Hello everybody, today i noticed something strange in a file MAC information from a disk image i was analyzing.
the thing that i noticed is that for one file (a jpg file) on the hard disk image, the last modification date appears to be prior to the creation date..
wich somehow is weird.
the filesystem is NTFS and the image is genuine the hash matches the original so no problems accured during the acquisition.
how can a thing like that be explained?
thnx in advice.
Is it possible that the pic was modified in another machine and then copy to the machine you image?
Scenario
The original pic was created on Machine A, modified then copy to Machine B.
Therefore the creation date for the pic in Machine B is after the modified date on Machine A.
Blue dragon is correct - it happens on all operating systems
The Modified date is when the file contents were changed
The Creation date is when the file was created on the disk.
It is most common for modified to the same or later than creation, except when a file has been moved between machines.
On a school project I had to examine some images aswell (jpg) and creation data was set on 1609.
The index.dat showed that the image was accessed/visited on a ftp server. Now i'm wondering how this date was set, if you get images from any ftp will creation date always be something like this or has it something to do with internal clock of the ftp server?
It has long been known that the API for modifying file timestamps on Windows systems is open. Given the format of the timestamps (ie, 64-bit FILETIME objects), a value of 0 equates to 1 Jan 1601.
Microsoft maintains information on timestamps given certain actions
http//
Also, keep in mind that Windows systems include the ability to disable updating of last access times on files; this was originally intended as a means for tuning and improving the performance on high-volume file servers, but it has been enabled by default on Vista and beyond.
thnx a lot for the help )