What is the Modified date telling me...?  

4Rensics
(@4rensics)
Active Member

OK, I know this sounds like a troll question, but it's not, please hear me out and if possible help me understand why!

I have a Cellebrite download of an iPhone, and it's recovered a load of documents. The documents are marked as live, not deleted. However, I only have a 'Modified Date' on them. Which is fine, in theory. However, more of these docs are known and they are quite old and have been going around for a while. But the modified date is recent, only a few months ago.

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Is it a Cellebrite issue? Could I almost use it as an accessed date (which would make sense!) (obvs I can't) any ideas much appreciated.

Thanks,
4R

Posted : 26/10/2017 8:14 am
jaclaz
(@jaclaz)
Community Legend

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Is it a Cellebrite issue? Could I almost use it as an accessed date (which would make sense!) (obvs I can't) any ideas much appreciated.

Could it be a restore of a backup (from iCloud or *whatever*)? (or however a "fresh" copy)

Do *all* files on the filesystem have the same (or similar) metadata?

Or this happens only for a subset of them? (like all "documents", or all .pdf's, etc.)

Or only to a subset of .pdf's?

jaclaz

Posted : 26/10/2017 8:29 am
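The question above ("do all files have the same or similar metadata, or only a subset?") is a triage step that can be scripted once the extraction has been exported as a filesystem tree. The script below is an added example and is not from the thread or from any Cellebrite tooling: it walks a directory tree, buckets every file by its modification time (per minute or per day), and flags buckets holding a large share of all files, which is the pattern a bulk restore or a single app-cache rebuild leaves. The directory layout and timestamps are constructed for the demo; the QuickViewPDF tmp path is only modelled after the thread's description, not taken from a real device.

```python
"""Cluster file modification times across an extracted filesystem tree.

Added example (not from the thread). A restore from backup, or an app
rebuilding its cache, typically rewrites many files in one go, so their
mtimes land on the same minute or day. Counting files per bucket makes
that cluster visible and shows whether it is filesystem-wide or confined
to one directory. Paths and times below are constructed for the demo.
"""
import os
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone


def mtime_clusters(root, granularity="%Y-%m-%d %H:%M"):
    """Walk `root`; return ({bucket: count}, {bucket: [relative paths]}).

    `granularity` is a strftime format; use "%Y-%m-%d" for per-day buckets.
    Times are rendered in UTC so results do not depend on the host's zone.
    """
    counts = Counter()
    members = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks in evidence
            stamp = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            bucket = stamp.strftime(granularity)
            counts[bucket] += 1
            members[bucket].append(os.path.relpath(path, root))
    return counts, members


def suspicious_buckets(counts, threshold=0.5):
    """Buckets holding at least `threshold` of all files (default: half).

    Organically used devices spread mtimes over many buckets; one bucket
    with half the files is worth explaining before anything else.
    """
    total = sum(counts.values())
    return [b for b, n in counts.items() if total and n / total >= threshold]


def build_demo_tree():
    """Create a constructed tree: three viewer-cache PDFs sharing one recent
    mtime, plus two unrelated files with older timestamps. Returns the root."""
    root = tempfile.mkdtemp(prefix="fs_demo_")
    layout = {  # constructed paths and times, not real evidence
        "tmp/QuickViewPDF/a.pdf": "2017-08-14 10:03",
        "tmp/QuickViewPDF/b.pdf": "2017-08-14 10:03",
        "tmp/QuickViewPDF/c.pdf": "2017-08-14 10:03",
        "Library/Notes/notes.sqlite": "2016-02-01 08:00",
        "Media/DCIM/100APPLE/IMG_0001.JPG": "2015-11-30 17:45",
    }
    for rel, when in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"%PDF-1.4\n" if rel.endswith(".pdf") else b"x")
        ts = (datetime.strptime(when, "%Y-%m-%d %H:%M")
              .replace(tzinfo=timezone.utc).timestamp())
        os.utime(path, (ts, ts))  # set atime and mtime explicitly
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    counts, members = mtime_clusters(root)
    for bucket, n in counts.most_common():
        print(f"{bucket}  {n} file(s)")
        for p in members[bucket]:
            print("    ", p)
    print("suspicious:", suspicious_buckets(counts))
```

Run it against the exported tree instead of the demo directory, first per day and then per minute: a cluster that spans the whole filesystem points at a restore, one confined to a single app's tmp directory points at that app.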
4Rensics
(@4rensics)
Active Member

I like the idea of a backup/restore. There is another, older iPhone from this job!

I've delved a little deeper and it appears they are all in a tmp folder for QuickViewPDF. I wonder if it's something to do with this viewer? They are not actually downloaded to the handset by the user, but saved by this viewer for reading live, so maybe a created/accessed date is not actually populated since they are not getting "saved" to the handset (albeit in a tmp folder)

Could this modified date be the viewer doing something to the PDF to make it viewable live? (Just a loose theory)

Posted : 26/10/2017 9:30 am
Bunnysniper
(@bunnysniper)
Active Member

Could this modified date be the viewer doing something to the PDF to make it viewable live? (Just a loose theory)

Test it! Digital Forensics is a science. Fetch an iPhone, install the app in the appropriate version and test it. Once you have the facts, you can present them in court. And yes, in theory and practice a lot of apps are modifying timestamps.

best regards,
Robin

Posted : 26/10/2017 12:47 pm
athulin
(@athulin)
Community Legend

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Most probably because the file (i.e. the file system entity to which the Modified Date information applies) really has changed. But I don't think you can say anything about who or what changed the file contents, or the time stamp (or whatever else the relevant file system – HFS+? – causes to trigger the time stamp update.)

First: Is it unusual to see only Modified Date? Not knowing Cellebrite, I can't be sure, but if you don't see all HFS/HFS+ time stamps, I would suspect something to be wrong. Perhaps in configuration of extracted data, perhaps somewhere else. But you should have an explanation for it.

Next: Are resource fork/data fork semantics still used on iOS?

Finally: As these apparently were copies of downloaded files per your later posting … can you compare the files you found on the device to their originals?

But that's just me guessing – iOS expertise and possibly Cellebrite is required for this.

Posted : 26/10/2017 3:31 pm
athulin
(@athulin)
Community Legend

I've delved a little deeper and it appears they are all in a tmp folder for QuickViewPDF. I wonder if its something to do with this viewer? They are not actually downloaded to the handset by the user, but saved by this viewer for reading live, so maybe a created/accessed date is not actually populated since they are not getting "saved" to the handset (albeit in a tmp folder)

Is that consistent with normal behaviour of iOS or QuickViewPDF? That created/access doesn't get populated because a viewer app wrote them, whereas other apps would cause time stamps to be set.

It sounds a bit odd to me, I'm afraid.

However, as the files seem to be cached copies or work copies belonging to a particular app, the question is probably about what that app does when it is used. Does it add attributes at the end of the file 'last page read 12'? Or something like that? If it does, the time stamp is likely to reflect the operation of that app … provided that it can be verified that it actually does do something like that.

Comparing work area copies with originals (perhaps found elsewhere on the device) seems to be highly desirable.

Posted : 26/10/2017 3:39 pm
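The two suggestions above, compare the work-area copies with their originals, and check whether the app "adds attributes at the end of the file", can be tested directly on the bytes. The script below is an added example, not code from the thread or from any viewer app: a PDF writer that records per-document state without rewriting the file does so as an incremental update (new objects, a new xref section and a trailer with /Prev appended after the original %%EOF), which leaves the original bytes intact as a prefix. So the comparison is: identical hashes? if not, is the original a byte-prefix of the copy, and what was appended? How many %%EOF markers does each file carry? Both PDFs are constructed in the script; the "/LastPage" key in the appended object is an invented placeholder for whatever a real viewer might write, not a known QuickViewPDF behaviour.

```python
"""Compare an app's cached copy of a PDF with the original it was made from.

Added example (not from the thread). Classifies the copy as identical,
as the original plus appended data (the incremental-update pattern), or
as rewritten, and counts %%EOF markers, since a single-revision PDF has
exactly one and every incremental update adds another. Both PDFs are
constructed here; the /LastPage key is an invented placeholder.
"""
import hashlib
import re

EOF_MARK = re.compile(rb"%%EOF")
STARTXREF = re.compile(rb"startxref\s+(\d+)")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def count_eof_markers(data):
    """Number of %%EOF markers in the file."""
    return len(EOF_MARK.findall(data))


def compare_copy(original, copy):
    """Describe how `copy` relates to `original` at the byte level."""
    result = {
        "sha256_original": sha256(original),
        "sha256_copy": sha256(copy),
        "eof_original": count_eof_markers(original),
        "eof_copy": count_eof_markers(copy),
        "appended": b"",
    }
    if original == copy:
        result["verdict"] = "identical"
    elif copy.startswith(original):
        result["verdict"] = "original plus appended data"
        result["appended"] = copy[len(original):]
    else:
        n = min(len(original), len(copy))
        result["verdict"] = "rewritten"
        result["first_diff_offset"] = next(
            (i for i in range(n) if original[i] != copy[i]), n)
    return result


def build_min_pdf():
    """Constructed single-revision PDF with correct xref offsets."""
    header = b"%PDF-1.4\n"
    obj1 = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    obj2 = b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    off1 = len(header)
    off2 = off1 + len(obj1)
    xref_off = off2 + len(obj2)
    xref = (b"xref\n0 3\n0000000000 65535 f \n"
            + b"%010d 00000 n \n" % off1
            + b"%010d 00000 n \n" % off2)
    trailer = (b"trailer\n<< /Size 3 /Root 1 0 R >>\n"
               b"startxref\n%d\n%%%%EOF\n" % xref_off)
    return header + obj1 + obj2 + xref + trailer


def append_incremental_update(pdf, new_obj=b"3 0 obj\n<< /LastPage 12 >>\nendobj\n"):
    """Append one new object plus its xref section and a /Prev trailer,
    the way a PDF writer saves state without rewriting the document."""
    prev_xref = int(STARTXREF.findall(pdf)[-1])  # most recent xref offset
    obj_off = len(pdf)
    xref_off = obj_off + len(new_obj)
    xref = (b"xref\n0 1\n0000000000 65535 f \n"
            b"3 1\n%010d 00000 n \n" % obj_off)
    trailer = (b"trailer\n<< /Size 4 /Root 1 0 R /Prev %d >>\n"
               b"startxref\n%d\n%%%%EOF\n" % (prev_xref, xref_off))
    return pdf + new_obj + xref + trailer


if __name__ == "__main__":
    original = build_min_pdf()
    cached = append_incremental_update(original)
    report = compare_copy(original, cached)
    for key, value in report.items():
        print(f"{key:>16}: {value!r}")
```

Against real evidence, feed the bytes of the device copy and of an independently obtained original into compare_copy; a verdict of "original plus appended data" with an extra %%EOF is consistent with the viewer writing to the file, while "rewritten" means the file was regenerated and the hash comparison alone says nothing about who did it.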