Shellbag analysis

24 Posts
6 Users
0 Reactions
5,723 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Looking at the output of sbags, if I needed more than I already had date-wise, I would use the created and last accessed dates to corroborate the info I had in fileurns.cache, lnk files, etc. in order to

Interesting, and thanks for answering my question directly.

If I may…on Vista+ systems, the last accessed dates on files are not updated when the user accesses (opens, views, etc.) them. This is the default, out-of-the-box setting. As such, these should not change when the user accesses the files.

Also, the embedded time stamps are stored in DOSDate format, which has a granularity of 2 seconds. Given that the NTFS file system time stamps have a granularity of 100 nanoseconds, how would you address any disparity between the times?

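To make the granularity point above concrete, here is an added example (not code from the thread, from sbags, or from any poster's tooling) that decodes a shell item's 4-byte DOSDate value, truncates an NTFS FILETIME the same way Windows would, and checks whether the two could describe the same event. The sample timestamp is constructed; the functions assume both values are expressed on the same clock, so time zone normalisation is left out.

```python
import struct
from datetime import datetime, timedelta

# FILETIME counts 100-nanosecond ticks since 1601-01-01; DOSDate packs a
# calendar date and a time of day into two 16-bit words, with seconds stored
# as seconds / 2, so it can only represent even seconds.
EPOCH_1601 = datetime(1601, 1, 1)
TICKS_PER_SECOND = 10_000_000
DOS_GRANULARITY = timedelta(seconds=2)


def decode_dosdate(raw: bytes) -> datetime:
    """Decode a 4-byte DOSDate value: date word then time word, both little-endian."""
    if len(raw) != 4:
        raise ValueError("DOSDate value must be exactly 4 bytes")
    date_word, time_word = struct.unpack("<HH", raw)
    day = date_word & 0x1F              # bits 0-4
    month = (date_word >> 5) & 0x0F     # bits 5-8
    year = 1980 + (date_word >> 9)      # bits 9-15, years since 1980
    second = (time_word & 0x1F) * 2     # bits 0-4 hold seconds / 2
    minute = (time_word >> 5) & 0x3F    # bits 5-10
    hour = time_word >> 11              # bits 11-15
    return datetime(year, month, day, hour, minute, second)


def encode_dosdate(dt: datetime) -> bytes:
    """Pack a datetime into DOSDate form, discarding anything finer than 2 seconds."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date_word, time_word)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a datetime (Python keeps microseconds only)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build the sample value."""
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def consistent(ft: int, dos_raw: bytes) -> bool:
    """True when truncating the NTFS timestamp to DOSDate yields this shell item value.

    DOSDate rounds down, so the real event lies in the window [dos, dos + 2 s).
    """
    dos = decode_dosdate(dos_raw)
    return dos <= filetime_to_datetime(ft) < dos + DOS_GRANULARITY


# Constructed sample: an NTFS timestamp of 2013-05-14 10:15:37.1234567 and the
# DOSDate a shell item would hold for the same moment (10:15:36, the even second).
SAMPLE_FT = datetime_to_filetime(datetime(2013, 5, 14, 10, 15, 37)) + 1_234_567
SAMPLE_DOS = encode_dosdate(datetime(2013, 5, 14, 10, 15, 37))

if __name__ == "__main__":
    print("shell item DOSDate :", decode_dosdate(SAMPLE_DOS))
    print("NTFS FILETIME      :", filetime_to_datetime(SAMPLE_FT))
    print("consistent?        :", consistent(SAMPLE_FT, SAMPLE_DOS))
    # An NTFS time two seconds later can no longer have produced this DOSDate.
    print("two seconds later  :", consistent(SAMPLE_FT + 2 * TICKS_PER_SECOND, SAMPLE_DOS))
```

The useful output is not the decoded value itself but the window test: when a $MFT or lnk timestamp falls inside the 2-second span implied by the BagMRU entry, the two artifacts corroborate each other; when it falls outside, the disparity is real and not an artifact of DOSDate truncation.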
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

True on last accessed, but I still get the other 2, which can go a long way for the cases I do forensics for (CP cases primarily). I usually don't trust last accessed too much in general because so many things can affect it.

I think the easiest thing to do re the accuracy of the timestamps is to explain the differences up front during the course of direct testimony. Explaining the datetimes with something like "this is accurate within 2 seconds due to the way this particular date time is recorded by Windows" should, in my mind, satisfy things. That way the door is essentially shut for cross examination. Then again, that explanation could be saved if it comes up in cross and would serve to possibly set the defense back a bit! =) Following up with a bit of background on when DOS was born vs NTFS and how NTFS is a more robust file system, etc. would round out the commentary.

The necessity of the more accurate timestamps would also be impacted by the type of case as well. If I can show a file showed up within a 2 second window and was acted upon soon after that via lnk files, playlist history, etc., I don't see people getting hung up on the missing nanoseconds on either side of the transaction. Most people on a jury (or a lot of computer 'experts' as determined by the court) wouldn't have a clue what a 100ns resolution means anyway. =) Getting into a rather technical explanation like that may serve to confuse people vs help clarify a timeline.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

I usually don't trust last accessed too much in general because so many things can affect it.

The same is true for the last modification dates, with respect to what's displayed in the BagMRU artifacts.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Greg,

As per ShellBags detailed structure, you may want to have a look at the following sources

Thanks for all of that information.

What's very interesting is that several of the tools that you mentioned are out of date…they were originally written, additional work in the area has been done and information updated, but the tools have not.

I'm beginning to understand that you, as well as others, are not interested so much in the time stamps from the shell items that comprise the BagMRU artifacts.
