Can the date and time of a file recovered from a USB pen drive be authenticated?
I have come across a recent case wherein the evidence has been challenged.
As we all know, the system date and time can be altered; hence, how do we authenticate the date and time of the files dumped on a pen drive?
Example: I have created a file on a computer using MS Word, but before creating the document I have backdated the system time and date. Now I create a document and dump it on a USB pen drive. How will you authenticate such evidence? In other words, how do we authenticate such a file's integrity?
You're mixing your terminology.
You can "authenticate" the "evidence" in this case through thorough analysis of the system and of the thumb drive.
File integrity is a different question entirely…usually answered through chain of custody, hashes, etc.
Thanks for the quick response!
I need to find out the date on which it was originally created; I don't have any other device but the pen drive.
Good luck. Even the metadata within the file gets populated by the system clock…change that, and you change the values embedded in the file.
So are you trying to say there is no way out on this problem?
What Harlan says is that all the dates and times you're going to find have been set by a computer clock. On a full system, there are means to find evidence about time alteration but on a thumb drive, it's difficult to fight the defense "maybe the computer clock wasn't set properly" …
Yes, I did get your point; thanks for the clarification. Is there a way to find out which OS was used to create a document?
If you're referring to MS Word documents, yes. The DVD that comes with my book has a Perl script that will tell you, among other things, whether Windows or Mac was used to create or modify a Word document.
OK, now I am a little more curious to know what's the name of the book. How does it check it, any idea?
> …curious to know what's the name of the book
Windows Forensic Analysis
> how does it check it any idea?
Of course…I wrote the tool. It queries the binary contents of the file, and reads a specific setting at a specific offset.