
Re: mactimes

Subject: Re: mactimes
Date: Thu, 11 Nov 2004 20:14:58 +0000 GMT
Any number of programs that copy files will consider the new file to be 
different from the old file, and reset the creation date/time.

EnCase does that when you do a copy from a forensic image. The idea (remember, 
all software is just a bunch of ideas that passed through the heads of 
programmers) is that the forensic analyst understands the value of having a 
date/time stamp that shows the file copy action. Because Last Accessed is not 
strictly true in the case in point, that is, the file's contents weren't 
'accessed', they were 'copied' or 'restored' from an image of a drive, 
presumably some programmer thought 'hey, the creation time should be updated 
here'.

I've seen CD burning software, and copies from CD, produce the same end result.

Regards,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: "Potter, Timothy" <Timothy.F.Potter@pjc.com>
Date: Wed, 10 Nov 2004 10:29:38 
To: forensics@securityfocus.com
Subject: mactimes

If mactimes can easily be modified by a hacker, then would I know, and how
would mactimes be utilized in court?

I have a Microsoft Excel file on a FAT12 floppy disk.
Here are the mactimes:

modified: 9/28/2004 @ 9:12AM CST
accessed: 9/29/2004 @ 4:38PM CST
created: 10/1/2004 @ 1:12 AM

So, how can the created time be later than the last modified time? This
doesn't help in establishing a clear timeline of events. Thanks, -Tim




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
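The pattern discussed in this thread (a creation time later than the last-modified time, consistent with a copy that received a fresh creation stamp) can be checked directly against a FAT directory entry. The following is an added example, not part of the original messages: it decodes the timestamp fields of a 32-byte FAT short directory entry and flags that pattern. The file name, size and function names are invented for illustration; the dates are the ones quoted in the question.

```python
import struct
from datetime import date, datetime

# FAT 32-byte short directory entry, little-endian: name, ext, attr, reserved,
# create 10 ms, create time/date, access date, clus-hi, write time/date, clus-lo, size
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")

def fat_date(v):
    """Bits 15-9 year since 1980, 8-5 month, 4-0 day. None if not a valid date."""
    try:
        return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)
    except ValueError:
        return None  # e.g. 0x0000 where the field was never written

def fat_datetime(d, t, ten_ms=0):
    """Bits 15-11 hour, 10-5 minute, 4-0 seconds/2; local time, no time zone."""
    day = fat_date(d)
    if day is None:
        return None
    try:
        return datetime(day.year, day.month, day.day, t >> 11, (t >> 5) & 0x3F,
                        (t & 0x1F) * 2 + ten_ms // 100)
    except ValueError:
        return None

def parse_entry(raw):
    (name, ext, _attr, _rsv, c_10ms, c_time, c_date, a_date,
     _hi, w_time, w_date, _lo, size) = ENTRY.unpack(raw)
    return {
        "name": name.decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip(),
        "modified": fat_datetime(w_date, w_time),
        "accessed": fat_date(a_date),  # FAT stores a date only for last access
        "created": fat_datetime(c_date, c_time, c_10ms),
        "size": size,
    }

def created_after_modified(entry):
    """True when the contents predate the directory entry, as happens when a
    copy is given a new creation time but keeps the source's modified time."""
    c, m = entry["created"], entry["modified"]
    return c is not None and m is not None and c > m

def enc_date(y, mo, d): return ((y - 1980) << 9) | (mo << 5) | d
def enc_time(h, mi, s): return (h << 11) | (mi << 5) | (s // 2)

# Constructed entry using the dates from the question (name and size invented).
SAMPLE = ENTRY.pack(b"REPORT  ", b"XLS", 0x20, 0, 0, enc_time(1, 12, 0),
                    enc_date(2004, 10, 1), enc_date(2004, 9, 29), 0,
                    enc_time(9, 12, 0), enc_date(2004, 9, 28), 2, 13824)
```

A `True` result only says the entry was created on this volume after the contents were last written; it does not by itself distinguish an ordinary copy from deliberate timestamp changes.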

