Forums
Main Category
General (Technical,...
Recovered backups a...
 
Notifications
Clear all

Recovered backups and timestamps

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by craig 16 years ago
5 Posts
2 Users
0 Reactions
615 Views
RSS
 craig
(@craig)
Eminent Member
Joined: 16 years ago
Posts: 23
Topic starter 27/01/2010 4:51 pm  

I have a case where the files in question have been recovered from a backup. My question is, is there any way a recovered files documents can change from backup to recovery i.e. Timestamps?

I do not at this moment know the software used, but I am guessing is it not bespoke. Also from my research I have used NTBACKUP and to my surprise the timestamps do not change when recovered(I know the timestamp of the MFT on the computer would, however the original computer is gone, hence the backup).

Does anyone know if there is a possibility of the timestamps would change? From the backup, to when it is recovered? And any other way to verify the timestamps?

Much appreciated,
Craig


   
Quote
pbobby
 pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
27/01/2010 10:17 pm  

First thing is to identify the backup type and product used.

In the case of NTBackup, the following artifacts/timestamps apply

FOR FILES

1. File Created and Last Written remains the same
2. Last Accessed and Entry Modified are changed to the time they were restored
3. The Archive bit is set on the restored files
4. The Hash values are the same

FOR FOLDERS

1. File Created remains the same
2. Last Accessed, Entry Modified and Last Written are changed to the time they were restored
3. The Hash values are different

Please note, 'changed to the time they were restored' is not one specific time, the process of restoration may take some time and so these values are at the time a specific action was made, not the overall restoration time of the entire backup.


   
ReplyQuote
 craig
(@craig)
Eminent Member
Joined: 16 years ago
Posts: 23
Topic starter 28/01/2010 3:28 am  

Thanks for the reply pbobby. Those are exactly what I am looking for.

I can't seem to replicate the results however can you send me the reference/book where the information came from? I would like a reference for court.

Thanks again!


   
ReplyQuote
pbobby
 pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
28/01/2010 11:26 am  

This came from my own testing - in restoring from a backup and comparing timestamps pre and post.


   
ReplyQuote
 craig
(@craig)
Eminent Member
Joined: 16 years ago
Posts: 23
Topic starter 28/01/2010 3:21 pm  

Weird, I ran the backup and recovery on some files and the timestamps where identical (using NTBACKUP).

You got that the 'Last Accessed and Entry Modified are changed to the time they were restored'.

Would it be the OS or the actual backup application used that changes/keeps the timestamps?


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: