Hi, everyone!
I tried doing research on this topic, but I can't find anything useful. I'm working on a case right now where the Accessed and Modified dates don't make any sense.
As of 4PM on 2/12, we had possession of the laptop. It was imaged using DCFLDD and FastBloc, then I was given the image on an external hard-drive.
The weird thing is that when I look at the time-stamps of some case-critical files in FTK Imager, they say they were accessed and modified on 2/12 at 10:30 PM. This doesn't make any sense, because that would have been when the hard-drive imaging was either almost done or completely done, and the person who uses this laptop wouldn't have had access to do anything to it.
I know there is software out there that can change date and time-stamps, but it doesn't make sense to change the date to the future. If one of these was used, would there be evidence of that somewhere? HR very much wants to have a timeline of events.
Or could it be something weird with FTK Imager? I admit that I'm not terribly experienced with it yet, because we just started moving out of an all-EnCase environment.
I know that according to the Prefetch folder, CCleaner was used on the system. Could that have done it?
Any help would be greatly appreciated! -D
CCleaner does not alter file time stamps - you can download it and test it for yourself!
There are a ton of possible explanations. For a start, does the CMOS time setting or the operating system time-zone setting offer any clues? In fact, what operating system are you looking at? XP? What does the UserAssist entry for the Date & Time applet in the Control Panel say? Where was the laptop, and who was in possession of it, at 10:30 PM on the day in question? Do the acquisition MD5 hashes match? etc.
Have you checked your time zone settings to make sure they are accurate? Also, your analysis machine: is its time accurate? You can always check for times in the registry to see if anything was changed. How long after the subject had the machine did you make your image?
The weird thing is that when I look at the time-stamps of some case-critical files in FTK Imager, they say they were accessed and modified on 2/12 at 10:30 PM. This doesn't make any sense, because that would have been when the hard-drive imaging was either almost done or completely done, and the person who uses this laptop wouldn't have had access to do anything to it.
Well, I guess that would depend on the files themselves, as well as how the acquisition was performed. You mentioned dcfldd and a write blocker; I would assume then that the hard drive was removed from the system and acquired that way.
I'd suggest checking the timezone settings of the system, as well as of the forensic application that you're using. EnCase and ProDiscover can be set to display the timestamps based on the settings of the analysis system.
I know that according to the Prefetch folder, CCleaner was used on the system. Could that have done it?
That would depend: when was CCleaner last run? The .pf file will tell you that. You can also determine who ran it from the Registry.
Thanks a bunch, everyone who offered suggestions!
I got an idea from what you said and did a little digging to find that FTK Imager automatically displays everything in UTC - which actually makes the weird time-stamps around 2:30 PM, since we're PST.
I'm glad that it ended up being something simple. :-) I will, however, take note of all your suggestions as things that could be checked in later cases.
Again, thanks everyone!
Timezone is one of the very first things that needs to be addressed in every case.
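Added worked example, not from any poster in this thread: the raw on-disk NTFS timestamps (and the prefetch last-run time) are Windows FILETIME values stored in UTC, and a tool only applies a time zone when it renders them. The code below decodes FILETIME, renders the same value as a UTC view and as a Pacific view, and flags anything that postdates the moment the drive left the user's control, comparing in UTC so a UTC display value is never mistaken for a local one. The year (2009), the zone name America/Los_Angeles, and the sample entries are assumptions constructed for illustration; the thread gives only "2/12".

```python
"""Timestamp normalisation for a forensic timeline (added example).

Assumptions (not from the thread): case year 2009, examiner zone
America/Los_Angeles, and the SAMPLE_ENTRIES below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# NTFS stores every MFT timestamp in this form, in UTC; the time zone is
# applied only when a tool renders the value for display.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def filetime_to_utc(ticks: int) -> datetime:
    """Decode a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    if ticks < 0:
        raise ValueError("FILETIME must be non-negative")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def utc_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as FILETIME ticks."""
    if dt.tzinfo is None:
        raise ValueError("naive datetimes are ambiguous; supply tzinfo")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def filetime_from_bytes(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian FILETIME exactly as it sits on disk."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return filetime_to_utc(struct.unpack("<Q", raw)[0])


def render(ts_utc: datetime, tz_name: str) -> str:
    """Render a UTC timestamp the way a tool configured for tz_name would show it."""
    return ts_utc.astimezone(ZoneInfo(tz_name)).strftime("%Y-%m-%d %H:%M:%S %Z")


def misread_as_local(ts_utc: datetime, tz_name: str) -> datetime:
    """The mistake in the thread: take the UTC wall-clock digits as if they were local."""
    return ts_utc.replace(tzinfo=ZoneInfo(tz_name))


def after_acquisition(ts: datetime, acquired_local: datetime) -> bool:
    """True if a timestamp postdates the moment the drive left the user's control.

    Both sides are converted to UTC before comparison, so the check does not
    depend on which zone either value happened to be displayed in.
    """
    if ts.tzinfo is None or acquired_local.tzinfo is None:
        raise ValueError("compare aware datetimes only")
    return ts.astimezone(timezone.utc) > acquired_local.astimezone(timezone.utc)


def timeline(entries, acquired_local: datetime, tz_name: str):
    """Rows of (name, utc_view, local_view, postdates_custody) for (name, ticks) pairs."""
    rows = []
    for name, ticks in entries:
        ts = filetime_to_utc(ticks)
        rows.append((name, render(ts, "UTC"), render(ts, tz_name),
                     after_acquisition(ts, acquired_local)))
    return rows


# Constructed sample data (assumed year 2009). Custody began at 4 PM local.
EXAMINER_TZ = "America/Los_Angeles"
ACQUIRED = datetime(2009, 2, 12, 16, 0, tzinfo=ZoneInfo(EXAMINER_TZ))
SAMPLE_ENTRIES = [
    # Renders as 10:30 PM in a UTC view, 2:30 PM in the Pacific view: before custody.
    ("report.xls modified", utc_to_filetime(datetime(2009, 2, 12, 22, 30, tzinfo=timezone.utc))),
    # Constructed to land after custody, so the flag has something to catch.
    ("CCleaner .pf last run", utc_to_filetime(datetime(2009, 2, 13, 1, 5, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    for row in timeline(SAMPLE_ENTRIES, ACQUIRED, EXAMINER_TZ):
        print(*row, sep=" | ")
```

The first sample row is the thread's case: the same tick value reads "22:30 UTC" in FTK Imager's UTC view and "14:30 PST" in a Pacific view, and only the misread (treating the UTC digits as local time) makes it appear to postdate acquisition. Feeding `misread_as_local` into `after_acquisition` reproduces the false alarm; the correct UTC-to-UTC comparison does not.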