Date Analysis

3 Posts
3 Users
0 Likes
331 Views
(@gk-forensics)
Posts: 6
Active Member
Topic starter
 

Hi all,
I have an issue on an NTFS drive which was used as a storage media drive (no OS installed). I have a main folder whose created and last modified dates are nearly the same, only two hours apart. This is explicable due to the included data size. But I have found in the folder some other files and folders that have dates post-dating the head folder. These dates are not only last accessed dates but also created dates and entry modified dates.

Thank you all in advance for your replies.

George

 
Posted : 16/12/2014 1:27 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

NOT what you asked for, but maybe *somewhere* between the lines of this experiment something related can be found:
http://reboot.pro/topic/19746-queer-ntfs-andor-xp-behaviour/

and as well the "original" paper
http://www.forensicfocus.com/Forums/viewtopic/t=9329/
http://www.forensicfocus.com/Forums/viewtopic/p=6560130/#6560130
http://www.forensicfocus.com/Forums/viewtopic/p=6560457/#6560457
http://www.grierforensics.com/pdf/Detecting_Data_Theft_Using_Stochastic_Forensics.pdf
may contain something of use.

jaclaz

 
Posted : 16/12/2014 7:02 pm
(@athulin)
Posts: 1156
Noble Member
 

Hi all,
I have an issue on an NTFS drive which was used as a storage media drive (no OS installed). I have a main folder whose created and last modified dates are nearly the same, only two hours apart. This is explicable due to the included data size.

Sorry – I don't see why data size should have any effect on time stamps. What am I missing?

But I have found in the folder some other files and folders that have dates post-dating the head folder. These dates are not only last accessed dates but also created dates and entry modified dates.

It would help if you explained what it is that bothers you about this. (Have you made tests and not been able to reproduce the results, perhaps?)

If you have been able to eliminate certain types of use cases (say, like unpacking a PKZIP archive with full NTFS timestamp restoration, or a backup restore or … ), that would also be helpful to know.

If the drive was used in some kind of NAS system, you probably also have to factor in what applications provided access to the file system. SAMBA or other CIFS utility I assume, but you could also have rsync, web file access, FTP, P2P software, and perhaps even various cloud services … etc. Timestamp restoration from archived files has already been mentioned. And if that storage system wasn't Windows-based, you can't necessarily fall back on any research based on Windows/Microsoft timestamping.

It's not until you know how each of those possible 'ways-of-getting-a-timestamp' behave in the particular system (not just the disk, but the full system) you are examining that you can really say anything solid about the situation – well, at least as far as I can see from your description.

 
Posted : 20/12/2014 3:07 pm
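A small added example (not code from either poster) of the kind of ordering check discussed above: it lists children whose $STANDARD_INFORMATION creation time is later than the containing folder's last-modified time (which normal in-place creation on NTFS does not produce, because adding an entry updates the directory's modified time) and children created before their own parent folder (typical of timestamp-preserving copies, archive extraction with timestamp restoration, or backup restores). The sample records are constructed; `collect_from_tree` is an assumed helper that builds the same records from a live tree with `os.stat`, which does not expose the MFT entry-modified time, so that field is left for an MFT parser to fill in.

```python
"""Flag parent/child NTFS timestamp orderings that ordinary in-place file
operations do not produce. Constructed example, not from the thread."""
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PurePosixPath
from typing import List, Optional, Tuple


@dataclass
class Entry:
    path: str                  # forward-slash path, e.g. "data/old/c.txt"
    created: datetime          # $SI creation time
    modified: datetime         # $SI last data-modification time
    entry_modified: Optional[datetime] = None  # $SI MFT-entry modified (needs an MFT parser)
    accessed: Optional[datetime] = None


def parent_of(path: str) -> str:
    """Parent path in the same forward-slash form; "" for a top-level entry."""
    p = PurePosixPath(path).parent
    return "" if str(p) == "." else str(p)


def find_ordering_anomalies(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for children whose timestamps are out of
    order relative to their parent directory.

    Rule 1: child created after the parent's last-modified time. Creating an
            entry in an NTFS directory updates that directory's modified time,
            so this ordering means something later set the directory's
            timestamps (timestamp-preserving copy, archive restore, ...).
    Rule 2: child created before the parent directory existed. Normal for
            copies that keep source timestamps, but it shows the tree was not
            built in place, which is exactly the question the thread raises.
    """
    by_path = {e.path: e for e in entries}
    findings: List[Tuple[str, str]] = []
    for e in entries:
        parent = by_path.get(parent_of(e.path))
        if parent is None:          # top-level entry or parent not collected
            continue
        if e.created > parent.modified:
            findings.append((e.path, "created after parent's last-modified"))
        if e.created < parent.created:
            findings.append((e.path, "created before parent directory"))
    return findings


def _stat_entry(full: str, rel: str) -> Entry:
    """Assumed helper: build an Entry from os.stat. Creation time comes from
    st_birthtime where the platform provides it, otherwise st_ctime, which on
    Windows is the creation time. Entry-modified is not available via stat."""
    st = os.stat(full)
    born = getattr(st, "st_birthtime", st.st_ctime)
    ts = lambda v: datetime.fromtimestamp(v, timezone.utc)
    return Entry(rel, ts(born), ts(st.st_mtime), None, ts(st.st_atime))


def collect_from_tree(root: str) -> List[Entry]:
    """Assumed helper: collect Entry records for a directory tree, keyed
    relative to the parent of `root` so the root folder itself is included."""
    root = os.path.abspath(root)
    base = os.path.dirname(root)
    out: List[Entry] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(full, base).replace(os.sep, "/")
            out.append(_stat_entry(full, rel))
    return out


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: a "head folder" plus children with several orderings.
SAMPLE = [
    Entry("data",           _t("2014-10-01T09:00"), _t("2014-10-01T11:00")),
    Entry("data/a.docx",    _t("2014-10-01T09:30"), _t("2014-10-01T09:45")),  # consistent
    Entry("data/b.xlsx",    _t("2014-11-15T14:00"), _t("2014-11-15T14:00")),  # post-dates parent
    Entry("data/old",       _t("2014-09-20T08:00"), _t("2014-09-20T08:10")),  # pre-dates parent
    Entry("data/old/c.txt", _t("2014-09-20T08:05"), _t("2014-09-20T08:05")),  # consistent with "old"
]

if __name__ == "__main__":
    for path, reason in find_ordering_anomalies(SAMPLE):
        print(f"{path}: {reason}")
```

Run it against a live mount with `find_ordering_anomalies(collect_from_tree(r"E:\data"))`; the findings only tell you which entries need an explanation, and, as the reply above says, which explanation applies depends on testing how each access path (SMB, rsync, archive tools, backup software) sets timestamps on the system being examined.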