Hi there,
I am viewing an acquired drive within EnCase. The drive originated from an XP machine and is formatted with the NTFS file system.
Whilst viewing some deleted files, I came across a set of files with strange timestamps, similar to the ones below:
Last accessed 14/02/08 184952
File created 29/01/08 181453
Last written 08/08/05 104959
Entry modified 18/05/07 122727
The last accessed and file created seem feasible, but I'm a little confused as to why the file created time is a long way after the last written time and the entry modified field?
My initial reason as to why this is, is that the file has been moved/copied from another drive. If this is not the case, could this be the use of an anti-forensic tool, such as timestomp? What do you people think?
Secondly, can deleted file timestamps be relied upon? (as in the accuracy). Am I right in saying that any clusters related to a file within NTFS are set to '0', ie unallocated within the MFT and so timestamps would be left intact?
Many thanks,
howco21
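As an added illustration (not code from the poster), the script below takes the four $STANDARD_INFORMATION timestamps quoted in the post, checks their ordering for the patterns discussed (created later than last written, which is what an NTFS copy from another volume produces; entry modified earlier than created, which a record cannot legitimately show), and separately shows the whole-second check that is commonly applied to raw FILETIME values when timestomp is suspected. The FILETIME samples are constructed for the example.

```python
from datetime import datetime, timezone

# The four timestamps as rendered by EnCase in the post ("dd/mm/yy HHMMSS").
POST_TIMESTAMPS = {
    "accessed": "14/02/08 184952",
    "created": "29/01/08 181453",
    "modified": "08/08/05 104959",
    "entry_modified": "18/05/07 122727",
}

# 100-nanosecond ticks between the FILETIME epoch (1601-01-01) and the Unix epoch.
EPOCH_DIFF_100NS = 116_444_736_000_000_000


def parse_encase(ts: str) -> datetime:
    """Parse the 'dd/mm/yy HHMMSS' form used in the post into a UTC datetime."""
    return datetime.strptime(ts, "%d/%m/%y %H%M%S").replace(tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Convert a datetime to a Windows FILETIME (integer maths to avoid float loss)."""
    return int(dt.timestamp()) * 10_000_000 + dt.microsecond * 10 + EPOCH_DIFF_100NS


def assess(ts: dict) -> list:
    """Return ordering findings for a set of $STANDARD_INFORMATION times."""
    m = {k: parse_encase(v) for k, v in ts.items()}
    findings = []
    if m["created"] > m["modified"]:
        # A copy to a new volume gets a fresh creation time but keeps the
        # original last-written time, so this alone is not evidence of tampering.
        findings.append("created_after_modified")
    if m["entry_modified"] < m["created"]:
        # The MFT record is written when the file is created, so its entry
        # modified time should never precede creation; compare with $FILE_NAME.
        findings.append("entry_modified_before_created")
    if m["accessed"] < m["created"]:
        findings.append("accessed_before_created")
    return findings


def subsecond_zeroed(filetime: int) -> bool:
    """True when the 100ns fraction is exactly zero, as whole-second
    writes by tools such as timestomp leave it (genuine NTFS writes rarely do)."""
    return filetime % 10_000_000 == 0


# Constructed FILETIME samples: one whole-second value, one with a real fraction.
STOMPED_SAMPLE = to_filetime(parse_encase("08/08/05 104959"))
GENUINE_SAMPLE = STOMPED_SAMPLE + 1_234_567
```

A whole-second result on a single timestamp is only a prompt to pull the $FILE_NAME attribute for the same record, not a conclusion on its own.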