Windows Timestamps
shakes
(@shakes)
New Member

I have done some "Google" research and still continuing to do "Google" research on understanding how timestamps work on the different Windows Files Systems. I figured I would make a post just to see if someone could point me in the right direction or has found documentation about this topic already.

What I'm trying to understand

Depending on the action a user does to a file, what effects will it have on the MACB (Modify, Access, Created, and Born) timestamps? For example, a Word document:

*Creating a word document by right-clicking, going to new, Microsoft word document vs opening Microsoft word and saving it.

*Copying or cutting a document within the same Volume.

*Copying or cutting a document within a different Volume.

*renaming that document

*Opening without changing anything within that document

*Opening and changing something in that document.

*deleting that document.

*etc.

Please correct me if I'm wrong, but the MACB timestamp behavior is going to depend on the File System, so FAT, exFAT, and NTFS are all going to record these actions differently? Also, would FAT12 vs FAT16 vs FAT32 have different MACB timestamp behaviors too, or do they all work the same?

I know I could just test them all, but I don't have the resources to do so. I also figured there are probably other factors that I haven't considered or don't even know about, so I'm hoping someone could point me in the right direction so I can further educate myself on this topic.

Any suggestions would be greatly appreciated.

thank you,

Steve

Posted : 08/03/2014 9:11 am
Igor_Michailov
(@igor_michailov)
Senior Member

Did you read the book File System Forensic Analysis by Brian Carrier?
I think this book contains answers to your questions.

Posted : 08/03/2014 10:41 am
twjolson
(@twjolson)
Active Member

File system forensics, as mentioned before. Also, look at some whitepapers by SANS.

But, I take issue with what you say: "I know I could just test them all but I don't have the resource to do so."

The hell you don't. You have a computer, yes? Do you have a thumbdrive? Format it as FAT. Do the various actions you are asking about, and see what happens.

The reason I take issue is that digital forensics is not a learning discipline. You can't just read a book and be a digital investigator. It is a research discipline. You can read every book and whitepaper published, and in every exam, you are going to find something new. What do you do? You can't come running to the forensic community every time. Then what is the point of you? No, you have to research and test. YOU are the one that discovers new things. YOU are the one that expands our field of knowledge.

Think about it. Sure, you can just sit back, and let someone tell you the answer to these questions. But, what if you do the test, and what if you see something that no one has seen before? You are missing the chance to not only learn the most valuable skill in our field (research), but you could be robbing the digital forensics community from a potentially valuable new find. Sure, to you it might be something interesting, but down the road it could mean everything to a case.

Bottom line, if you can do the research and testing for yourself, do it.

Terry

Posted : 08/03/2014 12:05 pm
athulin
(@athulin)
Community Legend

I figured I would make a post just to see if someone could point me in the right direction or has found documentation about this topic already.

Carrier's book on File System Forensics, already mentioned, is required reading. You'll find much of what you ask about there. At the same time, it should not be read uncritically. Things have changed, and new things have been noted since the book was published (2005) – unfortunately, not all of them have been investigated at a level that could be called satisfactory.

Depending on the action a user does to a file, what effects will it have on the MACB (Modify, Access, Created, and Born) timestamps. For example a word document,

In a perfect world, someone would, of course, have formulated how that question is best answered, created a test battery, performed the tests for all significant revisions of the relevant file systems, at all levels of usage, and published them.

This is, however, not a perfect world.

Some, perhaps many, of the questions you ask have been answered in a paper by Chow et al., The Rules of Time on NTFS File System, presented at SADFE 2007, 2nd Intl. Workshop on Systematic Approaches to Digital Forensic Engineering, 2007, and published in the proceedings from that workshop. You can find the paper online if you google for the title. (Other, related papers typically cite that paper, so you can usually find related stuff by checking citation indexes – if you have access to them. Academic libraries almost always do, but public libraries may not have them.)

Please correct me if I'm wrong but the MACB timestamp behavior is going to depend on the File System so FAT, exFAT, and NTFS are all going to record these actions differently?

It is best to assume so. The 'file system', i.e. the software module that does all this time stamping on some particular operating system platform will normally be different for different file systems.

However, as time stamping can usually be done by normal system calls, other software modules may add timestamping behaviour on top of that of the basic file system. In Windows, for example, Windows Shell adds such modifications. Windows Shell is behind much of the GUI experience of Windows.

Also would FAT12 vs FAT16 vs FAT32 have different MACB timestamp behaviors to or do they all work the same?

FATx is usually regarded as one file system with three different on-disk storage formats.

I know I could just test them all but I don't have the resource to do so. I also figured there are probably other factors that I having considered or even know about, …

Most forensic analysts don't have the time, or can't take the time, for such investigations. Time is money, and usually there's another job in the queue that gets precedence.

That's one reason why Carrier's book is so highly regarded.

Posted : 08/03/2014 12:35 pm
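A repeatable version of the "format a thumb drive and try the actions" test that twjolson and athulin describe, as an added example that is not from this thread: it runs a fixed battery of operations in a directory you choose (point it at a FAT- or NTFS-formatted volume to test that file system) and logs which os.stat timestamp fields changed at each step. The step names, file names and the settle pause are my own assumptions; the sample content is constructed.

```python
# Added example, not from the thread: a repeatable MACB test battery.
import os, shutil, tempfile, time
from pathlib import Path
FIELDS = ("mtime", "atime", "ctime", "birth")

def stamps(path):
    """Snapshot the timestamps os.stat exposes for one path.
    st_ctime is metadata-change time on POSIX but creation time on Windows
    before Python 3.12; st_birthtime ("born") exists only where the platform
    reports it (Windows 3.12+, macOS, BSD), so it may be None."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime,
            "birth": getattr(st, "st_birthtime", None)}

def append_bytes(path, data):
    with open(path, "ab") as fh:
        fh.write(data)

def run_battery(workdir, settle=2.1):
    """Run a fixed operation sequence in workdir and log, per step, which
    timestamp fields differ between the object before and after.
    settle: pause before each step so a change is visible even on file
    systems with coarse timestamps (FAT stores modified time in 2 s units).
    Point workdir at a FAT- or NTFS-formatted volume to test that system."""
    workdir = Path(workdir)
    doc, renamed, copied = (workdir / n for n in ("a.txt", "b.txt", "c.txt"))
    log = []

    def step(name, before_path, action, after_path):
        before = stamps(before_path)
        time.sleep(settle)
        action()
        after = stamps(after_path)
        log.append((name, tuple(f for f in FIELDS if before[f] != after[f])))

    doc.write_bytes(b"constructed sample content\n")  # step 0: create
    step("open without change", doc, lambda: doc.read_bytes(), doc)
    step("modify", doc, lambda: append_bytes(doc, b"edit\n"), doc)
    step("rename", doc, lambda: doc.rename(renamed), renamed)
    step("copy (same volume)", renamed, lambda: shutil.copy2(renamed, copied), copied)
    return log

def run_battery_in_tempdir(settle=2.1):
    """Run the battery in the system temp directory (whatever FS backs it)."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_battery(tmp, settle)
if __name__ == "__main__":
    for name, changed in run_battery_in_tempdir():
        print(f"{name:<20} changed: {', '.join(changed) or 'none'}")
```

The copy step uses shutil.copy2, which deliberately carries the source's mtime over to the copy (shutil.copy would not), so the harness records the tool's behaviour, not just the file system's: run it with the exact operation you want to characterise, and keep the script with the results so someone else can repeat the test.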
jaclaz
(@jaclaz)
Community Legend

Also, and NOT what you asked 😯 , since you made an example with a word document, do check this
http://www.forensicfocus.com/Forums/viewtopic/t=10627/
particularly corey_h's "cheatsheets"
http://www.forensicfocus.com/Forums/viewtopic/p=6567238/#6567238

jaclaz

Posted : 08/03/2014 3:37 pm
alangille
(@alangille)
New Member

Testing is always the required element if the date and time stamp is important to an examination. This, however, is a great reference to keep available:

http://digital-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties

Al

Posted : 10/03/2014 3:08 pm
athulin
(@athulin)
Community Legend

This, however, is a great reference to keep available …

That is one of those that I judge unsatisfactory.

1. What do the results apply to? All types of $MFT entries, or only some of them? Only files? Directories?

2. What exactly do the results refer to? Is a File Rename an invocation of the MoveFile() system call? Or of a command at a DOS or PowerShell prompt? Or one or more of the several ways that Windows GUI allows file names to be modified? And what does File Copy refer to – the original object or the copy?

3. And how do I (or anyone else) repeat the tests to verify that the results are correct, or to extend them to other versions of Windows? For example, how was the test platform configured to ensure that only the tester's actions are reflected in the results? Or, how was the testing methodology devised to do the same? As well as remove any so-called 'personal equation' variations, i.e. reliance on how one person tends to perform a particular operation?

It might be used as a starting point (i.e. I can't criticize it as a blog entry) – but it does not seem to be a place to stay (i.e., used as a reference it leaves much to wish for).

The Rules of Time on NTFS does at least try to address some of these questions.

Posted : 10/03/2014 7:07 pm
shakes6791
(@shakes6791)
New Member

Did you read the book File System Forensic Analysis by Brian Carrier?
I think this book contains answers to your questions.

Igor_Michailov, thank you for your reply. As soon as I saw your post I was like, duh. It has been a couple of semesters since I read it; I can't believe I forgot about that book. Thanks again for your reply.

Terry, thank you so much for your feedback. It is one-hundred percent my fault due to the wording of my post and not understanding fully what I wanted to ask before I posted it.

The hell you don't. You have a computer, yes? Do you have a thumbdrive? Format it as FAT. Do the various actions you are asking about, and see what happens. -Terry

I have done this exercise before, at the beginning of my college career, but at the time I really didn't understand the importance of that activity. Now that I am in a class doing nothing but report writing and cases, re-doing this exercise will mean a lot more to me, since there is a more practical element instead of talking about it abstractly in a classroom. I really don't know why I didn't think of this before I posted, but thank you for mentioning it.

I know I could just test them all but I don't have the resources to do so. -Me

I would like to clarify this statement. What I was thinking of was the different OSes and their effect on timestamps. If I am running the same file system on different operating systems, will that have an effect on the timestamp behavior? Does the operating system have an effect on how the file system creates timestamps?

What do you do? You can't come running to the forensic community every time. Then what is the point of you? No, you have to research and test. YOU are the one that discovers new things. YOU are the one that expands our field of knowledge.

Think about it. Sure, you can just sit back, and let someone tell you the answer to these questions. -Terry

I'm sorry if my post sounded like I was asking for an answer. I really didn't want it to sound that way. I was looking for resources such as whitepapers and books so I can better understand what is out there, and more importantly I was looking for ideas and perspectives, like this:

But, what if you do the test, and what if you see something that no one has seen before? You are missing the chance to not only learn the most valuable skill in our field (research), but you could be robbing the digital forensics community from a potentially valuable new find. Sure, to you it might be something interesting, but down the road it could mean everything to a case. -Terry

I can't thank you enough for this. I love it when people give their perspective, especially when their perspective gets me thinking. I have learned a lot from this paragraph and a new way of looking at forensics.

Some, perhaps many, of the questions you ask have been answered in a paper by Chow et al., The Rules of Time on NTFS File System, presented at SADFE 2007, 2nd Intl. Workshop on Systematic Approaches to Digital Forensic Engineering, 2007, and published in the proceedings from that workshop. You can find the paper online if you google for the title. -athulin

Thank you, Athulin, for suggesting them, but sadly I have not gotten the chance to look at them yet, and after I post this I am going to print them out and give them a read. I'm sure they are filled with tons of information and I can't wait to read them. I also thank you for your other comments and I will try to learn and take as much as I can from them.

Also, and NOT what you asked 😯 , since you made an example with a word document, do check this
www.forensicfocus.com/...c/t=10627/
-jaclaz

It is not what I asked, but I love learning about as much as I can. I had the chance to look at the first link and I thank you. This information is very useful; I can't wait to check out the second one.

Testing is always the required element if the date and time stamp is important to an examination. This, however, is a great reference to keep available:

digital-forensics.sans…properties
-Al

This is very useful, thank you.

I want to thank everyone for taking their time out to respond to my question. It is greatly appreciated and I will definitely pay it forward.

Posted : 10/03/2014 7:42 pm