Hello,
Is there a way to verify whether a file was modified after its initial creation, provided the checksum or hash sum of the original file is not available?
Suppose we know only the creation time; is it possible to check the integrity of the file content by cross-checking the file creation time?
To the best of my knowledge, a user with sufficient privileges can change the file creation time. In such situations, is there a way to verify whether the creation time of the file was manually modified?
Thanks & Regards,
Vishnu
You could try comparing the date/times in the MFT record, specifically in the Standard Information Attribute against the File Name attribute for a discrepancy. This is a possible indicator of timestomping.
Analysis of related link files can be useful too. Check here
Paul
Timestomping, in and of itself, does not apply directly to the integrity of file contents. However, someone can modify the content of a file, and then change the last modification time of the file through open APIs. I would second Patrick's approach regarding MFT attributes, keeping in mind that by default, some versions of Windows do not update file last access times.
Link files are a good way to look for indicators, and the Registry can also hold a wealth of information. For example, consider the Trojan Defense…I have used information in the Registry to show that the user profile was used to open/access/view the files in question. While perhaps not 100% definitive with respect to your question, you may find some very strong indicators.
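As an added example (not code from any poster in this thread) of the $STANDARD_INFORMATION versus $FILE_NAME comparison suggested above, and of why a modification time rewritten through the open file-time APIs can still leave a trace: both NTFS attributes begin with the same four little-endian FILETIME values, so once a forensic tool has handed you the two resident attribute bodies, the comparison is a few lines. The sample records below are constructed for the demonstration; the MFT extraction step itself is assumed to be done by another tool.

```python
"""Compare NTFS $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps
and report discrepancies that are common indicators of timestomping.
Added example with constructed sample records; not from the original thread."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime.
    Integer division keeps large values exact; the 100 ns remainder is dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 * 10**6 + delta.seconds * 10**6 + delta.microseconds) * 10


def parse_timestamps(attr_body: bytes) -> dict:
    """Both the $SI (type 0x10) and $FN (type 0x30) resident bodies start with
    four FILETIMEs in the order: created, modified, MFT modified, accessed."""
    values = struct.unpack_from("<4Q", attr_body, 0)
    return dict(zip(FIELDS, map(filetime_to_datetime, values)))


def timestomp_indicators(si: dict, fn: dict) -> list:
    """Return a list of human-readable discrepancies between $SI and $FN times.
    $SI is what SetFileTime-style APIs rewrite; $FN is normally only written by
    the kernel on create/rename/move, so $SI dates earlier than $FN creation are
    a classic indicator. Zeroed sub-second precision in $SI (while $FN keeps it)
    is a common heuristic for values written as whole seconds through an API."""
    findings = []
    if si["created"] < fn["created"]:
        findings.append("SI created precedes FN created")
    if si["modified"] < fn["created"]:
        findings.append("SI modified precedes FN created")
    for key in ("created", "modified"):
        if si[key].microsecond == 0 and fn[key].microsecond != 0:
            findings.append(f"SI {key} has zero sub-second precision while FN {key} does not")
    return findings


def build_attr(created, modified, mft_modified, accessed) -> bytes:
    """Build a constructed attribute body: four FILETIMEs plus zero padding for
    the remaining fields, which this example does not inspect."""
    stamps = (created, modified, mft_modified, accessed)
    return struct.pack("<4Q", *map(datetime_to_filetime, stamps)) + b"\x00" * 16


# Constructed sample: the file was really created on 2023-05-10 ($FN), but $SI
# has been backdated to 2020-01-01 with whole-second values.
_REAL = datetime(2023, 5, 10, 12, 0, 0, 123456, tzinfo=timezone.utc)
_FAKE = datetime(2020, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_SI = build_attr(_FAKE, _FAKE, _REAL, _FAKE)
SAMPLE_FN = build_attr(_REAL, _REAL, _REAL, _REAL)
# Constructed clean record: $SI and $FN agree.
CLEAN_SI = build_attr(_REAL, _REAL, _REAL, _REAL)


def analyse(si_body: bytes, fn_body: bytes) -> list:
    return timestomp_indicators(parse_timestamps(si_body), parse_timestamps(fn_body))


if __name__ == "__main__":
    for line in analyse(SAMPLE_SI, SAMPLE_FN):
        print("indicator:", line)
    print("clean record indicators:", analyse(CLEAN_SI, SAMPLE_FN))
```

A match between the two attributes is not proof of integrity, since a kernel-level or move-based manipulation can update $FN as well; the comparison is an indicator to be weighed alongside link files, the Registry and other sources, as the posts above say.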
I am doing a science project, so I am very new to this. We have been given a USB stick with some data on it and have to verify the integrity of this data.
So can I please ask for help with almost the same problem, but with a twist.
A file was removed from a faulty GPS system last November; the data was then copied onto a USB stick and the original GPS was returned to the manufacturer.
The manufacturer supplied a different type of GPS by variant (same hardware, different software); the old GPS data were copied back to the new GPS, and that was it.
The USB data was modified for printing purposes and re-saved without an original save prior to saving.
I have analysed the GPS file with WinHex and cannot seem to get an exact big-endian value; when converted, I get different dates from almost all the data.
There is no previous history apart from the copied data; there are no links or software attributes for tracing continuity on any computer system to date, and the emphasis is pointing to manufactured data.
Is there any way I can get a date when this file was created, possibly modified, or potentially a hidden creation date, or anything else to confirm the data has not been manufactured?
Any help would be appreciated, as this is a science project.