Hi All,
has any one seen instances of documents/images in an windows xp environment whether current or previously deleted, or archived files which ONLY have a modified date, but NO created date and NO last accessed time, i.e. these fields are null.
What would be the explanation for this case?
Thanks all.
Are these files in an archive file, such as a Zip file? For example, a Zip file only contains the Modified Date for the files contained within it.
Assuming you are using EnCase and you have zip files mounted then you will only see the Modified Date field populated.
Alternatively a tool, such as TimeStomp, may have been used to remove date and time information.
To find out if timestomp was used to "remove" the timestamps effect the following
(1) Open a command prompt box.
(2) Go unto the directory in which sits your suspect file.
(3) "dir filename.xxx"
If the date is shown to be 01/01/1601 the file was timestomped. Alternatively, you can run timestomp with the "-v" option and see the entire MACE suite. All of which would be set to 01/01/1601.
Note that the timestamps are not removed, erased, or beamed up. Rather they are just set to a value outside the parameters, as it were.
Are these files in an archive file, such as a Zip file? For example, a Zip file only contains the Modified Date for the files contained within it.
Assuming you are using EnCase and you have zip files mounted then you will only see the Modified Date field populated.
Alternatively a tool, such as TimeStomp, may have been used to remove date and time information.
Hi Guys,
Thanks for your prompt replies. The question was actually posed to me but all the client had was a print out of a table containing filename, Cr Date, Mod Date, Acc Date - so I was wondering if could this be possible.
I thought the answer could of been more sinister - but I think that these files might be archived in zip containers. Also not having a sample of the data I couldn't confirm.
So thanks again guys.