I've acquired a HD of a Win XP SP2 NTFS system. About 95% of all the files within one profile have modified dates all within 1 second of one another, as if a program scanned and reset the modified dates or actually modified the files. All the other profiles are unaffected.
The access dates, however, are all listed as earlier than the modified dates. (E.g. Modified = 1/1/07, Access = 12/12/06.) I've tried defragging, group copy/paste, an anti-virus scan, and some other stuff, but most of those tests only affect access dates, not modified ones.
Question: Does anyone know of a system process, tool, or any other reason that would affect the modified dates the way I've described?
Thanks guys!
I could be (and probably am) way off, but was this on a RAID array? A fellow student and I recently realized that the parity bit added by RAID can really mess with hashes, and the thought hit me that it might also affect access dates without changing modified ones?
I'm just a beginner though, so feel free to ignore me if I'm way off base here. (I'm probably mangling the K.I.S.S. concept on this one, hehe.)
I'll do some testing, but did you test the date/time changes if an entire user profile is copied/moved from one PC to another (or even accessed) via System Properties | Advanced | User Profiles?
Also, have you tested un-zipping an archive, and whether it retains the original date/time stamps or changes MAC? (I did a quick test with IZArc, which retained the modified date/time but has new created and accessed date/times...)
You've probably looked, but is there any sign of software, such as Febooti FileTweak or Directory Report, that can be used to change dates/times for modified only (not sure why anyone would, though)?
Finally, was the system BIOS date/time correct?
I could be (and probably am) way off, but was this on a RAID array?
Not a RAID. I need to follow KISS a little more myself.
I'll do some testing, but did you test the date/time changes if an entire user profile is copied/moved from one PC to another (or even accessed) via System Properties | Advanced | User Profiles?
If the entire directory is moved, then the access date of the root folder that was touched would change, but everything else should stay the same, provided it is transferred to the same partition. This profile looked like it belonged on the disk.
You've probably looked, but is there any sign of software, such as Febooti FileTweak or Directory Report, that can be used to change dates/times for modified only (not sure why anyone would, though)?
Nope, nothing like this.
Finally, was the system BIOS date/time correct?
The HD was given to me outside of the case.
I can try the ZIP thing and post when I get some results. Thanks for all the good ideas.
Yes, there is a tool called TIMESTOMP, which can be found in an anti-forensic toolkit; you can search for more on the Metasploit site under anti-forensic projects.
AFAIK, it is possible for the above tool to be run/called via a script to change the MACE attributes under the NTFS file system.
Hope this answers your query!
GoodLuck.
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA. ITIL.MCSE.MCSA.MCP
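Added example, not code from the thread or from any tool named in it: a Python triage script for the pattern described in the original post (a large share of one profile's files with modified times inside the same one-second window, and access times earlier than the modified times) and for the bulk timestamp rewriting that this reply attributes to Timestomp. The file records are constructed sample data, not evidence from the case. The zeroed sub-second check is a heuristic I add on my own account: a tool that sets timestamps at one-second resolution, or an archive format that stores them at that resolution, leaves the fractional part of the NTFS timestamp at exactly zero, whereas files written normally on NTFS almost never do. That makes it a prompt for closer inspection, not proof of either a tool or an extraction.

```python
"""
Triage of exported NTFS timestamps for a bulk modified-time reset.
Added example; all records below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed sample rows: (path, modified, accessed) as a forensic tool
# might export them. Six "profile" files share one modified second and
# have access times earlier than that; two files look ordinary.
SAMPLE_ROWS = [
    ("profile/My Documents/report.doc",  "2007-01-01 10:00:00.000000", "2006-12-12 09:00:00.123456"),
    ("profile/My Documents/notes.txt",   "2007-01-01 10:00:00.000000", "2006-12-12 09:01:00.654321"),
    ("profile/Desktop/todo.txt",         "2007-01-01 10:00:00.000000", "2006-12-10 14:20:00.111111"),
    ("profile/Favorites/site.url",       "2007-01-01 10:00:00.000000", "2006-12-11 08:05:00.222222"),
    ("profile/Application Data/app.ini", "2007-01-01 10:00:00.000000", "2006-12-09 17:45:00.333333"),
    ("profile/Desktop/photo.jpg",        "2007-01-01 10:00:00.734000", "2006-12-12 11:30:00.444444"),
    ("profile/NTUSER.DAT",               "2006-11-03 08:15:42.117500", "2006-12-20 07:00:00.555555"),
    ("profile/ntuser.ini",               "2006-10-21 16:02:11.982300", "2006-12-20 07:00:00.666666"),
]
FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_records(rows):
    """Turn (path, modified, accessed) strings into dicts with datetimes."""
    return [
        {"path": p, "modified": datetime.strptime(m, FMT), "accessed": datetime.strptime(a, FMT)}
        for p, m, a in rows
    ]


def largest_modified_cluster(records, window=timedelta(seconds=1)):
    """Size of the largest group of files whose modified times all fall
    within `window` of each other (sliding window over sorted times)."""
    times = sorted(r["modified"] for r in records)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def access_before_modified(records):
    """Files whose last-access time is earlier than their modified time.
    On a volume that updates access times, a write normally refreshes
    the access time too, so this ordering deserves an explanation."""
    return [r["path"] for r in records if r["accessed"] < r["modified"]]


def zero_subsecond_modified(records):
    """Heuristic (assumption, see lead-in): modified times with a zero
    fractional second suggest they were set at one-second resolution."""
    return [r["path"] for r in records if r["modified"].microsecond == 0]


def triage(records, cluster_threshold=0.5):
    """Summarise the indicators for a file listing."""
    n = len(records)
    cluster = largest_modified_cluster(records)
    return {
        "files": n,
        "largest_1s_cluster": cluster,
        "cluster_fraction": round(cluster / n, 3),
        "suspect_bulk_mtime_reset": cluster / n >= cluster_threshold,
        "access_before_modified": access_before_modified(records),
        "zero_subsecond_modified": zero_subsecond_modified(records),
    }


if __name__ == "__main__":
    for key, value in triage(parse_records(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

On the sample data the script reports a cluster of 6 of 8 files inside one second, all 6 with access times earlier than modified, and 5 of them with a zeroed sub-second field. Run against a real export, a high cluster fraction plus a common zeroed fraction is consistent both with extraction from an archive and with a timestamp-setting tool, so the next step is to look for the extraction or tool artifacts themselves rather than to conclude from the timestamps alone.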
Also, if time permits, you can try to build a test environment to check WinRAR and WinZip. AFAIK, the former supports NTFS ADS; however, WinZip doesn't.
I am not sure whether the selected/described user account profile was copied over or restored from a tape archive, or even a ZIP/RAR archive, that was restored recently, given the 1-second time interval between the files.
Hope this may help you too!
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA. ITIL.MCSE.MCSA.MCP
Has NTFS 'update last access times' feature been disabled?