
some Questions about $MFT !!!!

5 Posts
2 Users
0 Reactions
756 Views
(@evilcode1)
Estimable Member
Joined: 10 years ago
Posts: 157
Topic starter  

hello all …
I'm not a professional in computer forensics, I specialized in mobile forensics !!
the case is someone changed the (created, modified and accessed) dates of an important file and they want to know if this happened or not and they want to know the real date for that file !!
I did some research and I read about $MFT ….. the questions are
1- does $MFT keep the real date for any file !! even if someone makes a fake date in the Windows environment !!
2- if the $MFT keeps the real date for the file !! what does that depend on and how does it work ??
3- looking in the $MFT dir, is this a true step or what !! if not, is there any way to know when that person made a fake date edit for that file !!

thanks for all


(@evilcode1)
Estimable Member
Joined: 10 years ago
Posts: 157
Topic starter  

hello, anybody here ???


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I am not sure I understand, to be more exact I am pretty sure I don't understand the questions.

If you change some data in the $MFT entry, then that data is changed and remains changed.

It is entirely possible to do that and of course if you do that properly you wouldn't later find any trace of that in the $MFT.

Example
https://code.google.com/p/mft2csv/wiki/SetMACE
https://github.com/jschicht/SetMace

Now, if it was done in a non-proper way, then maybe some traces can be found.

jaclaz


(@evilcode1)
Estimable Member
Joined: 10 years ago
Posts: 157
Topic starter  

okay let me explain the case again
I'm on Windows 8 > I created a .TXT file on 1/10/2015 > someone used some tool to make a fake date for the file I created, from 1/10/2015 to 14/11/2015 > does the $MFT record the real date for the file or the fake date ??

that's what I want to understand
and thanks for your reply


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

okay let me explain the case again
I'm on Windows 8 > I created a .TXT file on 1/10/2015 > someone used some tool to make a fake date for the file I created, from 1/10/2015 to 14/11/2015 > does the $MFT record the real date for the file or the fake date ??

that's what I want to understand
and thanks for your reply

Yep, but - again - the issue is with the "some tool".
A given "some tool" may not change a date properly (and thus it is possible to find evidence that a date has been "artificially" modified) while "some other tool" may do it properly (and in this case you won't find any evidence in the $MFT).

The little program by joakims I gave you a link to is an experiment to see if it is actually possible to properly change a file date/time without leaving traces in the $MFT (and yes, it is possible), exactly because other tools, while apparently changing the date, managed to do so in an incomplete (and thus detectable) way.

Each file in the $MFT has 2 (or in some cases 3: 1 $STANDARD_INFORMATION + 2 $FILE_NAME) sets of MACE timestamps.
Some programs may change only the first set, and/or the way they change the timestamps of the second set may cause a record to be written in $LogFile.

The original way of changing the 4 MACE values, as implemented in timestomp, was to use the NtSetInformationFile function inside ntdll.dll and the FILE_BASIC_INFORMATION structure in FILE_INFORMATION_CLASS. That will let you change all 4 values in the $STANDARD_INFORMATION, but not in the $FILE_NAME attribute. I therefore added support for that in SetMACE to make it more interesting. The first version (v1005) implemented the file move trick, which sets the timestamps, then moves the file to a different folder before moving the file back again and resetting the timestamps. That effectively changed both attributes' timestamps. However, evidence of such activity could be found in the $LogFile. Later, in the next version (v1006), I added support for writing the $FILE_NAME timestamps directly to the physical disk, eliminating the need to move the file around to set $FILE_NAME timestamps.

Q&A
Q1 Is it possible to change the date/time of a file in the $MFT without leaving traces?
A1 Yes.
Q2 Do ALL tools leave NO traces of date/time alteration?
A2 No.
Q3 If I can find no traces of alterations, does it mean that the date/time has not been changed?
A3 No.

jaclaz
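The cross-check jaclaz describes (one $STANDARD_INFORMATION set that user-mode APIs can rewrite, one or more $FILE_NAME sets that those APIs do not touch) is what an examiner actually runs over the $MFT. The Python below is an added example, not jaclaz's code and not SetMACE or timestomp: it builds a constructed 1024-byte FILE record with the update sequence fixups applied as they would be on disk, parses it back (verifying the fixups, walking the resident attributes, decoding the FILETIMEs), and reports two indicators, $SI created earlier than $FN created, and all four $SI values landing on whole seconds, plus a weaker note when $SI and $FN created simply differ. The record geometry (1024-byte records, 512-byte sectors, resident attributes only), the file name `notes.txt`, the record number and the sample timestamps are assumptions of the example; the dates are the thread's 1/10/2015 real creation and 14/11/2015 fake value.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR, RECORD = 512, 1024                     # assumed geometry: 1024-byte FILE records
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_dt(ft):                        # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):                        # integer timedelta division: no float rounding
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def _attr(atype, content):
    """Resident, unnamed attribute: 24-byte header then content padded to 8 bytes."""
    body = content + b"\0" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0,
                       len(content), 24, 0, 0) + body

def build_record(si_times, fn_times, name="notes.txt", record_no=42):
    """Constructed FILE record with one $SI and one $FN, USN fixups applied as on disk."""
    si = _attr(ATTR_STANDARD_INFORMATION, struct.pack("<QQQQIIII", *si_times, 0x20, 0, 0, 0))
    fn = _attr(ATTR_FILE_NAME, struct.pack("<QQQQQQQIIBB", 5, *fn_times, 0, 0, 0x20, 0,
                                           len(name), 1) + name.encode("utf-16-le"))
    usa_count = RECORD // SECTOR + 1           # USN word plus one saved word per sector
    first_attr = 0x30 + 2 * usa_count
    first_attr += -first_attr % 8
    body = si + fn + struct.pack("<I", ATTR_END) + b"\0" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, usa_count, 0, 1, 1, first_attr,
                      1, first_attr + len(body), RECORD, 0, 3, 0, record_no)
    rec = bytearray(RECORD)
    rec[:len(hdr)] = hdr
    rec[first_attr:first_attr + len(body)] = body
    usn, usa = b"\xab\xcd", bytearray(b"\xab\xcd")
    for s in range(RECORD // SECTOR):          # save each sector's last word, stamp the USN
        end = (s + 1) * SECTOR
        usa += rec[end - 2:end]
        rec[end - 2:end] = usn
    rec[0x30:0x30 + len(usa)] = usa
    return bytes(rec)

def apply_fixups(raw):
    """Undo the update sequence array; a USN mismatch means a torn or corrupt record."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    rec = bytearray(raw)
    for s in range(usa_count - 1):
        end = (s + 1) * SECTOR
        if rec[end - 2:end] != raw[usa_off:usa_off + 2]:
            raise ValueError("USN mismatch in sector %d" % s)
        rec[end - 2:end] = raw[usa_off + 2 + 2 * s:usa_off + 4 + 2 * s]
    return bytes(rec)

def parse_record(raw):
    """Return the record number, the four $SI timestamps and every $FN (name, timestamps)."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "si": None, "fn": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                  # resident attribute: content follows header
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                out["si"] = list(struct.unpack_from("<QQQQ", content))
            elif atype == ATTR_FILE_NAME:
                nlen = content[64]
                out["fn"].append((content[66:66 + 2 * nlen].decode("utf-16-le"),
                                  list(struct.unpack_from("<QQQQ", content, 8))))
        off += alen
    return out

def analyze(raw):
    """Indicators that $SI was altered apart from $FN; an empty list proves nothing (A3)."""
    rec = parse_record(raw)
    si, findings = rec["si"], []
    if si is None or not rec["fn"]:
        return ["record lacks $STANDARD_INFORMATION or $FILE_NAME"]
    if all(t % 10_000_000 == 0 for t in si):   # ordinary file activity leaves non-zero 100 ns ticks
        findings.append("all $SI timestamps are whole seconds")
    for name, fn in rec["fn"]:
        if si[0] < fn[0]:
            findings.append("$SI created %s predates $FN created %s for %r"
                            % (filetime_to_dt(si[0]), filetime_to_dt(fn[0]), name))
        elif si[0] != fn[0]:
            findings.append("$SI created differs from $FN created for %r; "
                            "check $LogFile for a move or rename" % name)
    return findings

# Constructed samples, not from any real volume: REAL is the genuine 1/10/2015 creation
# time with a 100 ns fraction, FAKE the forward-dated 14/11/2015 value from the thread.
REAL = dt_to_filetime(datetime(2015, 10, 1, 9, 15, 30, tzinfo=timezone.utc)) + 1234567
FAKE = dt_to_filetime(datetime(2015, 11, 14, tzinfo=timezone.utc))
CLEAN = build_record([REAL] * 4, [REAL] * 4)        # both attribute sets agree
STOMPED = build_record([FAKE] * 4, [REAL] * 4)      # only $SI changed, $FN untouched
BACKDATED = build_record([dt_to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))] * 4,
                         [REAL] * 4)                # $SI pushed before the real creation
```

Run `analyze()` over records read from a raw `$MFT` dump (each 1024-byte slice starting with `FILE`). The forward-dated case from the thread does not trip the "$SI predates $FN" rule, only the whole-second rule and the mismatch note, which is the practical meaning of jaclaz's A2 and A3: a clumsy tool leaves the $FN set and the sub-second ticks behind as evidence, a careful one that rewrites both sets with plausible ticks leaves nothing here, and the next place to look is $LogFile.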

