Hi All,
I am currently doing a forensic project, but struggling with the time stamps on the Lost Files found.
I have found 50 pictures or so, which are vital to the investigation. The problem I have is that the Last Written date is before the operating system was actually installed:
Name: pic01.jpg
Signature Analysis: Match
Last Accessed / Entry Modified: 11/12/09 083726
File Created: 11/12/09 083726
Last Written: 08/11/09 112838
MD5: a003a6d4fe290c9dfec624bc85714357
I was hoping that the files had been introduced through a USB, as I have found the exact files on the user's USB; however, the last connected time stamps for the USBs are different to the file created date - no USB was plugged in on 11/12/09.
Is it possible that the Last Written date could have been copied with the file? The registry shows that the PC was installed on 20/11/09.
If anyone could clear up the dates and what they mean, or give a link to a resource to help me understand exactly what this information means, I'd be very grateful!
Thanks
Kirby-11
Hi,
I suggest you take a look at the event log timeline, and the MACE time attributes of system files like $Boot, $MFT, etc. They should be the same as the OS installed date. As to the time stamps of those pics, you could dump the $MFT entries of those pics to check their time stamps. Actually there are two kinds of time stamp attributes in $MFT: one is standard_info, and the other is filename_info. You could take a look to see what happened to those pics. The Entry Modified time is critical. Even if you could use tools like "timestomp" to change it, you could not change both time stamp attributes, standard_info and filename_info.
Rick
I am currently doing a forensic project, but struggling with the time stamps on the Lost Files found.
What kind of file system are you looking at?
What tool have you been using to establish a set of 'Lost Files'?
The problem I have is that the Last Written date is before the operating system was actually installed
Go on. Fill in the blanks. Why do you have a problem with that? What research or other foundation are you using to establish that that is a problem?
Is it possible that the Last Written date could have been copied with the file? The registry shows that the PC was installed on 20/11/09.
Registry … so probably Windows and NTFS. OK.
If anyone could clear up the dates and what they mean, or give a link to a resource to help me understand exactly what this information means,
Today I don't feel very much like helping anyone. I can only wonder why you are analyzing timestamps when you don't seem to know anything about them. I hope it's not a real case, but for educational purpose. In which case you should have a teacher or tutor.
Well …
If you want to read one of the basic texts on NTFS timestamps, look for Chow et al. The Rules of Times on NTFS File System. IEEE Second International Workshop on Systematic Approaches to Digital Forensic Engineering, 2007, p. 71-85 (ISBN 0-7695-2808-2). You can find it on the net as a PDF document.
Note I don't say it is definitive – there is much more to learn and much more to research. Nor is it particularly easy reading. But it's a place to start.
(For your first problem, on dates prior to the installation date of the operating system, you may wish to consider what an installation of a Windows OS on top of an older version does, for example installing Windows 7 over an older installation of Windows XP. Or perhaps even a reinstallation of the same OS. Is the OS install date changed? Are the time stamps of already existing files modified? Until you know for certain, you cannot draw any conclusions.)
When a file 'appears' on a file system, the OS must put data in all the timestamp slots.
The question is, for Last Written, does the OS simply make one up? Does it use the current time when the file 'appears'? Does it copy over the timestamp from the file system the file is being copied or moved from?
Various scenarios such as this produce different results for the timestamps - you'll need to test the scenarios so that you can discount the ones that don't produce the observed behaviour.
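As an added illustration (not code from any poster in this thread) of the two comparisons Rick and the last reply describe: it parses the four MACE FILETIMEs out of the resident bodies of $STANDARD_INFORMATION and $FILE_NAME as dumped from $MFT (attribute headers already stripped), then compares the two sets. The fixture reproduces the entry quoted by the original poster, assuming the dates are DD/MM/YY in 2009 and UTC; the 100 ns remainders, the OS install time and the timestomped variant in the test are constructed, and the checks are heuristics to investigate, not proof.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt, ticks=0):
    """Inverse of filetime_to_dt; 'ticks' adds a sub-second 100 ns remainder."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10 + ticks

def parse_times(body, offset):
    """Read four little-endian FILETIMEs in on-disk order: created, modified, MFT modified, accessed."""
    c, m, e, a = struct.unpack_from("<4Q", body, offset)
    return {"created": c, "modified": m, "mft_modified": e, "accessed": a}

def parse_standard_information(body):
    return parse_times(body, 0)   # $STANDARD_INFORMATION: the four times are the first 32 bytes

def parse_file_name(body):
    return parse_times(body, 8)   # $FILE_NAME: 8-byte parent directory reference, then the four times

def assess(si, fn, os_install_ft=None):
    """Compare the two timestamp sets and return the observations worth following up."""
    findings = []
    # Created, entry modified and $FN created share one instant while last written is older:
    # the pattern of a file copied onto this volume, which keeps the source's last-written time.
    if si["modified"] < si["created"] and si["created"] == si["mft_modified"] == fn["created"]:
        findings.append("copy_pattern")
    # $FN created is set by the kernel when the entry is made; an older $SI created time
    # means the $SI times were set explicitly after the fact.
    if si["created"] < fn["created"]:
        findings.append("si_created_before_fn_created")
    # $SI times on whole seconds while $FN keeps 100 ns remainders is typical of utilities
    # that set timestamps with one-second resolution.
    if any(v % 10_000_000 == 0 for v in si.values()) and all(v % 10_000_000 for v in fn.values()):
        findings.append("si_whole_second_precision")
    if os_install_ft is not None and si["modified"] < os_install_ft:
        findings.append("last_written_before_os_install")
    return findings

# Constructed fixture from the entry quoted in the thread (dates read as DD/MM/YY, 2009, UTC):
# created and entry modified 11 Dec 2009 08:37:26, last written 8 Nov 2009 11:28:38,
# OS install 20 Nov 2009. The 100 ns remainders are invented; real dumps carry them.
COPY_TIME = dt_to_filetime(datetime(2009, 12, 11, 8, 37, 26, tzinfo=timezone.utc), 4821337)
LAST_WRITTEN = dt_to_filetime(datetime(2009, 11, 8, 11, 28, 38, tzinfo=timezone.utc), 1190052)
OS_INSTALL = dt_to_filetime(datetime(2009, 11, 20, tzinfo=timezone.utc))
SI_BODY = struct.pack("<4Q", COPY_TIME, LAST_WRITTEN, COPY_TIME, COPY_TIME) + bytes(16)  # rest zeroed
FN_BODY = bytes(8) + struct.pack("<4Q", COPY_TIME, COPY_TIME, COPY_TIME, COPY_TIME)     # times only
```

Running assess(parse_standard_information(SI_BODY), parse_file_name(FN_BODY), OS_INSTALL) on the fixture reports the copy pattern together with the pre-install Last Written time, which is the combination the original post asks about.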