Forums
Main Category
General (Technical,...
OLE Metadata + File...
 
Notifications
Clear all

OLE Metadata + File System Metadata

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jprowe 17 years ago
7 Posts
5 Users
0 Reactions
967 Views
RSS
pronie2121
 pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter 29/08/2008 9:46 pm  

does anyone have an idea as to why the OLE Metadata and File System Metadata will report different times for the same file?


   
Quote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
29/08/2008 10:07 pm  

does anyone have an idea as to why the OLE Metadata and File System Metadata will report different times for the same file?

…because the times are different?

Seriously.


   
ReplyQuote
pronie2121
 pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter 29/08/2008 11:14 pm  

Even if it is the same document how would one show it as being created at this time and the other show it being created at a different time?


   
ReplyQuote
u2bigman
 u2bigman
(@u2bigman)
Eminent Member
Joined: 17 years ago
Posts: 41
30/08/2008 12:57 am  

You might download timestomp, run

timestomp <filename> -v

which will give you the MACE values. Nice thing about timestomp is that it does not change any of the values. Note that there are FOUR timestamp values… none of which is worth the electrons used to save it. But they are better than nothing, I guess.


   
ReplyQuote
 gmarshall139
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
30/08/2008 1:35 am  

One possibility is that the file was moved from it's original location.

The file is created and saved in it's original location. This establishes the "created" time in the metadata. The MFT entry will show an identical created time. If the file is moved, a new MFT entry is created for the new location. It will have a "created" time indicating when the file was created in that location. Even though it may have the same file name it is a different and unique file as far as the MFT is concerned. At this point the created times for the MFT entry and the file meta data are different.

Other apparent anomalies are possible when dealing with metadata. These can usually be resolved by logically thinking through what the data really means.

In one case I was involved in an issue was made of some files bearing a metadata printed date that preceded the created date. Sounds like a problem, but there is a simple explanation. The file in question was created from another file (Save As). The first file was printed. The second never was. The created time would represent the time that the file was "Saved As" something new. Since the new one was never printed it retained the printed time from the original file.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
30/08/2008 5:03 pm  

Even if it is the same document how would one show it as being created at this time and the other show it being created at a different time?

Sure…Occam's Razor…the file was copied from one location to another.

Check the other metadata within the document…does it correspond to info on the system you're examining. Check the Registry info on the system…are there any indications of a user opening the document, and if so, when?


   
ReplyQuote
 jprowe
(@jprowe)
Active Member
Joined: 18 years ago
Posts: 19
30/08/2008 11:00 pm  

The following explanations should help

Understanding File Timestamps
http//www.pinpointlabs.com/wordpress/2008/08/13/understanding-file-timestamps/

Preserving File Timestamps
http//www.pinpointlabs.com/research/preserve_file_timestamps.htm

Respectfully,
Jon Rowe
jon.rowe@pinpointlabs.com


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: