Computer Forensics World :: View topic - How to determine if File Creation Date is correct

bgrazier
Newbie


Joined: Jun 07, 2006
Posts: 1

Posted: Wed Jun 07, 2006 5:39 pm    Post subject: How to determine if File Creation Date is correct

Is it possible to determine if a file creation date is correct, or at the very least plausible? Clearly one may change their system date/time, create a file on this "incorrect date", and then change their system date/time back afterwards. In this instance the file creation date will be this "incorrect date". However, I am hoping there may be a way to prove whether (and when) such a system date change took place, or determine through FAT analysis that the sequence of FAT entries in which the subject file was first saved proves that the file creation date is not plausible (for example, 10 files created on 1/1/06 followed by the subject file "created on" 1/1/05, followed by 10 files created on 1/2/06 might suggest that the actual creation date of the subject file was NOT 1/1/05, but rather 1/1/06 or 1/2/06). Any ideas/suggestions/references/tools would be greatly appreciated. -BG
Prickaerts
Newbie


Joined: Jan 03, 2006
Posts: 255
Location: The Netherlands

Posted: Thu Jun 15, 2006 6:53 pm

Hi B,

One of the first things we do is find evidence of (regular) time-sync activity.

When some documents are created/opened, .LNK files are created. The timestamps of these files should correspond with the file you are researching (if a corresponding .LNK file is present).

Also, depending on the file type, it is possible metadata can shed some light on the creation date/time.

It is hard to spot manual time changes. If someone wants to trick a forensic investigator it is certainly possible.

Cheers,

Chris
andy1500mac
Newbie


Joined: Aug 20, 2005
Posts: 2

Posted: Mon Jun 19, 2006 10:41 am

You might also find some information in the userassist registry key.

If you suspect the person has changed the time using the date and time CPL (either in the control panel or bottom right of the taskbar) you can try and correlate the Windows 64-bit time stamp for the userassist entry (try using decode.exe from Digital Detectives) and hope it matches up around the times you think the person may have changed the files.

If for example you change your date from June 2006 to June 2000 and then change it back... from what I have seen the last userassist entry date (timestamp wise) is the June 2000 one. Nothing definitive, and you may want to test this yourself a number of ways as I have just run some basics...

I can't remember if there is a prefetch entry as well (I did a quick time change and nothing showed up) so...

Hope it helps:

Userassist value for date and time (cpl) is: HRZR_EHAPCY:gvzrqngr.pcy
The second eight bytes are your 64-bit time stamp.

All this assuming you are using XP…

Hope it helps.
nitinchfi
Newbie


Joined: Nov 13, 2005
Posts: 41
Location: INDIA

Posted: Tue Jul 31, 2007 3:17 am

andy1500mac wrote:
You might also find some information in the userassist registry key.

If you suspect the person has changed the time using the date and time CPL (either in the control panel or bottom right of the taskbar) you can try and correlate the Windows 64-bit time stamp for the userassist entry (try using decode.exe from Digital Detectives) and hope it matches up around the times you think the person may have changed the files.

If for example you change your date from June 2006 to June 2000 and then change it back... from what I have seen the last userassist entry date (timestamp wise) is the June 2000 one. Nothing definitive, and you may want to test this yourself a number of ways as I have just run some basics...

I can't remember if there is a prefetch entry as well (I did a quick time change and nothing showed up) so...

Hope it helps:

Userassist value for date and time (cpl) is: HRZR_EHAPCY:gvzrqngr.pcy
The second eight bytes are your 64-bit time stamp.

All this assuming you are using XP…

Hope it helps.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}\Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

The keys you will find are encrypted in an old fashion called ROT13 encryption, which is basically character shifting by 13.

Google for more info on ROT13.

Also, there are many C, Perl and PHP scripts to get you the decrypted values.

Hope this helps
_________________
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
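As an added example that is not part of this thread, the following Python script does by hand what the replies above describe: it undoes the ROT13 on a UserAssist value name and pulls the run count and the 64-bit FILETIME (the "second eight bytes") out of a Count value. It assumes the XP-era 16-byte value layout (4-byte session id, 4-byte count, 8-byte FILETIME); the sample bytes are constructed for offline use, not read from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_userassist_name(name: str) -> str:
    """Undo the ROT13 obfuscation applied to UserAssist value names."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_value(data: bytes) -> dict:
    """Parse an XP-era UserAssist Count value (assumed 16-byte layout).

    Little-endian: 4-byte session id, 4-byte run count, then the 8-byte
    FILETIME of the last run, i.e. the 'second eight bytes' in the thread.
    A zero FILETIME means the entry was never timestamped.
    """
    if len(data) < 16:
        raise ValueError("UserAssist value too short: %d bytes" % len(data))
    session, count, filetime = struct.unpack("<IIQ", data[:16])
    return {
        "session": session,
        "count": count,
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def build_sample_value(count: int, when: datetime) -> bytes:
    """Constructed sample data for offline testing (not from a real hive)."""
    # Integer floor division keeps the tick count exact for large values.
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<IIQ", 0, count, ticks)


if __name__ == "__main__":
    name = "HRZR_EHAPCY:gvzrqngr.pcy"  # value name quoted in the thread
    when = datetime(2000, 6, 1, 9, 30, tzinfo=timezone.utc)  # constructed
    info = parse_userassist_value(build_sample_value(3, when))
    print(decode_userassist_name(name), info["count"], info["last_run"])
```

Comparing the decoded last-run time of timedate.cpl against the file timestamps in question is the correlation the replies suggest; a last-run time that sits inside the suspect period is a lead, not proof.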
saxon68
Newbie


Joined: Feb 15, 2007
Posts: 13

Posted: Thu Aug 02, 2007 6:59 am

Also another kinda silly way of checking, but if you have files that are "older" than the ones put on the machine when windows was installed, could that indicate a bit of mucking with the time system?
ddow
Newbie


Joined: Jul 19, 2006
Posts: 460

Posted: Thu Aug 02, 2007 9:35 am

Unless they were zipped on another system at the creation date indicated and then unzipped.
RobertR
Newbie


Joined: Jun 04, 2007
Posts: 149
Location: Arizona

Posted: Tue Aug 07, 2007 6:15 am    Post subject: Time Shifting

You could also look to see if there was Internet-related activity at the same time... things like e-mails or web browsing... look at the e-mail headers and/or index.dat entries, and the times should be in UTC... E-mail hops in e-mail headers will always show the time stamp of the MTA when it hits it... kind of telling when the hops before it hits your client show times that it sent the mail several months or years after your suspect computer received it.
slackspace
Newbie


Joined: Jun 20, 2006
Posts: 3

Posted: Tue Aug 07, 2007 8:16 am

I also look over the .evt logs to see if there are abnormalities as well as the windowsupdate.log. There are too many tracks to cover if they were to change date/times on the machine.
next483
Newbie


Joined: Nov 30, 2016
Posts: 1

Posted: Wed Nov 30, 2016 10:08 pm

Thanks for the useful information! Your advice helped me!
athulin
Newbie


Joined: Oct 19, 2007
Posts: 238

Posted: Thu Dec 01, 2016 6:12 am

saxon68 wrote:
Also another kinda silly way of checking, but if you have files that are "older" than the ones put on the machine when windows was installed, could that indicate a bit of mucking with the time system?


It could. But just as files 'created' during a period when a computer was known to be turned off, it is often files that have been installed (or restored) along with their original time stamps. Windows Update does that for example.

Deeper analysis is needed to decide what has actually taken place.