I am googling for this info, and haven't found what I am looking for yet.
I want to determine the various date/time info on some files on a USB Flash Drive.
I have malware on a users flash drive. I am viewing it on a MAC (Apple Mac OSX), have enabled
Date Modified, and Date created on the finder.
I am trying to determine what date fields are available on FAT32.
As a test, I created a file on my mac, and later copied the file to a fat32 flash drive. I found the Date created retained the date/time I created the file on the mac, and the date modified showed when the file was written to the flash drive.
Based on this, I am assuming that since the malware date created and date last accessed are the same, that this is when the flash drive became infected.
(As opposed to the file having been created on a different machine and then copied to the flash drive, with nothing to reflect the date it was copied to the flash drive.)
To sum this up, my goal is to determine: 'When did the flash drive become infected?'
My assumption being, the date shown on 'Date modified, Date created', which are the same on the malware.
Sorry if this is confusing, no coffee yet this morning….
–Bruce D. Meyer
Have you read this
Also MSDN -
Both of these articles seemed to concentrate on time zones, not which of the four MACB times are stored on FAT32. The first article seemed geared more towards NTFS's supported times, not FAT32. I've read several articles yesterday about FAT32, but haven't found one that specifically covers which of the MACB formats FAT32 is handling. NTFS and time zones are irrelevant to my problem. I appreciate the reply though. When I find my own answer, I'll post it here. I know my question wasn't very clearly phrased.
Thank you very much for your reply.
–Bruce
Bruce,
I'm not entirely sure that I follow what you're asking…maybe that's due to the inconsistency in terminology, I don't know.
Are you trying to determine the MACB equivalents for FAT32?
If this is what you're looking at, I found some things (found them via a trivial search) that may be helpful to you….
http//
http//
Speaking of the MACB format, have you tried using the TSK tools?
http//
Look towards the end of this link for directory table
FAT stores create date and time, modified date and time, and access date
On the Mares and Company article I was referencing the section further down the page. Specifically
Three types of timestamps
With operating systems such as UNIX, LINUX, WIN9X, Windows NT and others, file times (and dates) are stored as three separate items. These are (1) the creation time;(2) last write/modification time; and (3) last access time. Let's look at these.
"Creation time" is usually (but not always) the time the file was created. More specifically, it is the time when the file was first created or written to the disk. Note, then, that if the file was copied from another source, "creation time" would be the time the file was copied rather than the time it was first created. (Microsoft documentation roughly defines this as the time the file was created. A value of 0,0 indicates that the file system containing the file does not support this time member.)
"Last write/modification time" may take on many different meanings. Practically speaking, it means when a program last made any changes to the file. Even though Microsoft defines it as last write time, if you consider this to be the last modification time, all the behavior of the operating system relative to this time stamp seems to be correct. Last modification would occur when you re-opened the document, edited it in some way, and wrote the result back to the disk. This is the time File Manager and DIR show you. (Microsoft defines this as the time that the file was last written to. All file systems support this time member.)
Believe it or not, when an original file is copied (using the copy command or File Manager) both NT and 95 keep the original "last write/modification" time on the new file. However, the creation time is, by definition, the current time of the copy.
If that is not it I guess I did not read the question correctly. Following is the MSDN description of NTFS date and time stamps and the FAT32 differences
Folder properties with regards to the date and time stamps
If you create two new folders on an NTFS partition called D:\NTFS1 and D:\NTFS2, both the created and modified date and time are the same.
If you move the D:\NTFS2 folder into the D:\NTFS1 folder, creating D:\NTFS1\NTFS2, then
D:\NTFS1 - The created folder is the same and the modified stamp changes.
D:\NTFS1\NTFS2 - Both the created folder changes and the modified folder stay the same.
This behavior occurs because, even though you moved the folder, a new folder is seen as being created within the D:\NTFS1 folder by the Master File Table (MFT).
If you copy the D:\NTFS2 folder into the D:\NTFS1 folder, creating the D:\NTFS1\NTFS2 folder, and the D:\NTFS2 folder still exists (after having copied it)
D:\NTFS1 - The created folder is the same and the modified folder time and date stamp changes.
D:\NTFS2 - No changes occur because it is the original folder.
D:\NTFS1\NTFS2 - Both the created folder and the modified folder changes to the same stamp, which is that of the time of the move.
This behavior occurs because even though you copied the folder, the new folder is seen as being created by the MFT and is given a new created and modified time stamp.
Note: The design and behavior of the FAT file system is different with regards to the modified time stamp. On a FAT file system, the modified date of a folder does not change if the contents of the folder change. For example, if you have D:\FAT1 and D:\FAT2, and you copy or move D:\FAT2 into D:\FAT1, the created date and modified date of D:\FAT1 remains the same.
Now I am not sure how Mac handles copying files from HFS+ to FAT32, other than from your test. Is that what happened on the suspect machine?
If HFS+ has attributes of access, attributes modified, backed up, contents modified, created in 1-second intervals, and FAT32 has time attributes of creation, modified, access (accuracy to day only) (creation time and access date are only available when ACCDATE support is enabled) in 2-second intervals, there could be a slight discrepancy, but they should be relatively close.
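To make the FAT timestamp list above concrete, here is an added example (not code from any poster in this thread) that decodes the three stamps FAT keeps in a 32-byte directory entry: creation (date, 2-second time, plus a 10 ms "tenths" byte), last write (date and 2-second time) and last access (date only). The field layout follows Microsoft's FAT specification; the sample entry is constructed, not taken from a real drive, and shows a created stamp 8 days later than the modified stamp, as with a file copied onto the drive.

```python
import struct
from datetime import date, datetime, timedelta

# 32-byte FAT short-name directory entry, field order per Microsoft's FAT spec: DIR_Name, DIR_Attr,
# DIR_NTRes, DIR_CrtTimeTenth, DIR_CrtTime, DIR_CrtDate, DIR_LstAccDate, DIR_FstClusHI,
# DIR_WrtTime, DIR_WrtDate, DIR_FstClusLO, DIR_FileSize
ENTRY = struct.Struct("<11sBBBHHHHHHHI")

def pack_date(y, m, d):
    """FAT date: 7 bits of year since 1980, 4 bits month, 5 bits day."""
    return ((y - 1980) << 9) | (m << 5) | d

def pack_time(h, mi, s):
    """FAT time: 5 bits hour, 6 bits minute, 5 bits of seconds/2 (2-second resolution)."""
    return (h << 11) | (mi << 5) | (s // 2)

def unpack_date(raw):
    """An all-zero date is what FAT writes when a stamp is not supported (e.g. ACCDATE off)."""
    if raw == 0:
        return None
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def stamp(date_raw, time_raw, tenths=0):
    """Combine a FAT date, a 2-second FAT time and the 10 ms 'tenths' byte (creation only)."""
    d = unpack_date(date_raw)
    if d is None:
        return None
    h, mi, s = time_raw >> 11, (time_raw >> 5) & 0x3F, (time_raw & 0x1F) * 2
    return datetime(d.year, d.month, d.day, h, mi, s) + timedelta(milliseconds=10 * tenths)

def decode_entry(entry):
    """Return created (10 ms), modified (2 s) and accessed (day only); FAT stores no time zone."""
    (name, _attr, _nt, tenths, crt_time, crt_date, acc_date,
     _hi, wrt_time, wrt_date, _lo, _size) = ENTRY.unpack(entry)
    base, ext = name[:8].decode("ascii").strip(), name[8:].decode("ascii").strip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "created": stamp(crt_date, crt_time, tenths),
        "modified": stamp(wrt_date, wrt_time),
        "accessed": unpack_date(acc_date),
    }

# Constructed sample entry (not from a real drive): a copied file whose creation stamp, set
# at copy time, is 8 days later than the modification stamp the copy preserved.
SAMPLE = ENTRY.pack(b"MALWARE EXE", 0x20, 0, 45,
                    pack_time(15, 0, 2), pack_date(2010, 3, 10),   # DIR_CrtTime / DIR_CrtDate
                    pack_date(2010, 3, 10), 0,                     # DIR_LstAccDate, cluster hi
                    pack_time(14, 30, 20), pack_date(2010, 3, 2),  # DIR_WrtTime / DIR_WrtDate
                    2, 4096)                                       # cluster lo, file size
```

Calling decode_entry(SAMPLE) gives created 2010-03-10 15:00:02.450000, modified 2010-03-02 14:30:20 and accessed 2010-03-10; every value is the local time of the machine that wrote the entry, since the directory entry carries no zone.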
Thanks for the links. I had already read the Wikipedia entry, but not as deep as this time. Still, I think I find conflicting information. I don't think there is anything that specifically states FAT32 has these date/time attributes recorded. Here is what I see:
Referencing
http//
At the very top of the page, on the right, there is a chart with green highlighting.
I see 'dates recorded'
Dates recorded Creation, modified, access (accuracy to day only)
(Creation time and access date are only available when ACCDATE support is enabled)
So that tells me, I should have all the MAC dates (Modify, Access, Creation) available on every file in a fat partition.
I was getting confused. I thought that chart referred to the original FAT, not FAT12, 16 or 32. I assume what it means is FAT in general, regardless of the implementation.
I viewed the flash drive with a Windows machine, and can see all the date stamps I was looking for. What is confusing about that is the Date created is later (by 8 days) than the date modified…
Anyway, I have my Answer. Thanks folks.
Keydet, I have looked at TSK under the original Helix (2008R1 and 2009R1). I am probably wrong, but it struck me as being unusable from the CD, rather something that needs to be installed on a machine with lots of hard drive space (for images).
I used it as part of the SIFT during the SANS forensic @home class. The image we were provided to use with it was small enough to work with on the virtual machine. If I am correct, I would need to dedicate another machine to run TSK. Please correct me if I am wrong. If I remember correctly, it had one feature that I really could use, and that was the Timeline generator.
–Bruce
I think the response from "Bithead"
"On the Mares and Company article I was referencing the section further down the page. Specifically…" needs to be placed in the Wikipedia entry or at least referenced by it. It is very clear. I printed it out to refer to when I am trying to understand a difficult "chicken or the egg" question, like what I am being asked to answer today.
Thanks for taking the time to provide such a clear and detailed explanation.
–Bruce
I viewed the flash drive with a Windows machine, and can see all the date stamps I was looking for. What is confusing about that is the Date created is later (by 8 days) than the date modified…
First of all…Ouch! Viewing the flash drive on Windows, without taking precautions, has a strong potential of modifying your data.
With respect to the differences you see between Created and modified dates, see
http//
I have looked at TSK under the original Helix (2008R1 and 2009R1). I am probably wrong, but it struck me as being unusable from the CD, rather something that needs to be installed on a machine with lots of hard drive space (for images).
I don't follow. You can put the TSK tools on an analysis system…I did. The entire toolkit doesn't take up a great deal of room. A lot of the images I analyze are on external USB drives.
If I am correct, I would need to dedicate another machine to run TSK. Please correct me if I am wrong.
Okay. 😉
Seriously, I'm not sure where you're getting this information about requiring another system, etc.
First of all…Ouch! Viewing the flash drive on Windows, without taking precautions, has a strong potential of modifying your data.
I use tableau write blockers.
I don't follow. You can put the TSK tools on an analysis system…I did. The entire toolkit doesn't take up a great deal of room. A lot of the images I analyze are on external USB drives.
Both of my analysis machines are Windows; I for some reason had thought TSK was Linux only. I see at sleuthkit.org it is Windows and Linux. I'll have to get it installed on a Windows machine then. I guess since I was using it in a Linux VM (SIFT) I just assumed it was Linux based.
Thanks for pointing that out. Hopefully it runs on a Win2008R2 64 bit OS.
–Bruce