If I have a file on drive D:/ which has created time 1-1-2013, then it has been moved on the same hard disk, but the created time is changed after copying or moving, for example 17-11-2013 … how can I get the first time again through forensics…
Windows XP
If I have a file on drive D:/ which has created time 1-1-2013, then it has been moved on the same hard disk.
Okay, XP…let's assume NTFS. A file was created on the D:\ volume, and then you say, "…moved on the same hard disk" - assuming that you mean within the same volume (i.e., D:\), then the file keeps the creation date, per http://
…but the created time is changed after copying or moving, for example 17-11-2013 … how can I get the first time again through forensics…
Well, you have to pick…copied or moved. Per http://
There are other options available to you, as well…specifically, Windows shortcut/LNK files and possibly shellbag artifacts. The shell items that make up the shell item ID lists in LNK files will contain DOSDate format time stamps within the various elements of the shell item ID list. Also, the header of the LNK file will contain the MAC time stamps from the target file…all that is required is that the user have double-clicked on and opened the file.
With shellbags, on local hard drives, Windows XP had a propensity to harvest a directory listing when the user initiated an action that created a shellbag artifact for a folder; if you were so lucky, you could find the file name in there, and extract the creation date from the shell item…assuming that the user took the actions that would result in the shellbag artifacts.
However, you would only be able to identify the file by name. None of the artifacts include hashes of the file, and the addition of the MFT file reference number to the shell items did not occur until Vista.
Hope that helps.
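The LNK artifact described above, as an added example that is not part of the original answer: a small parser that pulls the target's creation, access and write FILETIMEs out of the ShellLinkHeader and the DOSDate stamps out of the file-entry shell items in the LinkTargetIDList (including the 0xbeef0004 extension block, which on XP carries the creation and access DOSDates). The header layout follows the published MS-SHLLINK structure; the shell item and extension block offsets follow the publicly documented shell item format and are an assumption of this example. The `.lnk` bytes are constructed in `build_sample_lnk()` so the code runs offline; it is not a real shortcut file.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
HAS_LINK_TARGET_ID_LIST = 0x00000001    # LinkFlags bit: an IDList follows the header
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXT_BLOCK_SIG = 0xBEEF0004              # file-entry extension block signature (assumed layout)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means 'not recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dosdate_to_datetime(date, time):
    """FAT/DOSDate pair: date = YYYYYYYMMMMDDDDD (years since 1980),
    time = HHHHHMMMMMMSSSSS (seconds / 2). Local time, 2 s resolution, so it
    corroborates a FILETIME rather than replacing it."""
    if date == 0:
        return None
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:          # month 0/13, day 0/32 etc.: corrupt or unset stamp
        return None


def iter_file_entry_items(idlist):
    """Walk an IDList (ItemID = u16 size + data, ended by a u16 0) and yield the
    name and DOSDate stamps of each file-entry shell item (class type 0x3x)."""
    pos = 0
    while pos + 2 <= len(idlist):
        size = struct.unpack_from("<H", idlist, pos)[0]
        if size == 0:
            break                                   # TerminalID
        item = idlist[pos:pos + size]
        pos += size
        if len(item) < 15 or item[2] & 0x70 != 0x30:
            continue                                # root, volume or other item classes
        name_end = item.find(b"\x00", 14)
        if name_end < 0:
            continue                                # malformed: unterminated primary name
        mdate, mtime = struct.unpack_from("<HH", item, 8)   # last-modification DOSDate
        entry = {"name": item[14:name_end].decode("ascii", "replace"),
                 "modified": dosdate_to_datetime(mdate, mtime),
                 "created": None, "accessed": None}
        ext = name_end + 1 + (name_end + 1) % 2     # primary name is padded to 16 bits
        if ext + 16 <= len(item) and struct.unpack_from("<I", item, ext + 4)[0] == EXT_BLOCK_SIG:
            cdate, ctime, adate, atime = struct.unpack_from("<HHHH", item, ext + 8)
            entry["created"] = dosdate_to_datetime(cdate, ctime)
            entry["accessed"] = dosdate_to_datetime(adate, atime)
        yield entry


def parse_lnk(data):
    """Return the header MAC FILETIMEs and the per-item DOSDates of a .lnk file."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    flags, _attrs, ctime, atime, wtime = struct.unpack_from("<IIQQQ", data, 20)
    result = {"target_created": filetime_to_datetime(ctime),
              "target_accessed": filetime_to_datetime(atime),
              "target_written": filetime_to_datetime(wtime),
              "shell_items": []}
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
        idlist = data[HEADER_SIZE + 2:HEADER_SIZE + 2 + idlist_size]
        result["shell_items"] = list(iter_file_entry_items(idlist))
    return result


def _dosdate(dt):
    return ((dt.year - 1980) << 9 | dt.month << 5 | dt.day,
            dt.hour << 11 | dt.minute << 5 | dt.second // 2)


def _filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def build_sample_lnk():
    """Constructed .lnk bytes (not a real artifact): a shortcut to REPORT.DOC whose
    header FILETIMEs and shell-item DOSDates carry the same three stamps."""
    created = datetime(2013, 1, 1, 9, 30, 0, tzinfo=timezone.utc)
    written = datetime(2013, 6, 5, 14, 0, 10, tzinfo=timezone.utc)
    accessed = datetime(2013, 11, 17, 8, 15, 20, tzinfo=timezone.utc)
    root = struct.pack("<HBB", 20, 0x1F, 0x50) + bytes(16)   # root folder item, skipped by the parser
    name = b"REPORT.DOC\x00\x00"                               # nul terminator + pad to even length
    ext = (struct.pack("<HI", 3, EXT_BLOCK_SIG)                 # version 3 = XP era block
           + struct.pack("<HH", *_dosdate(created)) + struct.pack("<HH", *_dosdate(accessed))
           + struct.pack("<H", 0x14) + "Report.doc".encode("utf-16-le") + b"\x00\x00"
           + struct.pack("<H", 0))                              # first-extension-block offset
    ext = struct.pack("<H", len(ext) + 2) + ext
    item = struct.pack("<BBIHHH", 0x32, 0, 12345, *_dosdate(written), 0x20) + name + ext
    item = struct.pack("<H", len(item) + 2) + item
    idlist = root + item + b"\x00\x00"
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack(
        "<IIQQQIiIHHII", HAS_LINK_TARGET_ID_LIST, 0x20,
        _filetime(created), _filetime(accessed), _filetime(written), 12345, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(idlist)) + idlist


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(key, value)
```

On a real shortcut, `parse_lnk(open(path, "rb").read())` gives you the header stamps (UTC, 100 ns) next to the shell-item stamps (local time, 2 s); agreement between the two, and between them and the $MFT entry, is what lets you argue the earlier creation date rather than just assert it. Nothing here identifies the file beyond its name, which is exactly the limitation the answer points out.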