Timestamp confusion in Shellbag analysis

General (Technical, Procedural, Software, Hardware etc.)

Last Post by jinux 11 years ago

1 Posts

1 Users

0 Reactions

583 Views

RSS

jinux

(@jinux)

New Member

Joined: 11 years ago

Posts: 1

Topic starter 14/02/2014 11:43 pm

In my recent investigation, I tried to run TZWorks sbag on the hive files extracted from an HDD image, to find the evidence that files were copied from HDD to external USB drive. I did find the similar directory structure on external USB drive in sbag output. But the MAC timestamps of these items really confused me.

Here is one of the directories,
regdate reg-UTC 01/21/2014 163507.224 mdate time-UTC 01/16/2014 074424 adate time-UTC 01/19/2014 062216 cdate time-UTC 01/19/2014 062218 type dir full path Desktop\{CLSID_MyComputer}\D\abc.Archive\xyz\
where the MAC timestamps of directory D\abc.Archive\xyz\ are,
Modified 01/16/2014 074424 Accessed 01/19/2014 062216 Created 01/19/2014 062218
The modified timestamp is exactly the same as the directory, of the same name, on the HDD.

I assume the filesystem of this USB drive is NTFS, since the accessed time is not 120000. According to http//support.microsoft.com/kb/299648, if this directory was copied from HDD to USB drive, all 3 timestamps should be updated. I am confused that, under what kind of scenario, a directory's MAC timestamp could be like this.

Quote

8 Forums
15.7 K Topics
92.3 K Posts
262 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed