Hi all,
I'm currently performing my first ever image analysis using FTK 1.81.6 - It's the demo version.
I've come across a host of files with blatant tampered dates. For example
shapes.gif
Created date 25/02/2007 13:28:00
Modified date 22/07/2000 09:01:00
Accessed date 25/02/2007 00:00:00
My question is: is there an application which can tell you what the dates should have been before they were tampered with?
Thanks
Nathan
Hmm…
Can you tell us why you think there is blatant tampering??
Thanks
-=Art=-
Why do you assume the dates have been tampered with? I can easily explain the dates you are seeing. Perhaps you need to research the circumstances under which MAC dates and times are changed, in particular in relation to files which have been copied.
My question is: is there an application which can tell you what the dates should have been before they were tampered with?
No. The time stamp fields hold only one time stamp: overwrite it, and it's gone; there's no history. If something else can provide you with the history, like backups or logs, it would be possible, but you can't rely on such a log to exist in general.
how can you have a modified date before the created date?
There are a number of ways this can happen, but it really depends on various factors…what is the OS and file system (as well as versions)? Files can have odd-looking date combinations if the file was moved, copied, extracted from an archive, etc. There's also time-stomping…the use of timestomp.exe leaves easily identified artifacts in the MFT, but other tools and malware will copy creation/modified dates from other files on the system.
Thanks for the all replies people.
Having the creation date greater than the modified date didn't quite make sense. The actual image itself has been put together by one of my lecturers, so I'm not entirely sure which operating system he could have used. If I were to guess I'd say Win XP or Win 2003. However, I can confirm it uses a FAT12 file system.
I didn't realise timestomp left such artefacts behind. Could you please advise what I should be looking for?
Thanks
Whilst timestomp is an option I would suggest it is highly unlikely. I have not personally encountered its use in the wild at all. On the other hand I have seen time configurations like those you outline in just about every job I have done to date. Take a close look at what Patrick4n6 posted and the first few sentences of Keydet89's posting too.
Paul
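Added example (not posted by anyone in this thread): since the image is FAT12, the three stamps above come from the 32-byte short-name directory entry, which packs dates and times into 16-bit DOS fields and stores a date only (no time) for last access, which is why FTK shows 00:00:00 there. The script below decodes such an entry, then builds a constructed entry for SHAPES.GIF and "copies" it the way a file copy does (fresh creation time and access date, write time carried over from the source). The result reproduces the modified-before-created pattern from the first post without any tampering. The entry bytes are constructed here, not taken from the image.

```python
import struct
from datetime import date, datetime, time

# 32-byte FAT short (8.3) directory entry, little-endian:
# name, ext, attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate,
# FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
FMT = "<8s3sBBBHHHHHHHI"


def dos_date(raw):
    """DOS packed date: 7 bits of years since 1980, 4 bits month, 5 bits day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def dos_time(raw, tenths=0):
    """DOS packed time: 5 bits hour, 6 bits minute, 5 bits two-second count.
    `tenths` is the 10 ms refinement byte that only the creation stamp has."""
    second = (raw & 0x1F) * 2 + tenths // 100
    return time(raw >> 11, (raw >> 5) & 0x3F, second, (tenths % 100) * 10_000)


def encode_dos_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def encode_dos_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def build_entry(name, created, modified, accessed, size=0):
    """Constructed directory entry (archive attribute set, first cluster 2)."""
    base, ext = name.upper().split(".")
    return struct.pack(
        FMT, base.ljust(8).encode(), ext.ljust(3).encode(), 0x20, 0, 0,
        encode_dos_time(created.time()), encode_dos_date(created.date()),
        encode_dos_date(accessed), 0,
        encode_dos_time(modified.time()), encode_dos_date(modified.date()),
        2, size)


def parse_entry(raw):
    (base, ext, _attr, _nt, tenths, ctime, cdate, adate,
     _hi, wtime, wdate, _lo, size) = struct.unpack(FMT, raw)
    return {
        "name": base.decode().strip() + "." + ext.decode().strip(),
        "created": datetime.combine(dos_date(cdate), dos_time(ctime, tenths)),
        "modified": datetime.combine(dos_date(wdate), dos_time(wtime)),
        "accessed": dos_date(adate),  # date only: FAT has no last-access time field
        "size": size,
    }


def copy_entry(raw, copy_time):
    """What a plain file copy does to the stamps: new creation time and access
    date on the destination, last-write time carried over from the source."""
    e = parse_entry(raw)
    return build_entry(e["name"], created=copy_time, modified=e["modified"],
                       accessed=copy_time.date(), size=e["size"])


def explain(entry):
    """Flag the ordering that confused the original poster and say what it means."""
    notes = []
    if entry["modified"] < entry["created"]:
        notes.append("modified precedes created: expected for a file copied or "
                     "extracted after it was last written, not proof of tampering")
    return notes


# Constructed sample: a file written in 2000, then copied onto the volume in 2007.
ORIGINAL = build_entry("shapes.gif",
                       created=datetime(2000, 7, 22, 9, 1, 0),
                       modified=datetime(2000, 7, 22, 9, 1, 0),
                       accessed=date(2000, 7, 22), size=1234)
COPIED = copy_entry(ORIGINAL, datetime(2007, 2, 25, 13, 28, 0))

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("after copy", COPIED)):
        e = parse_entry(raw)
        print(label, e, explain(e))
```

Note the two-second resolution of the write time and the 10 ms byte on the creation time: a creation stamp with a non-zero tenths byte on FAT is another sign it was set by the file system rather than typed in by hand.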
Paul is spot on. Always apply
If it's an NTFS partition, look for SIA {Standard Information Attribute} and FIA {File Information Attribute}. There you can see what the actual dates were even if an anti-forensic tool like timestomp has been used.
Cheers,
Kush Wadhwa {kushwadhwa@gmail.com}