Identifying Files Copied to External Media

(@athulin)
Posts: 1156
Noble Member
 

It is based on testing though
and a number of the instructors will demonstrate the time rules during the class (whilst I'm not an instructor yet, I do demonstrate this in the link file section, for example)

It may be based on some form of testing, but as long as the test protocol isn't published, it isn't good enough. What sources of errors were present during the test? How was testing managed to reduce those errors to a minimum? Were null tests performed? (In this case, this probably includes tests where the copy didn't actually take place, but all other motions up to then were performed. Consider that back in XP days, just moving the cursor over a Windows shell file icon caused its last access time to change. What similar sources of errors and misinterpretation are present today?)

All forensic sciences need to be sciences – and that means designing, performing and publishing tests in a manner that follows scientific principles. (And one of those is that a test should be described in sufficient detail that it can be repeated by someone else.)
When that hasn't happened, the claim of junk science cannot be adequately countered. That's where a number of forensic fields have ended up, and where organizations such as the FBI and others have had to back off from their earlier statements that were used and accepted in court, and in some cases helped to produce convictions on bad forensic science. Those are usually the 'wet forensic sciences', most or all of which are based on medical science. And that's far more science-based than computer forensics has been so far.

See the 'Rules of Time on NTFS' that I mentioned before; that's much closer to what I expect. It's not great on sources of errors, and I have some additional issues with it, but those are more room for improvement than total failures.

Perhaps the SANS results are from some student paper? If so, we're on better grounds – we have something to read and criticize. But if I recall, the results were just published on the SANS blog with no further details. That's not how computer forensic science should be done. That's not what forensic analysts should be trained to base their work on.

I don't know if the rules have even had to change over the years.

The SANS results changed some years back, I recall. (Compare https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf .) And as long as Windows is a black box to us, we have to assume that any update may change things, and we have to repeat all our testing to make sure that the platform we're examining has test results. (The option to open the black box may exist, if source code access to Windows is still possible to purchase.)

Please note this includes Windows Shell, the 'GUI', not just NTFS or other file systems. If a computer has installed some other shell software (CairoShell? SharpEnviro – probably dead by now? WinNc?) it's up to us as forensic analysts to identify this, and to have test results that show what traces and artifacts user-level copying produces. Interpreting artifacts from WinNc as if they were from Windows Shell may not be a good idea.

 
Posted : 11/08/2019 5:51 pm
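The post above argues for a published, repeatable test protocol with null tests and a record of the platform under test. As an added illustration (not code from the post, its author, SANS or any of the tools named), here is a minimal PowerShell harness for one such step: it records the OS build and the NtfsDisableLastAccessUpdate setting, snapshots the timestamps .NET exposes for a file, waits while the tester performs exactly one action (or, for the null test, nothing at all), snapshots again and logs only what moved. The target path, log path and step labels are assumptions for illustration; the directories are assumed to exist.

```powershell
# Added example, not from the original post. One observation step of a
# timestamp-rule test protocol: platform state + before/after snapshot of a
# single file around ONE user action (or no action, for the null test).
param(
    # Hypothetical path of the file whose timestamps are being observed.
    [string]$Target = 'C:\TestSet\sample.docx',
    # Label for the step performed between snapshots, e.g. 'null',
    # 'hover-in-explorer', 'ctrl-c-only', 'copy-to-usb'. Labels are assumptions.
    [string]$Step = 'null',
    # Hypothetical log path; every run is appended so null results are kept.
    [string]$Log = 'C:\TestSet\timestamp-test.csv'
)

function Get-TimestampSnapshot {
    param([string]$Path)
    $f = Get-Item -LiteralPath $Path -Force
    # Only $STANDARD_INFORMATION values are reachable through .NET. The $SI
    # ChangeTime and the whole $FILE_NAME set need an MFT parser and are NOT
    # captured here; a complete protocol would add that.
    [pscustomobject]@{
        Created   = $f.CreationTimeUtc.ToString('o')
        Modified  = $f.LastWriteTimeUtc.ToString('o')
        Accessed  = $f.LastAccessTimeUtc.ToString('o')
        SizeBytes = $f.Length
    }
}

function Get-PlatformState {
    # Record what platform produced the result, so someone else can repeat it
    # on the same build and with the same last-access policy.
    $os  = Get-CimInstance Win32_OperatingSystem
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $fs  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    [pscustomobject]@{
        Build                       = "$($os.Version).$ubr"
        NtfsDisableLastAccessUpdate = $fs.NtfsDisableLastAccessUpdate
    }
}

$platform = Get-PlatformState
# The snapshot itself is part of the procedure: the null test (Step='null')
# shows whether merely observing the file moves anything on this build.
$before = Get-TimestampSnapshot -Path $Target
Write-Host "Platform: $($platform | ConvertTo-Json -Compress)"
Write-Host "Before:   $($before   | ConvertTo-Json -Compress)"
Write-Host "Now perform step '$Step' (for the null test, do nothing), then press Enter."
[void](Read-Host)
$after = Get-TimestampSnapshot -Path $Target

# Report only the fields that changed; the null test's result is the baseline
# that every other step is compared against.
$changed = foreach ($p in 'Created', 'Modified', 'Accessed', 'SizeBytes') {
    if ($before.$p -ne $after.$p) {
        [pscustomobject]@{ Step = $Step; Field = $p; Before = $before.$p; After = $after.$p }
    }
}
if ($changed) { $changed | Format-Table -AutoSize } else { Write-Host "No change for step '$Step'." }

[pscustomobject]@{
    RunUtc            = (Get-Date).ToUniversalTime().ToString('o')
    Step              = $Step
    Target            = $Target
    Build             = $platform.Build
    LastAccessSetting = $platform.NtfsDisableLastAccessUpdate
    Changed           = (@($changed | ForEach-Object { $_.Field }) -join ';')
} | Export-Csv -LiteralPath $Log -Append -NoTypeInformation
```

Run it once per step in a fresh session, starting with the null step and repeating after every Windows update, and keep the CSV with the written protocol; a row whose Changed column is empty is as much a result as one that is not. The harness deliberately covers only the timestamps a scripted reader can see, so it does not replace MFT-level verification; it is the record-keeping around such checks that the post is asking for.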