…where I found a document or documents where the modified date was previous to created date.
Are you referring to this:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=449
If this is the research you're referring to, I'm wondering about the following statement:
…from this I was able to determine if you created a file on a system in a time zone later than the one modifying it you were able to obtain results where the modified date was earlier than the creation date.
That sounds definitive, whereas in the thread (above link…before sachin took the thread off topic… 😉 ) it seems to be a possibility. What I mean by that is that even though your testing was thorough for that instance, it's but one possibility.
Most importantly:
…and have got some answers to was how…
Would it be possible for you to share those answers with the forum?
Thanks,
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Harlan, the 'answers' I was referring to were the 'replies' seen above. As for the previous testing, yes, that is one possibility, one more than I had before. I did not say it was an end-all answer to the question, just one possibility. If you have some other possibilities, I am sure the group would benefit from hearing them.
Thanks
the 'answers' I was referring to were the 'replies' seen above
Sorry…from your post, that wasn't very clear. In other lists, I know that folks receive many answers offlist, so I thought that maybe that's what happened here.
… if you have some other possibilities…
Nice try. I'm researching this so that I can use it myself. I'll post what I find…I don't want to post "possibilities" - those seem to lead off-topic very quickly.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
While I appreciate Ashay's information, the more I think about it, the less I see it as definitive. It's clear that the base assumption of that methodology is putting trust in the validity of the mail server's system clock, and I see several issues with that.
I would agree with this statement if you are looking at only an MSN clock (or any one clock) as the means of validation. But, if you validate it against several clocks and are seeing the same result, I think you can safely conclude the results will give you the accuracy of the system clock.
Mail servers are a good way to go, but a lot of internet activity will give you a server clock time. Most forums will display a time on every page you visit, all forums will display a time for a post. Banking, online purchases, and a number of other pages will display a server time. Looking at these cached pages and the corresponding index.dat would give you an accurate measurement of the system time. Also pick web servers that you can validate in a live test. If you use an MSN email to try and retrieve system time, send an email through MSN and verify the time headers vs your system time vs real time and record the results to provide evidence to defend your final result.
Repeat this process for a minimum of five separate server times and verify each one and get the same result, and I think you (and a jury) can reasonably conclude that this is an accurate system time.
Jason.
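Jason's procedure above (pair each cached artefact with the server time it carries, compare that to the local time the suspect system recorded for the same event, and only draw a conclusion once several independent sources agree) is worked through below as an added example. It is not code from this thread or from anyone posting in it. It assumes the examiner has already extracted each server time stamp and the matching local visit or receipt time; every record in SAMPLES is constructed, and the source names (MSN, forum, bank) are labels only.

```python
"""Cross-check a suspect system's clock against several external server times,
as the posts above describe (an added example, not code from the thread).
Every record in SAMPLES is constructed for illustration."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from statistics import median

# Constructed evidence. "server" is the time stamp written by an external
# system (mail Received/Date header, HTTP Date header of a cached page, a
# forum's displayed post time); "local" is the time the suspect system
# recorded for the same event (for instance the index.dat visit time), in
# the system's local zone, whose UTC offset in hours is "local_tz".
SAMPLES = [
    {"source": "msn-received-header",    "server": "Mon, 12 Feb 2007 14:03:11 +0000",
     "local": "2007-02-12 08:58:41", "local_tz": -5},
    {"source": "cached-page-http-date",  "server": "Mon, 12 Feb 2007 14:20:45 GMT",
     "local": "2007-02-12 09:16:16", "local_tz": -5},
    {"source": "forum-a-post-time",      "server": "Tue, 13 Feb 2007 02:41:00 -0500",
     "local": "2007-02-13 02:36:31", "local_tz": -5},
    {"source": "bank-page-http-date",    "server": "Tue, 13 Feb 2007 16:05:09 GMT",
     "local": "2007-02-13 11:00:41", "local_tz": -5},
    {"source": "order-confirmation-date", "server": "Wed, 14 Feb 2007 19:30:02 +0100",
     "local": "2007-02-14 13:25:32", "local_tz": -5},
    # A forum whose displayed time was in a different zone than assumed: it
    # disagrees with the others by about an hour and must not be averaged in
    # silently; the examiner has to explain it or drop it.
    {"source": "forum-b-post-time",      "server": "Tue, 13 Feb 2007 21:10:00 +0000",
     "local": "2007-02-13 15:05:30", "local_tz": -5},
]


def parse_server_time(text):
    """Parse an RFC 2822 / HTTP-style date into a timezone-aware datetime."""
    dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:          # a "-0000" zone parses as naive: treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_local_time(text, tz_hours):
    """Attach the suspect system's own zone to a naive local time stamp."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=tz_hours)))


def clock_offsets(samples):
    """Return [(source, local minus server, in whole seconds)] per sample.

    A negative value means the suspect clock reads earlier than the server."""
    out = []
    for s in samples:
        delta = parse_local_time(s["local"], s["local_tz"]) - parse_server_time(s["server"])
        out.append((s["source"], int(delta.total_seconds())))
    return out


def estimate_skew(samples, min_sources=5, tolerance=120):
    """Estimate the suspect clock's error in seconds from many sources.

    Sources whose offset departs from the overall median by more than
    `tolerance` seconds are reported as outliers and excluded; the result is
    marked consistent only when at least `min_sources` independent sources
    agree, the bar the post above sets before drawing a conclusion."""
    offsets = clock_offsets(samples)
    if not offsets:
        return {"skew_seconds": None, "spread_seconds": None, "outliers": [],
                "agreeing_sources": 0, "consistent": False}
    centre = median([o for _, o in offsets])
    inliers = [(src, o) for src, o in offsets if abs(o - centre) <= tolerance]
    outliers = [src for src, o in offsets if abs(o - centre) > tolerance]
    values = [o for _, o in inliers]
    return {
        "skew_seconds": median(values) if values else None,
        "spread_seconds": (max(values) - min(values)) if values else None,
        "outliers": outliers,
        "agreeing_sources": len(inliers),
        "consistent": len(inliers) >= min_sources,
    }


if __name__ == "__main__":
    for src, off in clock_offsets(SAMPLES):
        print(f"{src:26s} local - server = {off:+6d} s")
    print(estimate_skew(SAMPLES))
```

The spread between agreeing sources is what network latency and page-generation delay contribute (a second or two, as the later reply in this thread notes), so a large spread or a flagged outlier points at a wrong assumption about a source's time zone or display settings rather than at the system clock itself.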
I fully agree with ccutpd. There are many places where external clock times can be directly correlated to those created by the local system, and over an extended period of time.
Many web servers creating dynamic web pages such as active server pages embed the created time into the page, which can then be compared to the time the page arrived. Normally only 2 seconds apart at most.