Evidenciary Value of MAC Times Alone

12 Posts
7 Users
0 Likes
492 Views
(@ac_forensics)
Posts: 44
Eminent Member
Topic starter
 

I'm concerned in a case I'm working because the client (an attorney) wishes to rest part of the case on the MAC times of a set of specific files. We all know that these can easily be modified. I'm comfortable using MAC time as a component of an investigation (e.g. when used to correlate with other data such as event log entries, etc.), but I wonder about the value of MAC times as the sole piece of evidence. I'm going to inform the client of this weakness, but I'm not sure what else I can do. I was thinking of looking at the MAC times of the apps associated with the files of interest, but they are common apps (MS-Office) and the computer had been used on a daily basis for some time.

Anyone had a case like this? Any tips?

Thanks ahead.

A

 
Posted : 15/08/2006 7:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

All you can do is inform them…beyond that, it's out of your hands. Educate your client, but ultimately what they do is up to them.

 
Posted : 15/08/2006 8:48 pm
(@ac_forensics)
Posts: 44
Eminent Member
Topic starter
 

Yeah. That's basically what I'm doing. Unfortunately, I'll be the sucker on the stand that has to answer "yes" when the opposing side asks "Is it possible to modify these access times?" (

 
Posted : 15/08/2006 9:56 pm
(@armresl)
Posts: 1011
Noble Member
 

How many other times have you testified?

Has your client prepared you for certain lines of questioning?

I wouldn't go into court thinking "I'll be the sucker"…..

Times on a ton of things can be changed and on the flip side, your client would/will ask the same questions of the other side and should get the exact same response. If there is a different response given you can clarify your point on redirect.

 
Posted : 15/08/2006 11:29 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

There are a lot of things that you can do to strengthen your case.

Was the OS set to synchronise with a time server? Are there event logs showing a sync before and after the relevant MAC times? What about confirming the accuracy of the system clock using the Hotmail embedded "ct" times?

Do the MAC times correlate with the internal metadata for any MS Office type documents?

Are there any entries in the Outlook journal that can be used to confirm when a file may have been opened? Ditto any entries in Internet history.

What about LNK files? Do they show different MAC dates than are currently on the files?

You may not be able to show that the mac dates on the files have not been tampered with, but you may be able to paint a very strong picture to show that they have always been as they are now.

 
Posted : 16/08/2006 12:00 am
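One of the checks suggested above, correlating the filesystem MAC times with the document's own internal created/last-saved stamps, worked through as an added example. This is not code from the original thread or from any poster. It reads the docProps/core.xml of an Office Open XML package (the thread's 2006-era binary .doc files keep the same stamps in OLE property streams instead, which needs a different parser but the same comparison); the core.xml text, the filesystem timestamps and the two-minute tolerance are all constructed for the example.

```python
"""Added example: corroborate filesystem MAC times against the internal
metadata of an Office document. Everything here is constructed: the
core.xml text, the filesystem timestamps and the tolerance."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml inside a .docx/.xlsx/.pptx container.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml, as it would be read out of the document's zip container.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>constructed author</dc:creator>
  <dcterms:created xsi:type="dcterms:W3CDTF">2006-08-10T14:02:11Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2006-08-14T09:31:40Z</dcterms:modified>
</cp:coreProperties>"""


def utc(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_core_xml(xml_text):
    """Return (created, modified) from the document's own metadata; None if a field is absent."""
    root = ET.fromstring(xml_text)

    def field(tag):
        el = root.find(tag, NS)
        return utc(el.text) if el is not None and el.text else None

    return field("dcterms:created"), field("dcterms:modified")


def corroborate(fs, doc, tolerance=timedelta(minutes=2)):
    """Compare filesystem times (dict: created/modified/accessed) with document metadata.

    Returns a list of findings; an empty list means the two sources agree.
    These are heuristics for the examiner to explain, not proof of tampering."""
    findings = []
    doc_created, doc_modified = doc
    if fs["modified"] < fs["created"]:
        # Common after a copy: the copy gets a fresh creation time but keeps the
        # source's last-write time, so creation time is not the authoring time.
        findings.append("filesystem modified precedes filesystem created")
    if doc_created and doc_modified and doc_modified < doc_created:
        findings.append("document last-saved precedes document created")
    if doc_modified is not None:
        delta = abs(fs["modified"] - doc_modified)
        if delta > tolerance:
            # The application writes its last-saved stamp and then closes the
            # file, so the two normally agree to within seconds.
            findings.append(f"filesystem modified and document last-saved differ by {delta}")
    return findings


# Constructed filesystem timestamps for two scenarios.
FS_CONSISTENT = {"created": utc("2006-08-10T14:02:12Z"),
                 "modified": utc("2006-08-14T09:31:41Z"),
                 "accessed": utc("2006-08-15T08:00:00Z")}
FS_SUSPECT = {"created": utc("2006-08-21T10:00:00Z"),
              "modified": utc("2006-08-20T18:00:00Z"),
              "accessed": utc("2006-08-21T10:00:00Z")}

if __name__ == "__main__":
    doc = parse_core_xml(CORE_XML)
    for name, fs in (("consistent", FS_CONSISTENT), ("suspect", FS_SUSPECT)):
        print(name, corroborate(fs, doc) or "no findings")
```

The point of the second scenario is that each finding has a benign explanation on its own (a copied file, a file edited by something other than the authoring application), so what matters in a report is whether the independent sources agree, and where they do not, whether the disagreement has an explanation the examiner can state.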
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

AC,

Interesting…you never said that you'd be the "sucker on the stand". I'd refuse, if I were you…you're basically telling us that with what the attorney wants to go on, the case is set up for failure.

Recommend strongly against the course of action, and if he/she pursues it…I wouldn't set myself up to be eaten alive.

H

 
Posted : 16/08/2006 12:39 am
(@gmarshall139)
Posts: 378
Reputable Member
 

Times can be vital in a number of circumstances. You'll never say with absolute certainty that they are accurate. All the attorneys I've explained this to have understood it. What I do is establish their validity to the greatest degree possible.

Paul's suggestions are great, the hotmail "ct=" times are the best I'm aware of, because it can be argued that they are accurate and that most people don't even know they exist. Weather radar images from the internet cache are also good. They have the time right on the image (most are updated every 3-6 hours), and while it won't be down to the second, it's within a few hours. I have also been told that ebay pages have embedded time stamps, though I've never researched it.

What is necessary is to tie the facts or events established by the analysis to known facts/occurrences independent of the computer.

 
Posted : 16/08/2006 7:34 am
(@gmarshall139)
Posts: 378
Reputable Member
 

You also mentioned that the files in question are Office files, so the MAC times are not the only thing you have. You have metadata which will include dates/times (created, last saved, last printed) that can be used to further establish the accuracy of the MAC times.

Sure, those could be tampered with as well, but you are building the case one block at a time. How the "possible" compares with the "likely" will differ in every case, and the judge or jury will determine this for themselves.

 
Posted : 16/08/2006 7:47 am
(@ac_forensics)
Posts: 44
Eminent Member
Topic starter
 

Great ideas! I was also thinking that MS Word docs create temp files (beginning with a ~) when docs are opened. I'm going to try to find those also.

Thanks for the suggestions!

A

 
Posted : 17/08/2006 5:19 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
 

One of the tests I usually do in these cases is to check the access time of the file timedate.cpl, since when you manually change the date in your Windows system that file shows the change.
When modifying Office files, MSGR3ES.dll and MSO3082.acl can also show incongruities in their MAC times.
If it was the BIOS that was "touched" for a date modification, then the evt files should show "jumps" backward and forward in time.

You'll never be able to say the MACs weren't modified, but the more evidence you find to prove no manual modification of times/dates was done, the better.

By the way gmarshall139… what does this "hotmail ct times" method consist of? I'd never heard about it and it sounds interesting.

 
Posted : 26/09/2006 4:50 pm
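The "jumps backward and forward in time" check from the post above, written out as an added example (not code from the thread or any poster). It walks event records in record-number order, which the logging service assigns sequentially and which therefore does not depend on the clock, and reports every place the timestamp runs backward or leaps forward by more than a threshold; it then pairs each backward jump with the next forward one to bracket the records written while the clock was set back. The records, their messages and the 12-hour forward threshold are constructed; a forward gap can also simply be a machine that was switched off, so that kind of finding is a prompt to check, not a conclusion.

```python
"""Added example: find clock jumps in an event log by walking records in
record-number order. All records below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed event records: (record_number, timestamp, message).
RECORDS = [
    (1001, datetime(2006, 8, 14, 9, 0, 0), "service started"),
    (1002, datetime(2006, 8, 14, 9, 5, 0), "user logon"),
    (1003, datetime(2006, 8, 11, 16, 20, 0), "user logon"),       # clock set back
    (1004, datetime(2006, 8, 11, 16, 25, 0), "document printed"),
    (1005, datetime(2006, 8, 14, 9, 12, 0), "time synchronized"), # clock put right
    (1006, datetime(2006, 8, 14, 9, 20, 0), "user logoff"),
]


def find_time_jumps(records, max_forward=timedelta(hours=12)):
    """Return the jumps found between consecutive records, each as a dict with the
    record where the new time first appears, the record just before it, the kind
    ('backward' or 'forward') and the size of the jump.

    A backward jump can only come from the clock being set back (by hand, by a
    BIOS change, or by a large sync correction); a forward jump over max_forward
    is reported because it is often the clock being put right again."""
    jumps = []
    ordered = sorted(records, key=lambda r: r[0])
    for (prev_no, prev_ts, _), (no, ts, _) in zip(ordered, ordered[1:]):
        delta = ts - prev_ts
        if delta < timedelta(0):
            jumps.append({"record": no, "after_record": prev_no,
                          "kind": "backward", "delta": -delta})
        elif delta > max_forward:
            jumps.append({"record": no, "after_record": prev_no,
                          "kind": "forward", "delta": delta})
    return jumps


def backdated_stretches(records, jumps):
    """Pair each backward jump with the next forward jump and return the
    (first_record, last_record) ranges written while the clock was set back.
    A backward jump with no later forward jump runs to the last record."""
    last_record = max(r[0] for r in records)
    stretches = []
    start = None
    for j in sorted(jumps, key=lambda j: j["record"]):
        if j["kind"] == "backward" and start is None:
            start = j["record"]
        elif j["kind"] == "forward" and start is not None:
            stretches.append((start, j["after_record"]))
            start = None
    if start is not None:
        stretches.append((start, last_record))
    return stretches


if __name__ == "__main__":
    found = find_time_jumps(RECORDS)
    for j in found:
        print(f"record {j['record']}: {j['kind']} jump of {j['delta']} "
              f"(after record {j['after_record']})")
    print("records written under a set-back clock:", backdated_stretches(RECORDS, found))
```

If the MAC times the case rests on fall inside one of the reported stretches, they were written while the system clock did not agree with real time, whatever the reason; if no such stretch exists in the logs covering the relevant period, that is one more independent brick for the picture Paul describes.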