Windows Timestamps


Windows Timestamps

Post Posted: Fri Mar 07, 2014 11:11 pm

I have done some "Google" research and am still continuing to do "Google" research on understanding how timestamps work on the different Windows file systems. I figured I would make a post just to see if someone could point me in the right direction or has found documentation about this topic already.

What I'm trying to understand:

Depending on the action a user does to a file, what effects will it have on the MACB (Modify, Access, Created, and Born) timestamps? For example, a Word document:

*Creating a Word document by right-clicking, going to New, Microsoft Word Document vs. opening Microsoft Word and saving it.

*Copying or cutting a document within the same volume.

*Copying or cutting a document to a different volume.

*Renaming that document.

*Opening without changing anything within that document.

*Opening and changing something in that document.

*Deleting that document.

*etc.

Please correct me if I'm wrong, but the MACB timestamp behavior is going to depend on the file system, so FAT, exFAT, and NTFS are all going to record these actions differently? Also, would FAT12 vs FAT16 vs FAT32 have different MACB timestamp behaviors too, or do they all work the same?

I know I could just test them all, but I don't have the resources to do so. I also figured there are probably other factors that I haven't considered or don't even know about, so I'm hoping someone could point me in the right direction so I can further educate myself on this topic.

Any suggestions would be greatly appreciated.

Thank you,

Steve  

shakes
Newbie
 
 
  

Re: Windows Timestamps

Post Posted: Sat Mar 08, 2014 12:41 am

Did you read the book File System Forensic Analysis by Brian Carrier?
I think this book contains answers to your questions.
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 

Igor_Michailov
Senior Member
 
 
  

Re: Windows Timestamps

Post Posted: Sat Mar 08, 2014 2:05 am

File system forensics, as mentioned before. Also, look at some whitepapers by SANS.

But, I take issue with what you say: "I know I could just test them all but I don't have the resource to do so."

The hell you don't. You have a computer, yes? Do you have a thumbdrive? Format it as FAT. Do the various actions you are asking about, and see what happens.

The reason I take issue is that digital forensics is not a learning discipline. You can't just read a book and be a digital investigator. It is a research discipline. You can read every book and whitepaper published, and every exam, you are going to find something new. What do you do? You can't come running to the forensic community every time. Then what is the point of you? No, you have to research and test. YOU are the one that discovers new things. YOU are the one that expands our field of knowledge.

Think about it. Sure, you can just sit back, and let someone tell you the answer to these questions. But, what if you do the test, and what if you see something that no one has seen before? You are missing the chance to not only learn the most valuable skill in our field (research), but you could be robbing the digital forensics community from a potentially valuable new find. Sure, to you it might be something interesting, but down the road it could mean everything to a case.

Bottom line, if you can do the research and testing for yourself, do it.

Terry  

twjolson
Senior Member
 
 
  

Re: Windows Timestamps

Post Posted: Sat Mar 08, 2014 2:35 am

- shakes
I figured I would make a post just to see if someone could point me in the right direction or has found documentation about this topic already.


Carrier's book on File System Forensics, already mentioned, is required reading. You'll find much of what you ask about there. At the same time, it should not be read uncritically. Things have changed, and new things have been noted since the book was published (2005) -- unfortunately, not all of them have been investigated at a level that could be called satisfactory.

Depending on the action a user does to a file, what effects will it have on the MACB (Modify, Access, Created, and Born) timestamps. For example a word document,


In a perfect world, someone would, of course, have formulated how that question is best answered, created a test battery, performed the tests for all significant revisions of the relevant file systems, at all levels of usage, and published them.

This is, however, not a perfect world.

Some, perhaps many of the questions you ask have been answered in a paper by Chow et al.: The Rules of Time on NTFS File System, presented at SADFE 2007, 2nd Intl. Workshop on Systematic Approaches to Digital Forensic Engineering, 2007, and published in the proceedings from that workshop. You can find the paper online if you google for the title. (Other, related papers typically cite that paper, so you can usually find related stuff by checking citation indexes -- if you have access to them. Academic libraries almost always do, but public libraries may not have them.)

Please correct me if I'm wrong but the MACB timestamp behavior is going to depend on the File System so FAT, exFAT, and NTFS are all going to record these actions differently?


It is best to assume so. The 'file system', i.e. the software module that does all this time stamping on some particular operating system platform will normally be different for different file systems.

However, as time stamping can usually be done by normal system calls, other software modules may add timestamping behaviour on top of that of the basic file system. In Windows, for example, Windows Shell adds such modification. Windows Shell is behind much of the GUI experience of Windows.

Also would FAT12 vs FAT16 vs FAT32 have different MACB timestamp behaviors to or do they all work the same?


FATx is usually regarded as one file system with three different on-disk storage formats.

I know I could just test them all, but I don't have the resources to do so. I also figured there are probably other factors that I haven't considered or don't even know about, ...


Most forensic analysts don't have the time, or can't take the time, for such investigations. Time is money, and usually there's another job in the queue that gets precedence.

That's one reason why Carrier's book is so highly regarded.  

Last edited by athulin on Sat Mar 08, 2014 2:58 pm; edited 1 time in total

athulin
Senior Member
 
 
  

Re: Windows Timestamps

Post Posted: Sat Mar 08, 2014 5:37 am

Also, and NOT what you asked, since you made an example with a Word document, do check this:
www.forensicfocus.com/...c/t=10627/
particularly corey_h's "cheatsheets":
www.forensicfocus.com/...8/#6567238

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Windows Timestamps

Post Posted: Mon Mar 10, 2014 5:08 am

Testing is always the required element if the date and time stamp is important to an examination. This, however, is a great reference to keep available:

digital-forensics.sans...properties

Al  

alangille
Newbie
 
 
  

Re: Windows Timestamps

Post Posted: Mon Mar 10, 2014 9:07 am

- alangille
This, however, is a great reference to keep available: ...


That is one of those that I judge unsatisfactory.

1. What do the results apply to? All types of $MFT entries, or only some of them? Only files? Directories?

2. What exactly do the results refer to? Is a File Rename an invocation of the MoveFile() system call? Or of a command at a DOS or PowerShell prompt? Or one or more of the several ways that Windows GUI allows file names to be modified? And what does File Copy refer to -- the original object or the copy?

3. And how do I (or anyone else) repeat the tests to verify that the results are correct, or to extend them to other versions of Windows? For example, how was the test platform configured to ensure that only the tester's actions are reflected in the results? Or, how was the testing methodology devised to do the same? As well as remove any so-called 'personal equation' variations, i.e. reliance on how one person tends to perform a particular operation?

It might be used as a starting point (i.e. I can't criticize it as a blog entry) -- but it does not seem to be a place to stay (i.e., used as a reference it leaves much to wish for).

The Rules of Time on NTFS does at least try to address some of these questions.  

athulin
Senior Member
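Added example, written for this thread and not code from any poster or from Forensic Focus: a small Python test battery that performs the operations shakes lists and twjolson suggests trying on a throw-away file, recording which stat timestamps moved at each step, with the copy step run two ways because, as athulin notes above, "File Copy" is ambiguous. It assumes Python 3.8+ and writes to a temporary directory unless `root` points at the volume under test; `snapshot`, `changed` and `run_battery` are names chosen here, not from the thread.

```python
"""Timestamp test battery: run the file operations asked about in the thread
on a throw-away file and report which stat timestamps changed at each step."""
import shutil
import tempfile
import time
from pathlib import Path


def snapshot(path):
    """MACB-style view of one file: Modified, Accessed, Changed/Created, Born."""
    st = path.stat()
    # st_ctime is metadata-change time on POSIX but creation time on Windows;
    # st_birthtime exists on Windows/macOS/BSD but not in Linux os.stat (-> None).
    return {"M": st.st_mtime_ns, "A": st.st_atime_ns, "C": st.st_ctime_ns,
            "B": getattr(st, "st_birthtime_ns", getattr(st, "st_birthtime", None))}


def changed(before, after):
    return sorted(k for k in before if before[k] != after[k])


def run_battery(root=None, delay=0.1):
    """Return [(step, [timestamps that differ from the previous step]), ...].
    delay must exceed the file system's timestamp granularity: Linux inode times
    are coarse (1-10 ms); FAT stores write time at 2 s and access time as a date
    only, so use delay > 2 on a FAT volume."""
    tmp = None if root else tempfile.TemporaryDirectory()
    path = (Path(root) if root else Path(tmp.name)) / "doc.txt"
    path.write_text("v1")
    prev, results = snapshot(path), []

    def step(name, action):
        nonlocal path, prev
        time.sleep(delay)
        new = action(path)  # actions that create/rename return the Path to watch next
        path = new if isinstance(new, Path) else path
        cur = snapshot(path)
        results.append((name, changed(prev, cur)))
        prev = cur

    step("open without change", lambda p: p.read_text())  # A: mount-option dependent
    step("modify", lambda p: p.write_text("v2"))
    step("rename in same directory", lambda p: p.rename(p.with_name("renamed.txt")))
    # "copy" is ambiguous: a byte copy gets fresh times, copy2 carries M and A over
    step("copy (shutil.copyfile)", lambda p: Path(shutil.copyfile(p, p.with_name("c1.txt"))))
    step("copy (shutil.copy2)", lambda p: Path(shutil.copy2(p, p.with_name("c2.txt"))))
    if tmp:
        tmp.cleanup()
    return results
```

Cross-volume copy and deletion are not in the battery: point `root` at the FAT or NTFS volume under test for the former, and a deleted file has no stat record left to read for the latter.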
 
 