File Time Stamp Change Detection

(@detom)

I am doing some forensic exercises and am uncertain about detecting timestamp tampering/forgery. The files were created on an SD card on a mobile device (BlackBerry OS 7), so I assume it's a FAT32 file system. Given that FAT32 has a timestamp resolution of 2 seconds (and 10 milliseconds for the created date), how would one go about determining if the timestamp has been modified?

My second question is that the SD card contents have been extracted via a cell phone data extraction tool (MOBILedit/XRY) through a logical extraction, then burnt to a CD and handed to me.

The created date on the file bears the timestamp that the CD was burnt on, BUT the millisecond part of the created date/time is .0000000, i.e. 11/21/2010 8:24:24 AM.0000000 (I'm viewing the file on a system with an NTFS filesystem).

My question is: shouldn't the millisecond value still be there to 2 decimal places instead of zeros?

Thanks in advance

 
Posted : 10/11/2015 5:53 pm
jaclaz (@jaclaz)

The files were created on an SD card on a mobile device (BlackBerry OS 7), so I assume it's a FAT32 file system.

Why should you "assume" that?

I mean, you either "verify" it or you "guess" it.

FAT32 is more likely, but - in theory - it could be FAT16:
http://support.blackberry.com/kb/articleDetail?ArticleNumber=000005461

My second question is that the SD card contents have been extracted via a cell phone data extraction tool (MOBILedit/XRY) through a logical extraction, then burnt to a CD and handed to me.

If an SD card is the source, what you should have is not a logical extraction, but rather a physical image of the SD card, or in any case an image of the original filesystem.

The created date on the file bears the timestamp that the CD was burnt on, BUT the millisecond part of the created date/time is .0000000, i.e. 11/21/2010 8:24:24 AM.0000000 (I'm viewing the file on a system with an NTFS filesystem).

My question is: shouldn't the millisecond value still be there to 2 decimal places instead of zeros?

I am not sure I get it.

The CD has its own filesystem (most probably - and now it's my turn to take a guess - CDFS, but it could well be UDF) which may (or may not) have a different timestamp precision, and JFYI:
http://www.forensicfocus.com/Forums/viewtopic/t=5788/
ISO9660/CDFS has seemingly 1/100 second resolution:
http://alumnus.caltech.edu/~pje/iso9660.html
but the actual precision might depend on the actual tool that created the CD or .iso (or its settings), usually files on CD have year/month/day/hour/minute/second/.000000+*** when viewed through WMI on Windows.

What connection has the fact that you are viewing the file on a system with NTFS filesystem?
Or did you copy the file from CD to the NTFS filesystem?

jaclaz

 
Posted : 10/11/2015 7:51 pm
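An added example, not from either poster, that makes the resolution point above concrete. It decodes the on-disk timestamp fields of FAT32 (2 s modified time, the 10 ms "tenth" byte that only the creation time carries, date-only access time), of ISO 9660 (the 7-byte directory-record date holds whole seconds; the hundredths live only in the 17-byte volume-descriptor dates) and of NTFS (100 ns FILETIME ticks), and it includes a check for whether a given value could have been produced by a FAT32 field at all, which is the kind of consistency test a tamper/provenance question like this one comes down to. The directory entry and dates are constructed sample bytes, not data from the actual card or CD.

```python
"""Decode on-disk timestamp fields from FAT32, ISO 9660 and NTFS, and check
whether a given timestamp is even representable at the source's resolution.
All sample bytes below are constructed for illustration."""
import struct
from datetime import datetime, time, timedelta, timezone

# --- FAT32: 16-bit date word, 16-bit time word, 8-bit "tenth" byte ---
def decode_fat_timestamp(date_word, time_word, tenth=0):
    """date: 7-bit years since 1980 / 4-bit month / 5-bit day
       time: 5-bit hour / 6-bit minute / 5-bit two-second count
       tenth: 0..199 in 10 ms units (present on the creation time only).
       FAT stores local time with no timezone, so the result is naive."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, sec2 = time_word >> 11, (time_word >> 5) & 0x3F, time_word & 0x1F
    base = datetime(year, month, day, hour, minute, 2 * sec2)
    return base + timedelta(milliseconds=10 * tenth)

def decode_fat_dir_entry(entry):
    """Pull the three timestamps out of a 32-byte short-name directory entry."""
    (name, attr, ntres, crt_tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = struct.unpack("<11sBBBHHHHHHHI", entry)
    return {
        "crtime": decode_fat_timestamp(crt_date, crt_time, crt_tenth),  # 10 ms granularity
        "atime": decode_fat_timestamp(acc_date, 0),                      # date only
        "mtime": decode_fat_timestamp(wrt_date, wrt_time),               # 2 s granularity
    }

def fat32_representable(dt, field):
    """True if a FAT32 field could have produced dt exactly. A value that fails
    this did not come off FAT32 as-is: it was converted by a tool, rewritten on
    another filesystem, or set by hand."""
    if field == "mtime":
        return dt.second % 2 == 0 and dt.microsecond == 0
    if field == "crtime":
        return dt.microsecond % 10_000 == 0
    if field == "atime":
        return dt.time() == time(0)
    raise ValueError(field)

# --- ISO 9660: two different date encodings with different precision ---
def decode_iso9660_dir_date(b):
    """7-byte directory-record date: whole seconds plus a signed 15-minute UTC offset."""
    y, mo, d, h, mi, s = b[:6]
    off = struct.unpack("b", b[6:7])[0]
    return datetime(1900 + y, mo, d, h, mi, s, tzinfo=timezone(timedelta(minutes=15 * off)))

def decode_iso9660_vd_date(b):
    """17-byte volume-descriptor date: ASCII YYYYMMDDHHMMSScc plus an offset byte.
    This is the only place ISO 9660 records hundredths of a second."""
    digits = b[:16].decode("ascii")
    off = struct.unpack("b", b[16:17])[0]
    y, mo, d, h, mi, s, cc = (int(digits[i:j]) for i, j in
                              ((0, 4), (4, 6), (6, 8), (8, 10), (10, 12), (12, 14), (14, 16)))
    return datetime(y, mo, d, h, mi, s, cc * 10_000, tzinfo=timezone(timedelta(minutes=15 * off)))

# --- NTFS: 64-bit count of 100 ns ticks since 1601-01-01 UTC ---
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def filetime_fraction(ft):
    """The seven sub-second digits Windows displays (e.g. '.0000000')."""
    return f"{ft % 10_000_000:07d}"

# Constructed sample entry: 2010-11-21 08:24:24 on all fields, tenth byte 0.
# 0x3D75 = (2010-1980)<<9 | 11<<5 | 21 ; 0x430C = 8<<11 | 24<<5 | 24//2
SAMPLE_ENTRY = struct.pack("<11sBBBHHHHHHHI", b"PHOTO   JPG", 0x20, 0, 0,
                           0x430C, 0x3D75, 0x3D75, 0, 0x430C, 0x3D75, 2, 4096)

if __name__ == "__main__":
    for field, value in decode_fat_dir_entry(SAMPLE_ENTRY).items():
        print(f"FAT32 {field}: {value}  representable={fat32_representable(value, field)}")
    print("ISO 9660 dir record :", decode_iso9660_dir_date(bytes([110, 11, 21, 8, 24, 24, 4])))
    print("ISO 9660 volume desc:", decode_iso9660_vd_date(b"2010112108242437" + bytes([0])))
    ft = datetime_to_filetime(datetime(2010, 11, 21, 8, 24, 24, tzinfo=timezone.utc))
    print("NTFS fraction after a whole-second copy:", filetime_fraction(ft))
```

The point for the thread: a file copied from a CD onto NTFS keeps the whole-second value the CD directory record held, so a FILETIME ending in .0000000 is exactly what a faithful copy looks like, not evidence of editing. Conversely, a timestamp claimed to originate on FAT32 whose modified time has an odd second, or whose created time is not a multiple of 10 ms, cannot be the original on-card value.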
(@detom)

Thank you so much for the reply. I was totally ignorant that CDs used a different file system.

Regarding the extraction - what I have is a .xry file which I was told was done via a logical extraction.

Thanks again.

 
Posted : 11/11/2015 9:13 pm