Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Forensic Copy of Files off a CD...

from [Brian May] Network Security [Permanent Link]
Subject: RE: Forensic Copy of Files off a CD...
Date: Mon, 27 Sep 2004 17:32:20 -0700 
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Monday, September 27, 2004 10:39 AM
To: Brian May
Cc: forensics@securityfocus.com
Subject: Re: Forensic Copy of Files off a CD... 

On Fri, 24 Sep 2004 17:31:19 PDT, Brian May said:

I've noticed that when files are cloned off of a CD, the Date Last
Accessed is empty, so when the file is copied to the harddrive,
the Date Last Accessed gets set to the system time.  Out of 
curiosity, how would you handle this?  I've tried to set the 
dates of the file to null or empty, but that fails.  I've tossed
around the idea of just setting the last access date to the date
last modified or created date (whichever is newer).  Thanks in
advance...


"system time" seems as reasonable as anything - while it's on 
the CD, it of course *cant* update the 'last access' time.  
And when you copy it to a hard drive, the 'last access' to 
*THAT* copy is, of course, the write access done
by the copy (at least until you look at it...)

As far as forensics go, pretending that you know *anything* 
about the last access time of a file on a CD would be deceitful
at best - so it's probably *best* that you don't even pretend 
to do a 'fixup' of that field.  If that field is set
to "the time you were doing forensics", then you *know* it's 
a bogus datum as far as forensics go - if you fix up the time
to "3 months, 17 days ago" because that's the "last modified"
date, you're looking at setting yourself up to make errors...


Which is one reason why I asked the question to the list, I'd
rather not taint the data.  I'm still learning the art of forensics
and keeping data forensically sound.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Forensic Copy of Files off a CD..., James Washer
Next by Date:  Re: Forensic Copy of Files off a CD..., KC Ferguson
Previous by Thread:  Re: Forensic Copy of Files off a CD..., Barrie Dempster
Next by Thread:  Re: Forensic Copy of Files off a CD..., Jason Coombs
Indexes:  [Date] [Thread] [Top] [All Lists]