File Created When?
u2bigman
(@u2bigman)
Posts: 41
Eminent Member
Topic starter
 

Noob alert! Just getting into this field. If there is a FAQ to which I could be directed please advise.

Regarding what I call, Purity of Evidence, there is an issue I have never actually seen discussed. Hinted at often but never addressed head-on.

As I understand it forensics software makes heavy use of file attributes called timestamps. These show (presumably) when a file was placed on a harddrive and when it was accessed. But are these attributes not dependent on the system clock? And, are there any hacker-type programs to alter these attributes?

This issue seems huge to me. I need to be confident in my presentation to a future client, let alone a court. Can anyone say with total certainty that forensics software PROVES beyond a shadow of a doubt when a file was created and accessed?

Thanks for reading.

 
Posted : 01/08/2008 8:45 pm
(@jeffcaplan)
Posts: 97
Trusted Member
 

Forensic software proves beyond a shadow of a doubt that a file was created when the filesystem says it was created. Whether or not the file was actually created then is by no means definite.

As you stated in your post, changing the system clock or using tools to modify the timestamps associated with a file are two simple ways to alter the date/timestamps (DTS).

However, if you've verified the time set on the system clock of the machine you are investigating and found that to be consistent with real-world time (or at least indicated what the difference is), and there are no tools present on the machine which have the ability to modify the timestamps and there is no indication that the clock was changed on the machine (consistent timestamps are helpful), then you can be reasonably sure that the time indicated in the DTS for a given file or folder is accurate (but again, by no means definite).

Jeff

 
Posted : 01/08/2008 10:23 pm
u2bigman
(@u2bigman)
Posts: 41
Eminent Member
Topic starter
 

Thanks, Jeff.

But this timestamps thing seems to be the last six inches of a dragon's tail. Especially if the harddisk is a stand-alone model.

"Reasonably sure" gives me the creeps. It especially gives me the creeps when a client's money or my job is on the line. Let alone if lawyers have gotten involved.

I have been reading the resources on Guidance Software's site. Could be wrong but it seems like a lot of "pat ourselves on the back" feelgood blather. Unmentioned (or at least not mentioned prominently) are such items as diskwashers and timestompers.

It seems a smart adversary has a much better position than the digital forensics industry admits.

Hope I am wrong about this.

 
Posted : 01/08/2008 10:42 pm
(@paul206)
Posts: 70
Trusted Member
 

The answer to your question as I understand it is yes. The timestamp is directly related to the setting of the system clock and it is an old trick to change it. That is why one of the first steps of your evidence acquisition checklist should be to look at the system clock and check if it is the right time. If not the difference should be noted and it will impact the rest of your investigation. Your report will have to compensate accordingly and you can expect a challenge from the opposition so you better have everything documented fully. That does not mean you go to court and get slow roasted over hot coals! Reasonably sure is usually acceptable in a courtroom if you can explain why there is a minimum chance for error as in Jeff's post. Judges don't look for perfection or absolutes.

 
Posted : 15/01/2010 12:04 am
(@forensicakb)
Posts: 316
Reputable Member
 

I would never say that a file was created on a certain date or any of the values were correct. You can only say that based on what you say it appears that a file was whatever whatever……

Too many ways to change a file time or date and not enough people that know what installed software or remnants of those programs to know for sure. If anyone speaks that they are sure about a file time or date, then you go ahead and open up that door and show them how easy it is to manipulate. I had a fun time doing that for a Fed Judge and AUSA when the USA's expert was speaking in absolutes.

At one time I had a great RSR file of a lot of research on file time stamps, but as more and more programs came out, I had to give up on it as it could become a full time job.

 
Posted : 15/01/2010 4:52 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Regarding what I call, Purity of Evidence, there is an issue I have never actually seen discussed. Hinted at often but never addressed head-on.

Hang around…you'll see that this topic gets discussed quite often.

As I understand it forensics software makes heavy use of file attributes called timestamps.

This is incorrect. Forensic software (i.e., EnCase, ProDiscover, FTK) doesn't "make use of" file attributes…it provides a layer of abstraction, making them readable by people.

These show (presumably) when a file was placed on a harddrive and when it was accessed. But are these attributes not dependent on the system clock? And, are there any hacker-type programs to alter these attributes?

Yes, these attributes can be altered, and there are programs to do so. For example, Microsoft provides an open API for altering timestamps.

This issue seems huge to me. I need to be confident in my presentation to a future client, let alone a court. Can anyone say with total certainty that forensics software PROVES beyond a shadow of a doubt when a file was created and accessed?

Forensic software does not prove anything…it presents data to the analyst in a legible format. It is up to the analyst to gather data and provide findings based on that data. Proving something to the standard that you mention implies court proceedings…at that point, it's a battle between the prosecution and the defense.

Another misconception is that anything in digital forensics or related to computers is provable "beyond a shadow of a doubt". In 2003, in the UK, a defendant claimed that he was not responsible for the traffic that originated from his computer…he claimed that a virus had been at fault. No virus was found, yet he was acquitted. Where someone might tell me something, and tell the same thing to, say, my mother…my mother may believe them "beyond a shadow of a doubt", whereas I may have my doubts, based on my knowledge and experience. Kind of like when I watch CSI and they show an IP address with an octet above 255. 😉

I think that you're assuming that investigations hinge on timestamps. A case will not be made based on one timestamp alone…rather, an analyst should locate multiple facts to support a finding.

 
Posted : 15/01/2010 6:01 am
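The two practical points made above (Jeff: note the clock offset at acquisition and look for consistency between timestamps; keydet89: the OS itself exposes an API for rewriting timestamps) can both be shown in a few lines. The script below is an added example and is not code from any poster or from the forensic tools mentioned. It uses Python's `os.utime()`, which is the documented interface (`utimensat()` on POSIX, `SetFileTime()` on Windows) for setting access/modification times, to back-date a file it creates itself; the 2h13m clock skew, the planted 2015 timestamp and the 5-second tolerance are constructed values for the example, not measurements from a real case. The corroboration check relies on a POSIX detail: the caller can set atime and mtime, but the kernel sets ctime (inode change time) to the current time and offers no call to back-date it.

```python
"""Added example: filesystem timestamps are writable through the normal OS
API, and a recorded clock offset plus a second, independent timestamp help
you state what you can and cannot say about a file time."""
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed for this example: at acquisition, the suspect machine's clock
# was noted to run 2h13m behind the (assumed trusted) reference clock.
OBSERVED_SKEW = timedelta(hours=-2, minutes=-13)

# Constructed "innocent-looking" modification time an adversary might plant:
# 2015-01-01 00:00:00 UTC as a POSIX epoch value.
STOMPED_EPOCH = 1420070400.0

# Constructed tolerance between mtime and ctime before the pair is called
# "inconsistent" and worth a second look.
TOLERANCE_SECONDS = 5.0


def normalize(ts_system: datetime, skew: timedelta) -> datetime:
    """Map a timestamp read from the evidence to reference time.
    skew is (system clock - reference clock) as measured at acquisition,
    so reference = system - skew. The offset itself goes in the report."""
    return ts_system - skew


def timestomp(path: str, new_time: float) -> None:
    """Rewrite atime and mtime with nothing more than os.utime(); no
    special tooling is needed, only the documented interface."""
    os.utime(path, (new_time, new_time))


def inspect(path: str) -> dict:
    """Collect the three POSIX timestamps for a file."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def mtime_ctime_inconsistent(ts: dict, tolerance: float = TOLERANCE_SECONDS) -> bool:
    """Corroboration heuristic (POSIX only; on Windows st_ctime is creation
    time and this check does not apply). A freshly written file has
    mtime ~= ctime. If mtime sits well before ctime, the inode was changed
    (re-stamped, renamed, chmod'ed, copied...) after the content time it
    claims, so the mtime on its own is not a fact to stand on."""
    return (ts["ctime"] - ts["mtime"]) > tolerance


def demo() -> dict:
    """Create a file, stomp its mtime back to 2015, and report what survives,
    plus one evidence timestamp converted to reference time."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample content\n")
        os.close(fd)
        before = inspect(path)
        timestomp(path, STOMPED_EPOCH)
        after = inspect(path)
    finally:
        os.unlink(path)

    # A timestamp as read from the filesystem (system clock) and its meaning
    # once the noted skew is applied.
    system_ts = datetime(2010, 1, 15, 0, 4, tzinfo=timezone.utc)

    return {
        "flagged_before": mtime_ctime_inconsistent(before),
        "stomped_mtime": after["mtime"],
        "ctime_after": after["ctime"],
        "flagged_after": mtime_ctime_inconsistent(after),
        "reference_time": normalize(system_ts, OBSERVED_SKEW).isoformat(),
    }


if __name__ == "__main__":
    r = demo()
    print("mtime after stomp   :", datetime.fromtimestamp(r["stomped_mtime"], timezone.utc))
    print("ctime after stomp   :", datetime.fromtimestamp(r["ctime_after"], timezone.utc))
    print("inconsistent before :", r["flagged_before"])
    print("inconsistent after  :", r["flagged_after"])
    print("2010-01-15 00:04 on the box is", r["reference_time"], "in reference time")
```

The ctime check is a flag, not a finding: plenty of legitimate operations bump ctime without touching mtime, which is exactly the thread's point that one timestamp never carries a case and that every file time you cite needs corroborating facts and a documented clock offset.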
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

But this timestamps thing seems to be the last six inches of a dragon's tail. Especially if the harddisk is a stand-alone model.

It is. Therefore, you must consider the entire dragon…and where you found the dragon. And his friends.

"Reasonably sure" gives me the creeps. It especially gives me the creeps when a client's money or my job is on the line. Let alone if lawyers have gotten involved.

I'm not sure I follow why that would be the case…unless you're looking to hang an entire case on one timestamp. If that were the case, yeah, I'd have the creeps, too.

I have been reading the resources on Guidance Software's site. Could be wrong but it seems like a lot of "pat outselves on the back" feelgood blather. Unmentioned (or at least not mentioned prominently) are such items as diskwashers and timestompers.

These are considered all the time. Perhaps you're not looking in the right places…but you've raised the question here.

It seems a smart adversary has a much better position than the digital forensics industry admits.

I don't think that's the case at all. I do think that a "smart adversary" stands a much better chance against a large proportion of the digital forensics industry, but I also know that an inquisitive, skilled analyst who uses thorough processes and documents what she does will prove to be more than up to the task.

 
Posted : 15/01/2010 6:07 am