
Downloaded File Date/Time Explained

troyschnack
(@troyschnack)
Posts: 13
Active Member
Topic starter
 

Here is some information that might help you to explain how things happened on a current or future case regarding file dates/times on downloaded files.

I've done a bunch of reading on this particular situation and found no documentation to explain it. Since I had to know, I did my own testing and found the answer.

Example

File1.mpg
Created 02/01/2017 09:00:00 PM
Modified 02/01/2017 10:11:22 PM
Accessed 02/01/2017 09:00:00 PM

Why is the created date/time (DT) the same as last accessed while the modified date/time is after both C and A?

Situation: OS is Windows 7, files were downloaded with P2P and then moved into the current folder.

Here's what happens. When downloading a file from a browser, torrent or P2P network, the created and last accessed DT is when the file download was initiated. The modified DT is when the download completed. Windows Vista and later do not update last accessed DT on NTFS file systems. Last accessed is only changed if the file is actually modified after download. (i.e. editing a Word document)

As a side note, do not use a P2P program's database of download date as when the file download was initiated. This is almost always the DT the download completed and will match the file's modified DT.

In this particular case, the files were downloaded from P2P. They were then moved to another folder on the same drive. Moving a file from one folder to another on the same drive does NOT change any of the file's dates/times. If the file had been copied, then the creation and last accessed would have been changed, keeping the original modified DT.

You can test this easily by downloading a file from the Internet. Check the dates on the file. Notice that the modified DT will be seconds or minutes after the creation date. Move the file to another folder on the same drive. All DT properties remain the same. The last accessed DT is also not changed by the file move.

 
Posted : 22/03/2017 11:03 pm
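The pattern described in the post above, as an added example that is not part of the original thread: a small Python triage helper that labels a file's created/modified/accessed times according to the behaviour the post reports. The label names, the 2-second tolerance and all sample records other than File1.mpg are assumptions made for illustration, and the labels are leads to check against a timeline, not conclusions.

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional, Tuple

class Stamps(NamedTuple):
    name: str
    created: datetime
    modified: datetime
    accessed: datetime

TOL = timedelta(seconds=2)  # assumed tolerance for treating two stamps as equal

def classify(s: Stamps, tol: timedelta = TOL) -> Tuple[str, Optional[timedelta]]:
    """Return (label, download_duration) for one file's C/M/A times."""
    if abs(s.created - s.accessed) > tol:
        # Post: last accessed changes only if the file was modified afterwards.
        return ("accessed-differs", None)
    if s.modified - s.created > tol:
        # Post: created/accessed = download start, modified = download end;
        # a move within the same drive leaves all three unchanged.
        return ("download-or-moved", s.modified - s.created)
    if s.created - s.modified > tol:
        # Post: a copy resets created/accessed and keeps the old modified.
        return ("copied", None)
    return ("indeterminate", None)

# Constructed sample records. File1.mpg uses the values from the post
# (month/day order assumed); the other three are invented for the example.
SAMPLES = [
    Stamps("File1.mpg", datetime(2017, 2, 1, 21, 0, 0),
           datetime(2017, 2, 1, 22, 11, 22), datetime(2017, 2, 1, 21, 0, 0)),
    Stamps("File1-copy.mpg", datetime(2017, 2, 3, 8, 0, 0),
           datetime(2017, 2, 1, 22, 11, 22), datetime(2017, 2, 3, 8, 0, 0)),
    Stamps("report.docx", datetime(2017, 2, 1, 21, 0, 0),
           datetime(2017, 2, 2, 9, 30, 0), datetime(2017, 2, 2, 9, 30, 0)),
    Stamps("tiny.txt", datetime(2017, 2, 1, 21, 0, 0),
           datetime(2017, 2, 1, 21, 0, 1), datetime(2017, 2, 1, 21, 0, 0)),
]

def report(samples):
    """Map each file name to its (label, duration) result."""
    return {s.name: classify(s) for s in samples}

if __name__ == "__main__":
    for name, (label, duration) in report(SAMPLES).items():
        print(f"{name:16} {label:18} {duration or ''}")
```
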
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Also, updates to last access are disabled by default on Windows 7 to increase performance; you have to enable them manually in the registry.

 
Posted : 23/03/2017 11:59 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This is pretty easy to verify independently, and "see", by creating a timeline.

An example of this, albeit using a different data source, can be seen here:
http://windowsir.blogspot.com/2017/03/incorporating-amcache-data-into.html

My recommendation is that if there's any question at all about a single artifact viewed in isolation, change how you're looking at it, and stop viewing it in isolation.

 
Posted : 23/03/2017 6:26 pm
Thomas
(@thomas)
Posts: 59
Trusted Member
 

As a nice addition to this post: http://computerforensics.parsonage.co.uk/downloads/themeaningoflife.pdf

A look at the practical value to forensic examinations of dates and times, and object identifiers in Windows shortcut files. A common request to an examiner might be “can you tell whether the suspect has viewed this file after it has been downloaded”; the aim of this paper is to answer that question and at the same time provide other related information that will be of practical value in computer examinations.

 
Posted : 24/03/2017 12:32 am