File creation date - Windows XP

(@chisco77)
Posts: 7
Active Member
Topic starter
 

Hi everybody,

I'm new at forensics. I made a dd image of a disk drive and opened it on my computer with Autopsy. I want to verify the creation date of some files. The issue is that it is not the date it was supposed to be. The question is: if I cut and paste a file in Windows XP, is the creation date of the file modified?

Thanks in advance.

 
Posted : 24/02/2013 10:28 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

The creation date is the date and time the file is created on the media - it is not related to the modified date

 
Posted : 24/02/2013 11:10 pm
(@chisco77)
Posts: 7
Active Member
Topic starter
 

Hi,

I know the creation date is the date the file "landed" on the device. The question is: if I move a file on Windows XP, is the creation date altered? And, most important, can I assume that if the modification date is before the creation date, the file was copied from another location and wasn't created in that filesystem?

 
Posted : 25/02/2013 12:25 am
(@mscotgrove)
Posts: 938
Prominent Member
 

The best answer to your question is to try it.

Working on tests and seeing the results will mean you will understand how dates get applied and used.

 
Posted : 25/02/2013 12:34 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

> The question is: if I cut and paste a file in Windows XP, is the creation date of the file modified?

Sometimes when people say cut and paste, they mean copy and paste. A copied file in Win XP will not bear the creation date of the original. An actual cut and paste is equivalent to Move, which does maintain the creation date. (Edit: even across volumes.)

If the modification date precedes the creation date, you can assume that something unusual happened, i.e., that the file was not created and updated in place. There could be several causes: perhaps the clock changed, perhaps it was copied from another location, etc.

Quite often, when a file is copied from external media, the source file system is FAT, which has distinctly different timestamp characteristics from NTFS. For example, if the modification time is truncated to an even number of seconds, that's an indication it may have been copied from a FAT device such as a flash drive.

 
Posted : 25/02/2013 2:07 am
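The two checks TuckerHST describes (modified time earlier than creation time, and a modified time with the 2-second granularity of FAT) as an added triage script, not code from the thread. It assumes a constructed CSV-style timeline export with `path,created,modified` columns and NTFS-style 7-digit fractional seconds; the sample rows are made up for the demonstration.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample timeline export (not real evidence). The .dwg row shows the
# situation from the thread: a modified time that precedes the creation time.
SAMPLE_TIMELINE = r"""path,created,modified
C:\Users\doc\report.dwg,2013-02-20T09:15:02.1234567,2012-11-03T14:22:10.0000000
C:\Users\doc\notes.txt,2013-02-21T10:00:00.5371234,2013-02-21T10:05:31.0912345
C:\Users\doc\photo.jpg,2013-02-22T08:30:00.0000000,2013-02-22T08:30:00.0000000
"""

class FileTimes(NamedTuple):
    path: str
    created: datetime   # file-system creation time (NTFS $STANDARD_INFORMATION)
    modified: datetime  # last content-modification time

def parse_ts(value: str) -> datetime:
    """Parse an ISO-style timestamp; NTFS exports carry 7 fractional digits, datetime keeps 6."""
    base, _, frac = value.partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")

def timestamp_indicators(ft: FileTimes) -> List[str]:
    """Return the indicators that apply to one file's timestamps (empty list = nothing unusual)."""
    flags = []
    # A file created and updated in place cannot be modified before it was created.
    # A copy (which keeps the source's modified time but receives a fresh creation
    # time on the destination) or a clock change are the usual explanations.
    if ft.modified < ft.created:
        flags.append("modified-before-created")
    # FAT stores the last-write time with 2-second resolution and no fractional part,
    # so an even second with a zero fraction is consistent with the file having been
    # copied from a FAT volume such as a flash drive. It is a hint, not proof.
    if ft.modified.second % 2 == 0 and ft.modified.microsecond == 0:
        flags.append("fat-like-modified-time")
    return flags

def analyze(timeline_csv: str) -> Dict[str, List[str]]:
    """Map each path in the export to its list of timestamp indicators."""
    result = {}
    for row in csv.DictReader(io.StringIO(timeline_csv)):
        ft = FileTimes(row["path"], parse_ts(row["created"]), parse_ts(row["modified"]))
        result[ft.path] = timestamp_indicators(ft)
    return result

if __name__ == "__main__":
    for path, flags in analyze(SAMPLE_TIMELINE).items():
        print(f"{path}: {', '.join(flags) or 'no indicators'}")
```

The flags only narrow the hypotheses; as the thread says, the actual history still has to be reconstructed from other artifacts.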
(@chisco77)
Posts: 7
Active Member
Topic starter
 

Tucker,

thanks for your answer. It confirms my suspicions. I tried and moved, copied, and cut & pasted a file in Windows, and the creation date wasn't changed. Something else happened to that file!

 
Posted : 25/02/2013 1:39 pm
(@chisco77)
Posts: 7
Active Member
Topic starter
 

Here again with file creation date. If I go to right-click > Properties, I see a different creation date in the General tab than in the Details tab. It is an AutoCAD file. Why are there two creation dates?

 
Posted : 25/02/2013 10:15 pm
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Once you start analyzing the MFT, you'll realize that file records contain a lot more dates than you first thought. However, I suspect what you're seeing is internal file metadata. I don't know about AutoCAD per se, but many files (e.g., MS Office) contain their own internal time stamps (e.g., creation, last printed) that are independent of the file system in which the files are stored. For a file that was created in place (as opposed to copied from another system), one would expect the timestamps to be almost identical, when corrected for time zone. However, if files are copied from an external source, the creation time may vary wildly, as the semantics of internal metadata are different from file system metadata.

 
Posted : 25/02/2013 10:37 pm
(@chisco77)
Posts: 7
Active Member
Topic starter
 

Tucker,

it seems that this is the case (internal file metadata). Is there a way to see the history of actions made to a file (if the file was moved, times and dates of openings, etc.)?

 
Posted : 26/02/2013 12:38 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Now you're getting into territory that requires real expertise and a thorough understanding of how Windows works and the artifacts it leaves behind in NTFS. Unfortunately, there's no simple journal that lists all that information. If this is critically important to your case, you'll have to piece together a narrative that fits the facts, and it's an iterative process.

Start with a hypothesis – what do you think might have happened to this file? Then examine artifacts that will either prove or disprove your hypothesis, refining your hypothesis depending on where the evidence leads you. You may end up examining USBSTOR keys, MRU lists, LNK shortcuts, restore points, and possibly even the MFT/$USNJrnl/$Logfile, which is a new research area but may allow you to deduce some history.

This is going to be complex stuff if you're new to forensics. Frankly, you may want to start by reading chapters 11-13 of Brian Carrier's book "File System Forensic Analysis."

Good luck.

 
Posted : 26/02/2013 1:13 am