File creation date - Windows XP
I'm new at foresincs. I made a dd image of a disk drive and opened it in my computer with autopsy. I want to verify the creation date of some files. The issue is that it is not the same date that was supposed to be. The question is if I cut and paste a file in windows xp, is the creation data of the file modified?
Thanks in advance.
The creation date is the date and time the file is created on the media - it is not related to the modified date
I now creation date is the date the file "landed" on the device. The question is if I move a file on windows Xp, is the creation data altered? And, most important, can I assume that if modification date is before creation date, the file was copied from another location and wasn't created in that filesystem?
The best answer to your question is to try it.
Working on tests and seeing the results will mean you will understand how dates get applied and used.
The question is if I cut and paste a file in windows xp, is the creation data of the file modified?
Sometimes when people say cut and paste, they mean copy and paste. A copied file in Win XP will not bear the creation date of the original. An actual cut and paste is equivalent to Move, which does maintain the creation date. (Edit even across volumes.)
If the modification date precedes the creation date, you can assume that something unusual happened, i.e., that the file was not created and updated in place. There could be several causes perhaps the clock changed, perhaps it was copied from another location, etc.
Quite often, when a file is copied from external media, the source file system is FAT, which has distinctly different timestamp characteristics from NTFS. For example, if the modification time is truncated to an even number of seconds, that's an indication it may have been copied from a FAT device such as a flash drive.
thanks for your answer. It confirms muy suspects. I tried and move, copied, cut &pasted a file in windows and creation date wasn't changed. Something else happenned to that file!
Here again with file creation date. If I go to right button-properties I see a different creation date in the general tag than in the details tab. It is an Autocad file. Why are there two creation dates?
Once you start analyzing the MFT, you'll realize that file records contain a lot more dates than you first thought. However, I suspect what you're seeing is internal file metadata. I don't know about AutoCad per se, but many files (e.g., MS Office) contain their own internal time stamps (e.g., creation, last printed) that are independent of the file system in which the files are stored. For a file that was created in place (as opposed to copied from another system), one would expect the timestamps to be almost identical, when corrected for time zone. However, if files are copied from an external source, the creation time may vary wildly, as the semantics of internal metadata are different from file system metadata.
it seems that this is the case (internal file metadata). Is there a way to see the history of actions made to a file (if the file was moved, times and data of openings, etc)?
Now you're getting into territory that requires real expertise and a thorough understanding of how Windows works and the artifacts it leaves behind in NTFS. Unfortunately, there's no simple journal that lists all that information. If this is critically important to your case, you'll have to piece together a narrative that fits the facts, and it's an iterative process.
Start with a hypothesis – what do you think might have happened to this file? Then examine artifacts that will either prove or disprove your hypothesis, refining your hypothesis depending on where the evidence leads you. You may end up examining USBSTOR keys, MRU lists, LNK shortcuts, restore points, and possibly even the MFT/$USNJrnl/$Logfile, which is a new research area but may allow you to deduce some history.
This is going to be complex stuff if you're new to forensics. Frankly, you may want to start by reading chapters 11-13 of Brian Carrier's book "File System Forensic Analysis."
you are very kind. This is really fascinating. I'm new at foresncis, but I know I'm goint to learn a lot in this case. At this very moment, I'm creating a virtual machine of the raw image of the computer I'm investigating. I'll try some tools to examine the registry, hives and artifacts.
Thanks a lot for your help!
as far as i know in windows OSes, and on NTFS filesystems when you COPY a file, a new timestamp is defined for the creation date of the target file, while the last modified date is inherited by the source file.
So it's not uncommon on windows formatted hard drive (especially those used for storage purposes) to see file where the creation date is later then the last modify date.
from this you can also infer that the file you are analyzing is most likely a copy of a file which was existing elsewhere and which wasn't edited after the copy process
correct me if i'm wrong.
what you say seems to be the most likely scenario.