MFT, you'll realize that file records contain a lot more dates than you first thought. However, I suspect what you're seeing is internal file metadata. I don't know about AutoCad per se, but many files (e.g., MS Office) contain their own internal time stamps (e.g., creation, last printed) that are independent of the file system in which the files are stored. For a file that was created in place (as opposed to copied from another system), one would expect the timestamps to be almost identical, when corrected for time zone. However, if files are copied from an external source, the creation time may vary wildly, as the semantics of internal metadata are different from file system metadata.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 

Tucker,

it seems that this is the case (internal file metadata). Is there a way to see the history of actions made to a file (if the file was moved, times and data of openings, etc)?  

Now you're getting into territory that requires real expertise and a thorough understanding of how Windows works and the artifacts it leaves behind in NTFS. Unfortunately, there's no simple journal that lists all that information. If this is critically important to your case, you'll have to piece together a narrative that fits the facts, and it's an iterative process.

Start with a hypothesis -- what do you think might have happened to this file? Then examine artifacts that will either prove or disprove your hypothesis, refining your hypothesis depending on where the evidence leads you. You may end up examining USBSTOR keys, MRU lists, LNK shortcuts, restore points, and possibly even the MFT/$USNJrnl/$Logfile, which is a new research area but may allow you to deduce some history.

This is going to be complex stuff if you're new to forensics. Frankly, you may want to start by reading chapters 11-13 of Brian Carrier's book "File System Forensic Analysis."

Good luck.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 

Tucker,

you are very kind. This is really fascinating. I'm new at foresncis, but I know I'm goint to learn a lot in this case. At this very moment, I'm creating a virtual machine of the raw image of the computer I'm investigating. I'll try some tools to examine the registry, hives and artifacts.

Thanks a lot for your help!  

as far as i know in windows OSes, and on NTFS filesystems when you COPY a file, a new timestamp is defined for the creation date of the target file, while the last modified date is inherited by the source file.
So it's not uncommon on windows formatted hard drive (especially those used for storage purposes) to see file where the creation date is later then the last modify date.
from this you can also infer that the file you are analyzing is most likely a copy of a file which was existing elsewhere and which wasn't edited after the copy process

correct me if i'm wrong.  

Rampage,

what you say seems to be the most likely scenario.