This not so much a question of can it done, but more the true ease and time allotted to alter data we are dealing with dated 3.5 inch floppy disks. is it possible to completely destroy to created on date for files especially dated jpeg and image files and have the data be consistent with the original meta data on the disk. I have limited access to the potential PC supposedly used so my question is is it reasonable to assume that every time a person viewed a floppy he would then go through the effort of masking the meta data, knowing that as soon as the data. and more importantly is there a method of extracting original data even thou the current data could possibly have been altered
I am aware of the old standby of altering the windows clock but doesn't that then cause inconsistencies in the file data and logs
any feedback is welcome, and if my thought process is inaccurate if i can be pointed in the correct direction
I take it you are dealing with a FAT formatted floppy?
It's relatively simple (assuming a suspect has the know-how) to open a disk in a hex editor and alter anything really.
You can change file dates and times simply by working out where that data is kept on the actual disk, navigating to that sector and over-writing the data with a new arbitrary (or specific) value.
All you really need in order to do this is a (good) knowledge of the file system in use, and some basic maths skills.
Hope this helps
Ben
A more automated means would be fairly simple, I think.
You could have a perl script that looks for time stamps with regular expressions and sanity checks and alters them.
is it possible to completely destroy to created on date for files especially dated jpeg and image files and have the data be consistent with the original meta data on the disk
Actually (as the previous posters have pointed out) quite easy. All you need is 1 level of knowledge above the forensic examiner who will be looking at the job. In the final analysis, data is just a bunch of 1's and 0's that can be changed at will.
If you do have the knowledge, automation is basic.
If you don't have the knowledge, hire someone who has, there are people who can do just about anything with bunches of 1's and 0's.
Paul
thanks for the input. for arguments a sake, lets say this involved jpeg data and we are using technology at least 7 years old
the ast way is of coure just changing the date on the pc, but how fast could you completely alter that data disk by disk, at leasrt5 5 disks if you were unaware of being caught
would the jpg data stay intact, and ultimately can the original data be uncoveded either by using windows logs or is this data lost forever
forensically speaking is this data lost and isthere no way to porove that this infois truthfully accurate
sorry for the typos, mobile phone
Comparison of internal and external metadata of a JPEG could yield some useful info.
Thank you greatly to all, it has been of great assistance in this issue