format date

Lucky for you I am between investigations so I accepted your challenge. Go to the X-Ways web site and download WinHex which is free for the trial version and will do what you need. Unzip it and put it on a flash drive. Now get yourself a forensic computer and plug in your target drive as an secondary drive such as D. I used my FRED and connected it to the Ultrabay write blocker. Now plug the flash drive to the computer and copy the folder to your C drive and run the executable. You don't have to install it. Choose Forensic Interface and then go up to tools and choose the open drive command. Choose the drive letter, if you don't know what it is use Windows Explorer to find it and open the drive. The files that are left sitting on your formatted drive will all have the same time stamp from when it was formatted.

Eyespy - will that not just present the BIOS date of the machine that did the format - not the actual date (if you get my meaning !! ;)) ? I presume that this date wouldn't hold up to scrutiny ?

Eyespy - will that not just present the BIOS date of the machine that did the format - not the actual date (if you get my meaning !! ;)) ? I presume that this date wouldn't hold up to scrutiny ?

Like nearly all dates in computer forensics…..
(hence to be taken with more than a pinch of salt etc)

hi everybody,

i just wanted to know, when is it possible to know the date of formating the hard disk, the disk with me is fully formated and not in use presently, it is clean. how to know what could be the date of format of hard disk.

krishna m

Depends.

Can you clarify that it was formatted with a file system.

If so, which file system?

If not, and everything is wiped, then there are not timestamps to be had.

If it's NTFS, then look at the creation date of the $MFT file itself. That's the correct date/time, usual disclaimers about malleability of computer date/times applies.

Something that may (or may not 😯 ) be of use
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2134

jaclaz