File created date issue

Greetings,

If you have access to the computer that was used to create the documents, there will be artifacts indicating that the clock was changed.

If you have access to the file system, you could run Mark Menz's MFT Ripper and check the suspect file's inode against other files that were created around the same time. The inodes are allocated sequentially, so if you sort the files by creation date they should also line up by inode value. If they don't, it is a strong indication that the system's time was modified.

(Someone please check me on the above. I cannot find the paper or blog post describing this and am working from memory.)

-David

The search indexing system for Office docs has a log file. I can't remember off the top of my head where it's located, but if you find non-sequential dates in the fast find indexer log file, that can indicate changing of the system date to falsify metadata.

Kovar, the record numbers are created sequentially.

You're explanation is good, I'd like to expand slightly though.

If you delete a file (entry 1000) and it's entry is reused by a new file dated last year, the inconsistency in the sequence of creation dates will be obvious. The record number will still be 1000 though and will not have incremented as it is using entry 1000 of the MFT.

If you were to create a new file and it takes a new slot in the MFT (say entry 9999) and it's created date is some time last year, again, the inconsistency will be obvious.

You will never know for sure whether the user has put the clock back. He does not have to do it to change the dates, just a small software can change dates as you wish.

So, even if you guarantee that he has not played with the computer clock, there is still the possibility that he may have changed it anyways.