Shellbag analysis


EricZimmerman
Senior Member
 

Re: Shellbag analysis

Posted: Jan 16, 2013 22:52

True on last accessed, but I still get the other two, which can go a long way for the cases I do forensics for (CP cases primarily). I usually don't trust last accessed too much in general because so many things can affect it.

I think the easiest thing to do regarding the accuracy of the timestamps is to explain the differences up front during the course of direct testimony. Explaining the date-times with something like "this is accurate within 2 seconds due to the way this particular date-time is recorded by Windows" should, in my mind, satisfy things. That way the door is essentially shut for cross-examination. Then again, that explanation could be saved if it comes up in cross and would serve to possibly set the defense back a bit! =) Following up with a bit of background on when DOS was born vs. NTFS and how NTFS is a more robust file system, etc., would round out the commentary.

The necessity of the more accurate timestamps would also be impacted by the type of case as well. If I can show a file showed up within a 2-second window and was acted upon soon after that via LNK files, playlist history, etc., I don't see people getting hung up on the missing nanoseconds on either side of the transaction. Most people on a jury (or a lot of computer 'experts' as determined by the court) wouldn't have a clue what a 100ns resolution means anyway. =) Getting into a rather technical explanation like that may serve to confuse people vs. help clarify a timeline.
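The "accurate within 2 seconds" point above comes down to how the two timestamp formats are laid out. As an added illustration (not code from this thread, nor from any of the shellbag tools discussed in it), the script below decodes the FAT/DOS 16-bit date and time pair with its 2-second seconds field, shows the window such a value can represent, contrasts it with a 64-bit FILETIME at 100ns ticks, and parses the fixed header of a file entry shell item from a constructed byte string. The shell item header layout (size, class type, file size, DOS modification date/time, attributes, then the name) follows the libfwsi format documentation and is an assumption here; the sample item, file name and sizes are made up, and the DOS encoder simply truncates to even seconds for illustration rather than asserting any particular Windows API rounding rule.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100ns ticks since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_dos_datetime(dos_date: int, dos_time: int) -> datetime:
    """Decode a FAT/DOS date-time pair (two little-endian 16-bit fields).

    date: bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day
    time: bits 15-11 = hour, bits 10-5 = minute, bits 4-0 = seconds / 2
    The seconds field can only hold even values, hence the 2-second
    resolution. The value carries no time zone (it is whatever local
    time the writing system had), so a naive datetime is returned.
    """
    year = 1980 + (dos_date >> 9)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = dos_time >> 11
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def dos_window(dos_date: int, dos_time: int) -> tuple:
    """Half-open 2-second interval [start, start + 2s) the pair stands for."""
    start = decode_dos_datetime(dos_date, dos_time)
    return start, start + timedelta(seconds=2)


def encode_dos_datetime(dt: datetime) -> tuple:
    """Pack a datetime into DOS fields, truncating to even seconds.

    Truncation is an illustrative choice (assumption); the rounding rule
    of any specific Windows conversion routine is not asserted here.
    """
    dos_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    dos_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return dos_date, dos_time


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME (100ns ticks since 1601-01-01 UTC)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> tuple:
    """FILETIME -> (UTC datetime, leftover 100ns ticks).

    Python's datetime only stores microseconds, so the final 100ns digit
    is handed back separately instead of being silently dropped.
    """
    micros, ticks = divmod(ft, 10)
    return FILETIME_EPOCH + timedelta(microseconds=micros), ticks


def parse_file_entry_item(data: bytes) -> dict:
    """Parse the fixed header of a file entry shell item (class type 0x30-0x3F).

    Assumed layout (per libfwsi docs, not from the thread): size(2),
    class type(1), unknown(1), file size(4), DOS modification date(2),
    DOS modification time(2), attribute flags(2), then the primary name.
    """
    size, cls, _unknown, fsize, d, t, attrs = struct.unpack_from("<HBBIHHH", data, 0)
    if not 0x30 <= cls <= 0x3F:
        raise ValueError("not a file entry shell item")
    name = data[14:size].split(b"\x00", 1)[0].decode("ascii")
    return {
        "name": name,
        "file_size": fsize,
        "attributes": attrs,
        "modified": decode_dos_datetime(d, t),
        "modified_window": dos_window(d, t),
    }


# Constructed sample item: "file.jpg", 4096 bytes, modified 2013-01-16 22:52:30.
SAMPLE_DATE, SAMPLE_TIME = encode_dos_datetime(datetime(2013, 1, 16, 22, 52, 30))
_body = struct.pack("<HBBIHHH", 0, 0x32, 0, 4096, SAMPLE_DATE, SAMPLE_TIME, 0x20) + b"file.jpg\x00"
SAMPLE_ITEM = struct.pack("<H", len(_body)) + _body[2:]  # patch in the real size field

if __name__ == "__main__":
    item = parse_file_entry_item(SAMPLE_ITEM)
    print("shell item:", item)
    # A more precise NTFS-style time that lands inside the same DOS window.
    precise = datetime(2013, 1, 16, 22, 52, 31, 123456, tzinfo=timezone.utc)
    ft = datetime_to_filetime(precise) + 7  # add 7 extra 100ns ticks
    print("FILETIME", ft, "->", filetime_to_datetime(ft))
    print("same DOS fields as 22:52:30?",
          encode_dos_datetime(precise.replace(tzinfo=None)) == (SAMPLE_DATE, SAMPLE_TIME))
```

The last line of the demo is the point for testimony: any event between 22:52:30.0000000 and 22:52:31.9999999 local time produces the same DOS pair, so a shellbag modification time should be reported as a 2-second window, while the FILETIME round-trip keeps all seven sub-second digits.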
 
  

keydet89
Senior Member
 

Re: Shellbag analysis

Posted: Jan 16, 2013 23:27

- EricZimmerman
I usually don't trust last accessed too much in general because so many things can affect it.


The same is true for the last modification dates, with respect to what's displayed in the BagMRU artifacts.  
 
  

keydet89
Senior Member
 

Re: Shellbag analysis

Posted: Jan 16, 2013 23:56

Greg,

- gmkk
As per ShellBags detailed structure, you may want to have a look at the following sources:


Thanks for all of that information.

What's very interesting is that several of the tools that you mentioned are out of date: they were originally written, additional work in the area has been done and the information updated, but the tools have not been.

I'm beginning to understand that you, as well as others, are not interested so much in the time stamps from the shell items that comprise the BagMRU artifacts.  
 
