I'm working with an image I acquired from a local law firm.
The only problem I'm finding is there are about 19 image files that have create dates within the timeframe that's really needed for this case. HOWEVER, the create dates on these files just don't jive with the timeline of the rest of the system. As far as I can tell, this system was newly installed on 5/31/2006 and my files in question have create dates of 2002-2004, with current modified and accessed dates. All the other use on the system happens after the 2006 install.
This is an image of an NTFS system, and I know there are some quirks with how NTFS handles the create/modified date, but the quirks I found don't seem to explain this. I'm using FTK, and I can't find any references to these files (they weren't from browsing) and I can't determine how they got there.
This should help
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1856&highlight=create+move+cut
One of the most common reasons for that is due to moving files within folders and the original dates/times are retained.
http//
I have found the above paper useful.
From the posts that Jonathan linked to, I'd take a look at this MS KB article:
http//
I'd look for web activity or the attachment of removable storage devices, as well as look at the user's activity via the Registry around the time in question.
Appreciate the responses. I had found all the above links in reference to date/time on NTFS, just wanted to make sure my thinking was right.
My assumption was these files were moved from other media to the drive, but hadn't gone down that path yet.
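
The check discussed in this thread, as an added example that is not part of any poster's reply: list every file whose NTFS create time predates the 5/31/2006 install, and note whether its modified and accessed times fall after it. It assumes the timeline was exported in The Sleuth Kit body-file layout (the thread itself uses FTK), that times are UTC, and the sample rows are constructed.

```python
from datetime import datetime, timezone

# Install date taken from the original post; UTC is an assumption.
INSTALL = datetime(2006, 5, 31, tzinfo=timezone.utc)

# Constructed sample rows in body-file order:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|C:/Documents and Settings/user/My Documents/scan01.jpg|1201-128-3|r/rrwxrwxrwx|0|0|48211|1149897600|1149897600|1149897600|1047513600
0|C:/WINDOWS/system32/ntoskrnl.exe|310-128-3|r/rrwxrwxrwx|0|0|2180992|1149037200|1092096000|1149037200|1149037200
0|C:/Documents and Settings/user/My Documents/report.doc|1340-128-4|r/rrwxrwxrwx|0|0|90112|1149984000|1149984000|1149984000|1149897600
0|C:/Documents and Settings/user/My Documents/photo2.jpg|1202-128-3|r/rrwxrwxrwx|0|0|51877|1149897600|1149897600|1149897600|1092096000
"""

def parse_body(text):
    """Yield (name, atime, mtime, ctime, crtime) for each well-formed row."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or "|" not in line:
            continue
        _md5, rest = line.split("|", 1)
        # Split from the right so a '|' inside the file name cannot shift columns.
        fields = rest.rsplit("|", 9)
        if len(fields) != 10:
            continue
        try:
            atime, mtime, ctime, crtime = (int(x) for x in fields[6:10])
        except ValueError:
            continue  # skip rows with non-numeric timestamps
        yield fields[0], atime, mtime, ctime, crtime

def pre_install_files(text, install=INSTALL):
    """Return files created before the install, oldest create time first."""
    cutoff = int(install.timestamp())
    hits = []
    for name, atime, mtime, _ctime, crtime in parse_body(text):
        if 0 < crtime < cutoff:  # 0 means the create time was not recorded
            hits.append({
                "name": name,
                "created": datetime.fromtimestamp(crtime, tz=timezone.utc),
                # The pattern in the post: old create date, current M and A dates.
                "touched_after_install": mtime >= cutoff and atime >= cutoff,
            })
    return sorted(hits, key=lambda h: h["created"])

if __name__ == "__main__":
    for hit in pre_install_files(SAMPLE_BODY):
        print(hit["created"].date(), hit["touched_after_install"], hit["name"])
```

A system file whose modified time is older than the install but whose create time is not (the ntoskrnl.exe row) is left out, since only the create time is compared.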