
EnCase "Single Files" and file creation dates

(@pakrfan66)
Posts: 2
New Member
Topic starter
 

Hello,

I currently have a case that I am working on pertaining to images recovered from an external hard drive. Upon reading the forensic report, there is a section called "Archive File" and a list of "Single Files". There are 14 file names in this "Single File" directory and although the file names are different, the file creation date and timestamp are all the same. For example:

\Single Files\Deerhungimage1.jpg File created 08/25/2014 042525PM

Since all of these files have the same date and timestamp, I am assuming that these images were copied from one hard drive to the external hard drive? Or, is there an issue of possible contamination of evidence since the file creation date was after the suspect was in custody and evidence seized?

 
Posted : 29/08/2015 6:20 pm
pr3cur50r
(@pr3cur50r)
Posts: 28
Eminent Member
 

I'm sorry but could you provide more information?

1. Have you actually examined the device or are you just making assumptions based on a report you're reading?

2. Where did these images originate?

3. Are there any other versions of these images anywhere else, on a PC, another device?

4. The images could have all been extracted from a compound folder at the same time; the dates and times could have been produced by copying from another device, yes. Contamination? That's all down to the processes followed by the practitioners. Do you have reason to doubt this?

 
Posted : 30/08/2015 11:28 am
(@pakrfan66)
Posts: 2
New Member
Topic starter
 

I have not examined the devices yet. I am still waiting on a confirmation date to do so. Reports were provided and the majority of the image file creation dates were after the suspect was in custody and so that is why the date time stamp issue was raised. There are no other areas on the PCs that these images were found. It is possible that the images were extracted from Archive Folder (compound folder) and thus the date time stamps are the same. With that being said, how would we find the true file creation dates?

The reason why the possible contamination issue was raised is because there is some reason to believe the investigation process was botched. That is all I know at this point.

 
Posted : 30/08/2015 6:17 pm
pr3cur50r
(@pr3cur50r)
Posts: 28
Eminent Member
 

I think the report sounds a little vague in order to draw any meaningful answers. If your only evidential item is this external drive, then there's probably not much else you're going to glean from the dates and times on that device.

The first things I'd be looking at are:

1. Which Computer(s) was the drive connected to?

Identify this and focus on this system or systems.

2. Are the dates and times on these systems correct at the point of your examination, were they correct at the point of the previous examination and do you have someone speaking to this?

Check Forensic Report, all LE reports should have this included.

3. If they were extracted from a RAR file or suchlike, then there should be either original files or an existing trace on the computer used to compress the files.

Search the file names on the target systems, check registry, recycle bin, unallocated etc.

4. If it was botched, then good luck with finding any true created times and dates; the integrity of the data would have already been compromised and all you can speak to is that the data exists there on that drive and nothing else.

Look at all activity on your target systems on the date in which the images were created.

Unfortunately we are unable to rely on the date and time information on your external device as it stands. So further investigation is required to ascertain where these were produced. Another avenue is to look at potential archive artefacts/log files to see if there is any record within software of these file names.

Sorry if I've gone round in circles a bit but there really isn't much you can say about dates and times without further examination of an actual computer system. I hope this will have given some help as to when you actually do your examination.

 
Posted : 31/08/2015 3:50 am
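
An added example (not from either poster) of the effect discussed in this thread: files pulled out of an archive in one operation all receive the extraction time on disk, while the archive itself still holds each entry's own stored timestamp. It assumes Python's `zipfile` as a stand-in for the extraction tool and uses the extracted file's modified time as a portable stand-in for the creation time; the file names and dates are constructed.

```python
import io
import os
import tempfile
import zipfile
from datetime import datetime

# Constructed sample data: names and dates are invented for illustration.
SAMPLE = [
    ("image1.jpg", (2013, 11, 2, 9, 15, 30)),
    ("image2.jpg", (2014, 3, 17, 18, 40, 2)),
    ("image3.jpg", (2014, 6, 5, 7, 5, 44)),
]


def build_sample_archive():
    """Return the bytes of a ZIP whose entries carry distinct stored times."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, stamp in SAMPLE:
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), b"\xff\xd8\xff\xd9")
    return buf.getvalue()


def compare_timestamps(archive_bytes):
    """Extract the archive and pair each entry's stored time (from the ZIP
    directory) with the filesystem time of the extracted copy."""
    rows = []
    with tempfile.TemporaryDirectory() as out, \
            zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(out)  # zipfile does not restore the stored timestamps
        for info in zf.infolist():
            st = os.stat(os.path.join(out, info.filename))
            rows.append((info.filename,
                         datetime(*info.date_time),           # time kept in the archive
                         datetime.fromtimestamp(st.st_mtime)))  # time on disk
    return rows


def spread_seconds(times):
    """Seconds between the earliest and latest timestamp in a list."""
    return (max(times) - min(times)).total_seconds()


if __name__ == "__main__":
    rows = compare_timestamps(build_sample_archive())
    for name, stored, on_disk in rows:
        print(f"{name}  archive={stored}  extracted={on_disk:%Y-%m-%d %H:%M:%S}")
    print("archive spread (s):  ", spread_seconds([r[1] for r in rows]))
    print("extracted spread (s):", spread_seconds([r[2] for r in rows]))
```
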