
Another date/time brain teaser

(@aidan_jewell)
Active Member
Joined: 18 years ago
Posts: 17
Topic starter  

Hello,

I've found some suspect images in a case where the Last Accessed dates and times are identical (and on the hour, ie 2200), however the File Creation dates and times are various times between 1 and 3 hours AFTER the Last Accessed date/time.

These images are all found within a deleted (and orphaned, but recovered) folder relating to Firefox cache.

I've tried replicating the issue in a VM, but haven't had any joy yet, so does anyone have any ideas what could cause the Accessed dates/times to be BEFORE the Creation dates/times?

Thank you for your time


   
Quote
kiashi
(@kiashi)
Trusted Member
Joined: 19 years ago
Posts: 99
 

Is this a FAT32 volume by any chance? If it is, then the Last Accessed time is not recorded and so is usually shown as 000000. If it is showing up as exactly 220000, this may be an indication that your timezone settings are out by 2 hours. Have you checked the timezone settings in the registry of the suspect drive?


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

To take Kiashi's comment a step further…

When you're talking about dates and times, it's paramount that for context, you also know what file system you're dealing with…

http://msdn.microsoft.com/en-us/library/ms724290%28VS.85%29.aspx
http://support.microsoft.com/?kbid=299648

Of course, there could be other issues…where did the images come from? Or, is this even a Windows system?


   
ReplyQuote
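The FAT32 behaviour kiashi and keydet89 describe can be checked against the raw directory entry rather than trusted to the tool's display. The following is an added example, not code from this thread or from any tool mentioned in it: it decodes the three timestamp fields of a 32-byte FAT short directory entry (creation date, time and 10 ms "tenths" byte; last-access date only; write date and time at 2-second resolution) and then applies an assumed timezone bias to show how a date-only access stamp lands on 22:00 of the previous day. The sample entry, the file name, and the +2 hour bias are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets inside a 32-byte FAT short directory entry (Microsoft FAT specification):
# 13 = DIR_CrtTimeTenth, 14 = DIR_CrtTime, 16 = DIR_CrtDate,
# 18 = DIR_LstAccDate (date only, no time field), 22 = DIR_WrtTime, 24 = DIR_WrtDate.
OFF_CRT_TENTH, OFF_CRT_TIME, OFF_ACC_DATE, OFF_WRT_TIME = 13, 14, 18, 22


def fat_date(raw: int):
    """Unpack a 16-bit FAT date: 7 bits year-since-1980, 4 bits month, 5 bits day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F


def fat_time(raw: int, tenths: int = 0):
    """Unpack a 16-bit FAT time (hours, minutes, seconds/2) plus the optional
    10 ms tenths byte (0..199) that only the creation stamp carries."""
    hour, minute = raw >> 11, (raw >> 5) & 0x3F
    second = (raw & 0x1F) * 2 + tenths // 100
    microsecond = (tenths % 100) * 10_000
    return hour, minute, second, microsecond


def decode_entry(entry: bytes) -> dict:
    """Return the three timestamps as naive datetimes in the writing system's local time."""
    if len(entry) != 32:
        raise ValueError("FAT short directory entry must be exactly 32 bytes")
    tenths = entry[OFF_CRT_TENTH]
    crt_time, crt_date, acc_date = struct.unpack_from("<HHH", entry, OFF_CRT_TIME)
    wrt_time, wrt_date = struct.unpack_from("<HH", entry, OFF_WRT_TIME)
    created = datetime(*fat_date(crt_date), *fat_time(crt_time, tenths))
    # Last access has no time field at all, so it always decodes to midnight.
    accessed = datetime(*fat_date(acc_date))
    modified = datetime(*fat_date(wrt_date), *fat_time(wrt_time))
    return {"created": created, "accessed": accessed, "modified": modified}


def to_utc(local_naive: datetime, bias_hours: int) -> datetime:
    """Interpret a raw FAT (local) timestamp under an assumed UTC offset and convert to UTC."""
    zone = timezone(timedelta(hours=bias_hours))
    return local_naive.replace(tzinfo=zone).astimezone(timezone.utc)


# --- constructed sample entry (hypothetical file, not from the case above) ---
def _enc_date(y, m, d):
    return ((y - 1980) << 9) | (m << 5) | d


def _enc_time(h, mi, s):
    return (h << 11) | (mi << 5) | (s // 2)


def build_sample_entry() -> bytes:
    """Fake 'IMAGE.JPG' created 2009-03-10 01:30:01.50 local, accessed the same day."""
    e = bytearray(32)
    e[0:11] = b"IMAGE   JPG"
    e[11] = 0x20  # ATTR_ARCHIVE
    e[OFF_CRT_TENTH] = 150  # 1.50 s beyond the 2-second field
    struct.pack_into("<HHH", e, OFF_CRT_TIME,
                     _enc_time(1, 30, 0), _enc_date(2009, 3, 10), _enc_date(2009, 3, 10))
    struct.pack_into("<HH", e, OFF_WRT_TIME, _enc_time(1, 30, 0), _enc_date(2009, 3, 10))
    return bytes(e)


if __name__ == "__main__":
    stamps = decode_entry(build_sample_entry())
    for name, value in stamps.items():
        print(f"{name:9s} raw local: {value}   as UTC with +2h bias: {to_utc(value, 2)}")
```

With the constructed entry the access stamp decodes to 2009-03-10 00:00:00 local and the creation stamp to 01:30:01.50 local, so the file already appears "accessed before created" in raw form; applying a +2 hour bias moves the pair to 22:00:00 and 23:30:01.50 the previous day, the same pattern of an on-the-hour access time with creation a little later. Comparing these raw values with what the forensic suite reports is the cross-check the later replies recommend.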
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

How was the deleted (and orphaned) folder recovered?

> Hello,
>
> I've found some suspect images in a case where the Last Accessed dates and times are identical (and on the hour, ie 2200), however the File Creation dates and times are various times between 1 and 3 hours AFTER the Last Accessed date/time.
>
> These images are all found within a deleted (and orphaned, but recovered) folder relating to Firefox cache.
>
> I've tried replicating the issue in a VM, but haven't had any joy yet, so does anyone have any ideas what could cause the Accessed dates/times to be BEFORE the Creation dates/times?
>
> Thank you for your time


   
ReplyQuote
(@aidan_jewell)
Active Member
Joined: 18 years ago
Posts: 17
Topic starter  

It is indeed Fat32, something I should have spotted earlier, thank you!

*goes off to take more Man Flu medicine*

Edit: The active time bias as reported in the registry is 0000 hrs from GMT (last shutdown in GMT too), and the system clock was 1 hour off at time of analysis (during BST), but that still leaves an hour offset unaccounted for, unless my flu-addled mind is missing something?

The folder was recovered using the Recover Folders tool in EnCase. The images and the folder containing the images fit the bill of deleted Firefox cache. The Firefox settings were set to delete history upon closing FF.


   
ReplyQuote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> Edit: The active time bias as reported in the registry is 0000 hrs from GMT (last shutdown in GMT too), and the system clock was 1 hour off at time of analysis (during BST), but that still leaves an hour offset unaccounted for, unless my flu-addled mind is missing something?

Since EnCase is involved, did you set the EnCase time bias on the volume manually, or did EnCase set it automatically when you ran the Case Processor? If it was set automatically, is it correct? I seem to remember some reports of some versions of EnCase not getting this right in all circumstances. (Or perhaps those were Vista cases … Vista does things a little differently, I believe.)

Manually double-checking one or two 'raw' timestamps against what EnCase reports is often a good idea. If nothing else, it's confirmation that EnCase hasn't lost touch with the ground.


   
ReplyQuote
Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

May not be relevant in your case but you can have accessed timestamps prior to creation timestamps if the files have been moved/copied to a new location since original creation. The creation timestamp would reflect the time they were created in the new location.

From what you have stated, the FAT issues already being discussed feel more likely.


   
ReplyQuote
(@sjablons)
New Member
Joined: 16 years ago
Posts: 2
 

Could it also be possible that the files were maliciously altered to show a different date/time? Command line programs like Timestomp could easily change the modified, accessed and/or created dates.


   
ReplyQuote
Share: