File and directory timestamps are one of the resources forensic analysts use for determining when something happened, or in what particular order a sequence of events took place. As these timestamps usually are stored in some internal format, additional software is needed to interpret them and translate them into a format an analyst can easily understand. If there are any errors in this step, the result will clearly be less reliable than expected.
My primary purpose this article is to present a simple design of test data suitable for determining if there are errors or problems in how a particular tool performs these operations. I will also some present some test results from applying the tests to different tools…
As I just answered a question about data set availability made in the News department, I should perhaps add it here too.
The NTFS image discussed in the article can be downloaded from CompForTest project on SourceForge. The source code (C) of the program that creates most of the image can be found there as well.