Nirsoft BulkFileChanger or Related/Similar Software

(@searles)
Active Member
Joined: 12 years ago
Posts: 14
Topic starter  

There are several shareware programs which allow you to modify created/modified/accessed times through command line programs, not the clock.

I am interested in one in particular.
Nirsoft Bulk File Changer claims the following

BulkFileChanger is a small utility that allows you to create files list from multiple folders, and then make some action on them - Modify their created/modified/accessed time, change their file attributes (Read Only, Hidden, System), run an executable with these files as parameter, and copy/cut paste into Explorer.

The system works with any version of Windows starting with Windows 2000.
The only limitation seems to be that you cannot set the date/time before 01/01/1980 as it's a limitation of the file system on Windows.

Does anyone have any experience with this program?

How would one discover if this program or another like it has been used?

I am involved in a case where many thousands of unrecognizable files have appeared on my computer. Just as a few examples, I do not search or need a workman's comp attorney, nor do I care about the secretary of state in Ohio, nor do I have any interest in the club scene in London. There are dozens of foreign language sites and these files came into my system by the 1000s with identical created/modified/access times. Virtually all have nothing to do with my case.

What causes Windows to overwrite? Would a flood of 1000s of new files cause overwriting?


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

The Windows FILETIME structure is in 100 nanosecond intervals.

So if a tool like this was used you might find all the times are the same to the exact nanosecond. In real life you can't create 1000s of files in 100ns. So having an impossible set of file create times would be an indication of something strange. As would times in the future or times before the installation of the O/S (depending on how the files got on the machine).

Note that different file systems have different time resolutions. e.g. only 10ms on FAT.

See,
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284(v=vs.85).aspx


   
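The three indicators described in the post above (many files sharing one exact FILETIME value, creation times in the future, and creation times before the O/S install) can be checked mechanically over a file listing. The following is an added example, not part of the original post; the function names, the 100-file cluster threshold and the sample records are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point

def filetime_to_dt(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def flag_anomalies(records, os_install, collected, min_cluster=100):
    """records: iterable of (path, creation FILETIME as int).
    Returns {path: [reasons]} for the three indicators named in the post."""
    records = list(records)
    per_tick = Counter(ft for _, ft in records)  # files per exact 100 ns tick
    flags = {}
    for path, ft in records:
        reasons = []
        if per_tick[ft] >= min_cluster:
            reasons.append("identical-tick x%d" % per_tick[ft])
        created = filetime_to_dt(ft)
        if created > collected:          # later than the acquisition time
            reasons.append("future")
        if created < os_install:         # a lead only: depends on how files arrived
            reasons.append("before-os-install")
        if reasons:
            flags[path] = reasons
    return flags

# Constructed sample records, not data from the case discussed in this thread.
INSTALL = datetime(2003, 6, 1, tzinfo=timezone.utc)
COLLECTED = datetime(2013, 7, 20, tzinfo=timezone.utc)
BURST = dt_to_filetime(datetime(2012, 3, 4, 5, 6, 7, tzinfo=timezone.utc)) + 1234567
SAMPLE = [("bulk_%04d.dat" % i, BURST) for i in range(3200)]
SAMPLE += [
    ("normal_a.txt", BURST + 52_000_000),   # 5.2 s after the burst
    ("normal_b.txt", BURST + 91_234_567),
    ("old.txt", dt_to_filetime(datetime(1999, 1, 1, tzinfo=timezone.utc))),
    ("future.txt", dt_to_filetime(datetime(2030, 1, 1, tzinfo=timezone.utc))),
]
FLAGS = flag_anomalies(SAMPLE, INSTALL, COLLECTED)

if __name__ == "__main__":
    for name in ("bulk_0000.dat", "normal_a.txt", "old.txt", "future.txt"):
        print(name, FLAGS.get(name, []))
```

On file systems with coarser timestamp resolution, such as FAT as noted in the post above, identical values are weaker evidence, so raise `min_cluster` there.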
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

http://windowsir.blogspot.com.au/2013/07/howto-determinedetect-use-of-anti.html

Interesting article I was reading today coincidentally, mention of timestamp manipulation there too.

There are many different tools that can manipulate timestamps searles, why that one in particular?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I am involved in a case where many thousands of unrecognizable files have appeared on my computer. Just as a few examples, I do not search or need a workman's comp attorney, nor do I care about the secretary of state in Ohio, nor do I have any interest in the club scene in London. There are dozens of foreign language sites and these files came into my system by the 1000s with identical created/modified/access times. Virtually all have nothing to do with my case.

What causes Windows to overwrite? Would a flood of 1000s of new files cause overwriting?

I'd suggest that there really isn't enough context with which to do much more than speculate wildly.

Where, on the system, have the files appeared? You also mention "sites"…are you suggesting that this might be the result of web surfing?

Honestly, there's not a great deal anyone can be expected to provide in the face of, "what is this file?"…if there is some context (i.e., file paths, etc.) that you can share, that might be a bit more helpful.

Thanks, and good luck with your case.


   
(@searles)
Active Member
Joined: 12 years ago
Posts: 14
Topic starter  

Interesting article I was reading today coincidentally, mention of timestamp manipulation there too.

There are many different tools that can manipulate timestamps searles, why that one in particular?

Thank you all for your responses.

Adam, could you share the article with me? Is there a link?

Nirsoft was chosen because they did an excellent job of explaining what their program did. In fact, it would not have to be that one in particular.

Passmark, your suggestion regarding the impossibility of 1000s of files appearing in an instant was very helpful.

What would be the effect of the introduction of (in one instance) 3200 files with an identical creation date on the Windows XP operating system?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What would be the effect of the introduction of (in one instance) 3200 files with an identical creation date on the Windows XP operating system?

The effect is that there would be 3200 files on the system with identical creation dates.

Okay, kidding aside, something had to happen for them to get there. Are they all in one place? Are they scattered throughout the system?

Did you create a timeline of system activity?

Did you correlate as many of the artifacts related to program execution from the system as you could find?


   
(@searles)
Active Member
Joined: 12 years ago
Posts: 14
Topic starter  

iecompatmyfuncards.com
iecompatmovistar.com.co
iecompatmousebreaker.com
iecompatmol.fi
iecompatzita.be
iecompatsonymusic.co.jp
iecompatsonara.net
iecompatskysports.com
iecompatskatteverket.se
iecompatsebank.se
iecompatpbase.com
plus more than 3200 more

So all were added to IE.
The timestamps are identical.
I ran a timeline by creation date. Of course, all were identical.

The computer which had been in operation since 2003 never had this kind of mass file introduction until the year of the incident.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Just to be clear - when you say creation date are you talking the same second or the same date?


   
(@searles)
Active Member
Joined: 12 years ago
Posts: 14
Topic starter  

Same second.


   