±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 36324
New Yesterday: 2 Visitors: 187

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Unmodified file with a close M timestamp after C timestamp

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Skywalker
Senior Member
 

Unmodified file with a close M timestamp after C timestamp

Post Posted: Sep 20, 19 11:39

Hello,

I have a PDF file in a HDD's forensic image. The file has not been modifed because I have checked its hash digest with the original and it matches, but its modification timestamp is very close and after its creation timestamp. It is supposed the file has been downloaded from the Internet, specifically from a GMail account. I know the PDF has not been modified because I have matched both hashes, I mean, I have accessed to the original file in the GMail account and checked its hash which matches with the downloaded file's hash in the HDD's forensic image.

Aditionally, the three MAC times are setted one day before the email was sent and it has been confirmed the file couldn't be getted by another way than this email.

For further information, the whole folder's files have very close M and C timestamps, but M ones are ALWAYS after C ones. I have read a paper called "The Rules of Time on NTFS File System" (it is available on the net), but I cannot find the answer. C and A are the same. So: M > C; C = A.

Any ideas of what is happening?

Thanks!!  
 
  

minime2k9
Senior Member
 

Re: Unmodified file with a close M timestamp after C timesta

Post Posted: Sep 20, 19 11:44

I think the answer may be in the question.
If you download a file from Gmail, the time should be when the file is initially created (depending on the browser it will have a different name until it is fully downloaded) and then the modified will be when it finishes downloading.  
 
  

Omnius
Member
 

Re: Unmodified file with a close M timestamp after C timesta

Post Posted: Sep 20, 19 12:36

- minime2k9
I think the answer may be in the question.
If you download a file from Gmail, the time should be when the file is initially created (depending on the browser it will have a different name until it is fully downloaded) and then the modified will be when it finishes downloading.


Concur. Standard for files downloaded from the internet.  
 
  

athulin
Senior Member
 

Re: Unmodified file with a close M timestamp after C timestamp

Post Posted: Sep 20, 19 15:58

- Skywalker
For further information, the whole folder's files have very close M and C timestamps, but M ones are ALWAYS after C ones. I have read a paper called "The Rules of Time on NTFS File System" (it is available on the net), but I cannot find the answer. C and A are the same. So: M > C; C = A.

Any ideas of what is happening?


If you don't see what your looking for, you're probably looking in the wrong place.

The most important information is of course just how much is the difference? On the order of fractions of a second? Or several minutes? Just what is 'very close'?

Rules of Time are fine, as far as it goes. But it is not relevant for files downloaded from Internet. (Read it again.) It's not a good idea to apply rules that work in one type of scenario for a completely different one. And by the way, the results of those tests were from Windows XP, so it's heavily outdated, as well. You should not be using that document for anything else than background information: 'In days of yore, when the world was young, and Windows shone brighter than today, these were the rules of the stamping of time and other noble and glorious deeds ...'

As GMail seems to be involved, you have to see if there is any way to download a file that produces the same results. That is, repeat the action, and see what happens. (Some care needs to be taken, if too much time has passed.) I presume you don't have a problem identifying the client that was used. (And yes, you very probably do have to do that.)

But I see no technical issue. M changes when a file is modified, althoug noone seem to have studied exactly what Windows file management operations actually change it and reported the results. So we're not too solid ground here. (I tried once, but got side-tracked once I got into the file encryption operations.) But we do know that a file in Windows includes ADS.

So, hypothetical scenario: The file is downloaded, so M and C are set. Then, the file is reopened, and that 'downloaded from remote ' ADS (Zone.Identifier) was added, which -- probably -- updates M. (I assume that that ADS is present. If it isn't ... wrong explanation, or it was removed manually)

minime2k9's scenario involving a change of names is also a possibility. There are more possibilities ... for example involving Windows Shell.

But these scenarios may be possible only for M-C that is very small. If the difference is more than a second or two, some other explanation is required. (Such as: some action may not finish until the user clicks an 'OK' button. If that happens to take a long time -- perhaps the user went for a cup of coffee -- it could explain larger differences.)

In any case, if you want to explain the oddity, you have to identify the client that was used, and then repeat the action you think took place, and see what happens.  
 
  

jaclaz
Senior Member
 

Re: Unmodified file with a close M timestamp after C timesta

Post Posted: Sep 20, 19 18:13

- minime2k9
I think the answer may be in the question.
If you download a file from Gmail, the time should be when the file is initially created (depending on the browser it will have a different name until it is fully downloaded) and then the modified will be when it finishes downloading.

So, given a sufficient number of (possibly largish) files downloaded around the same time one could even infer the speed of the connection while downloading which in the case of a laptop could even - in some cases - provide indirect evidence of the laptop location at the time (or of a non-location) even if conection data is lost. delted ot however not retrievable.

I mean, let's say that the laptop under examination is normally used at home, via a (crappy) 812.11b Wi-Fi connection that maxes out at - say - 6 Mbps:

www.lifewire.com/how-f...ork-816543

if the M and C times difference imply a much faster download time it would be reasonable to believe that a different (much faster) connection Wi-Fi or cable was used, so logically the laptop must have been somewhere else at the time.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 1 of 1