Hi,
When you are looking at these three parameters for a file called abc.doc, for which FTK has reported the following times:
Created 12 Aug 2006 11:34:14
Modified 14 July 2006 09:05:45
Accessed 12 Aug 2006 12:05:34
Does this mean that the file was created on the 12th Aug at 11:34 or is this time something else? Am I right in assuming the file was last modified on the 14th July? Also if I was to examine the meta-data for the doc I find different times to the above. Which one is right?
Basically I'm looking to find out when the file was created because I think I understand the last two, what I can't get my head around is how the created time is AFTER the modified time.
Thanks for your help
zimbo
Zimbo
This post makes me wonder if you are having us on or you know nothing about Computer Forensics or how the basic Windows OS works. Presuming it is a Windows system:
The created time (by default) is the time the file was created on the computer in question.
The file was first created, somewhere else, on or before July 14th. The metadata may give more details.
Well I am a student trying to figure a problem out… I know it does seem to be a dumb question, so the bottom line, it seems, is the file was created on another system and then modified on the current system, right?
It would appear that the file, as previously mentioned, has been created at another location, either on the current drive or another drive. It has then been copied to where you have found it.
There are several scenarios that could have created the sequence, but one could be that it was created prior to 14/07/2006 in another location, finally saved and then copied to its current location on 12/08/2006. The file was then accessed and printed or maybe just opened, but not saved.
That is just an example for you
Zimbo,
The easiest way to look at it is this:
Created 12 Aug 2006 11:34:14 - this is when the file was created at that location. Here 'created' doesn't necessarily mean made.
Modified 14 July 2006 09:05:45 - this is when the file content was last changed and then saved.
Accessed 12 Aug 2006 12:05:34 - this was when the file was last touched in some way. Be careful because this could include an AV application checking the file and doesn't necessarily infer user interaction.
It looks like your file was modified somewhere and then created in the location you found it. This is because the modified date predates the created date.
Hope this helps.
Nashie
Cheers thanks!!
Zimbo,
First, there's no indication of which operating system or file system you're dealing with here…and as has been pointed out, that can be important.
Assuming that your .doc example is really a .doc file, then you may be dealing with Windows. Some references:
http//
http//
Remember, however, that with Vista, MS disabled updating last accessed times by default.
To get more information that may provide you with clues to answer the questions you have, you should check the MFT (assuming NTFS) as well as the .doc metadata.
HTH,
Take a look at the metadata from the .doc file. There should be some interesting data about creation, etc. Don't trust the timestamps too much.
Some definitions if you need them.
File Created
The time that that particular file was created at that location. Therefore, if a file was edited and changed on January 3rd, and then copied to a floppy diskette on January 15th, you would notice that the file (on the floppy) was created after it was last written or even accessed.
Last written
The last time the file was actually changed and then saved. This date and time will be updated even if the file is opened, viewed and saved as itself with the same filename and no changes being made to the actual file's data.
Last Accessed
The last time the file was viewed, but not changed. This will be affected by even viewing the file as a thumbnail within Windows Explorer. Some application programs change the date last accessed, and some do not.
Entry Modified (Only pertinent to NTFS and Linux file system)
It refers to the pointer for the file-entry and the information that that pointer contains, such as the size of the file. If you were to change the size of a file, from 8 sectors to 10 sectors for example, then this column would change.
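The reading of the three timestamps given in the replies above can be written down as a small triage check. This is an added example, not part of the original thread and not FTK functionality: the function names and result keys are hypothetical, and it assumes the Windows-style semantics described in the posts (Created is set when the file appears at a location, Modified travels with the content).

```python
from datetime import datetime

# Layouts seen for these values: short or long month name, time with or without colons.
FORMATS = ("%d %b %Y %H:%M:%S", "%d %B %Y %H:%M:%S",
           "%d %b %Y %H%M%S", "%d %B %Y %H%M%S")

def parse_stamp(text):
    """Parse one reported timestamp, trying each known layout in turn."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")

def parse_report(report):
    """Map 'Created <stamp>' style lines to {'created': datetime, ...}."""
    times = {}
    for line in report.strip().splitlines():
        label, _, stamp = line.strip().partition(" ")
        times[label.lower()] = parse_stamp(stamp)
    return times

def interpret(times):
    """Apply the thread's reading of Created/Modified/Accessed to one file."""
    created, modified, accessed = (times[k] for k in ("created", "modified", "accessed"))
    arrived_later = created > modified
    return {
        # Created after Modified: the content was last saved before this
        # entry existed, so the file was copied or moved to this location.
        "placed_here_after_last_save": arrived_later,
        # The content existed no later than the earlier of the two stamps.
        "content_existed_by": min(created, modified),
        # Gap between last save and arrival at this location (None if no gap).
        "gap_before_arrival": created - modified if arrived_later else None,
        # Touched after arrival; may be AV or a thumbnail view, not a user.
        "accessed_after_arrival": accessed > created,
    }

# Values reported by FTK for abc.doc in the original question.
ABC_DOC = """
Created 12 Aug 2006 11:34:14
Modified 14 July 2006 09:05:45
Accessed 12 Aug 2006 12:05:34
"""

if __name__ == "__main__":
    for key, value in interpret(parse_report(ABC_DOC)).items():
        print(f"{key}: {value}")
```

The result only bounds when the content existed; the document's internal metadata and, on NTFS, the MFT entry are still needed to narrow down the original creation time.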