Audio File Creation...
 
Notifications
Clear all

Audio File Creation Date is wrong  

  RSS
artshocx
(@artshocx)
New Member

i subpoenaed and received an audio file of a recorded hearing, however the creation date has changed. these folks should know better. i know they keep all active original audio files and must maintain them for a specified time period etc. and the subpoena specifies original, uncompressed, unaltered file, etc. has anyone run into this? i'm sure that it was simply ignorance, but i'm not sure what to tell them to do to keep that information in tact? in my experience, simply dragging the file onto a CD-RW wouldn't necessarily change a creation date, but i am not an expert on whether that might not be true of some burners, etc. it seems likely that they converted the original to mp3 and that's why the date changed. does anyone know? is there some standard that audio forensics follow to ensure chain of custody, at least as much as humanly possible? thanks.

Quote
Posted : 24/09/2012 9:38 pm
jhup
 jhup
(@jhup)
Community Legend

is this a third party that is not direct party, other than providing the audio, to the case?

ReplyQuote
Posted : 24/09/2012 10:59 pm
artshocx
(@artshocx)
New Member

is this a third party that is not direct party, other than providing the audio, to the case?

hello and thanks for your response. The party that provided the file, is the agency responsible for holding the hearing and recording the original file. as i said, i think they probably just didn't know. i'm just figuring out how to best explain to them a procedure that will protect the create date. it is my understanding that simply copying a file from one place to the next shouldn't do this, but they burned the file to a disk and i think that might be the issue. i believe if they knew how they probably would attempt to comply maybe, but i don't know what to tell them. thanks.

ReplyQuote
Posted : 24/09/2012 11:49 pm
artshocx
(@artshocx)
New Member

Does anyone know how to do this on a PC? i work on a mac, so i do not have a PC to test this one. would it work if they zipped the file and then burned it? thanks.

ReplyQuote
Posted : 26/09/2012 10:04 pm
mscotgrove
(@mscotgrove)
Senior Member

Often by looking at the CD (start at sector 0x10) it is possible to have a good guess at the application that wrote the CD. You can then try and emulate the process and see what happens

ReplyQuote
Posted : 26/09/2012 10:54 pm
artshocx
(@artshocx)
New Member

thanks, but at this point i'm just trying to explain to a client who is using a PC how to get me the file in a way that doesn't change that date and protects the integrity of the evidence. do you think zipping the file inside a folder might do it? thanks.

ReplyQuote
Posted : 26/09/2012 11:19 pm
mscotgrove
(@mscotgrove)
Senior Member

Zip might well help

Can your 'customer' give you the hash value of the file - this will prove that no content has or has not been changed.

What does the customer think the date and time is. Some programs (eg Wordpad I think) can change date and time just by opening the file for viewing. It is possible the date and time were 'corrupted' before the CD was burnt

ReplyQuote
Posted : 26/09/2012 11:29 pm
artshocx
(@artshocx)
New Member

unfortunately, the client isn't that tech savvy, which is why they messed it up in the first place. the file is an audio recording of a hearing and they are the officiating agency so they are going to have learn. they have only just begun providing the audio files, for years they were providing transcripts, so… anyway, i was hoping for something as idiot proof as possible, which is why i asked about zipping, i think i could talk them through winzip LOL. thanks.

ReplyQuote
Posted : 26/09/2012 11:41 pm
mscotgrove
(@mscotgrove)
Senior Member

Before you talk them through anything, check what the date of the file on their system is.

Winzip can only preserve what is currnetly there, and not what might have been.

ReplyQuote
Posted : 27/09/2012 1:02 am
eyez0n
(@eyez0n)
Junior Member

Do you know what the original format of the file was as stored on their system? Does it match the format provided to you?

From my experience, some government agencies utilize commercial recording systems that store files in proprietary format and to provide a recording to a requester, they have to export to a commonly used format (e.g., mp3). Doing so would obviously result in an .mp3 file with a creation date after that of the original.

ReplyQuote
Posted : 27/09/2012 1:15 am
erowe
(@erowe)
Active Member

Sending them a copy of FTK imager and walking them through it on the phone might work. FTK imager is pretty intuitive so with any luck they won't have problems following directions. That way you'll get the right time stamps as well as a hash. (Also next time they will know how to do it with any luck.)

ReplyQuote
Posted : 27/09/2012 8:09 pm
Share: