Hi there,
I am hoping someone will be able to help me with this one. I recently provided a client with a list of the documents in the Recycle Bin (Windows XP), showing deleted time/date as well as last accessed times and dates.
One of the files shows
Created 04/05/09 0915
Last Written 04/05/09 0955
Last Accessed 04/06/09 0043
Modified 04/06/09 0047
Deleted 04/05/09 1034
I am confused as to why the file (nsf) has a deleted date one month prior to other dates (mainly last accessed) associated with it.
If anyone could help that would be great…
Thanks in advance
Hi
It could be the file have been restored and deleted again. Haven't tested it. Tampering with timestamps is also a posible explanation here. The systems clock can have been changed. You should ask Your client if he have chaged the system time.
chris check the internal metadata for this file, especially "Last Saved" date. Some program may touch files (eg. antiviruses) and confuse situation even more.
One of the files shows
Created 04/05/09 0915
Last Written 04/05/09 0955
Last Accessed 04/06/09 0043
Modified 04/06/09 0047Deleted 04/05/09 1034
What tool did you use for this? The thrashcan explorer or something else?
Did you crosscheck that date with the creation date of the corresponding Dxxx-file in the relevant \RECYCLER\S-1-5-1… directory and the INFO2 file? Are all timestamps consistent?
(Foundstone has a INFO2 parser utility called Rifiuti that can be handy for this. It shows UTC, though, so you have to account for time zone differences yourself.)
I am confused as to why the file (nsf) has a deleted date one month prior to other dates (mainly last accessed) associated with it.
Haven't seen this myself, as far as I remember. The standard possibility is, as always, that the local time had been reset when the deletion took place. If local clock was wrong, time stamp will also be wrong.
A not too improbable scenario is that the user opens the calendar tool, and goes back one month to check something, and then doesn't exits by Cancel. Later, the user discovers the error, and corrects the time without thinking more about it. (Windows won't correct the time automatically, though I think there will be a system log entry, when it discovers the problem. But there are other utilities that will, and that may be present on the cumpoter. It may be possible to find this type of change in log files, though.)
Another possibility is that the INFO2 file (if that is the source of the time stamp) has been modified in some way. In that case, the doublecheck I mentioned may show up inconsistencies.
Do virus checkers check the recycle bin? It might possibly explain this
Do virus checkers check the recycle bin? It might possibly explian this
I'd have hoped any self-respecting AV product would check the contents of the recycle bin!
Unless the subject is known to be an IT geek, it's unlikely that they would have fiddled with time stamps IMO. AV scans are the most likely culprits for the later time access dates; this would be supported if the other items in the Recycle Bin have the same/similar last access times that your file of interest does.
Probably not altogether helpful, but could the date not be in mm/dd/yy format, rather than dd/mm/yy? That would mean a discrepancy of a day, rather than a month.
Yes, it's still a discrepancy…