
Re: mactimes - a network question

Subject: Re: mactimes - a network question
Date: 27 Jan 2005 22:40:38 -0000
In-Reply-To: <043401c50467$f6c38b00$6701010a@JASEVO>


The computer on which the files were placed was running Windows 98.  Per your 
recommendation to test my theory, I dug out an old copy of Windows 98 and 
created a destination computer.  When I put files on there from a Windows 2000 
computer (the source computer), the modified/creation times were that of the 
destination computer.  I booted up another computer to run Windows 98.  When 
that computer placed files on the destination computer, the two times were that 
of the source computer! 

[That leaves me with a thought that there is probably some combination where 
the creation time may come from the destination computer and the modified time 
from the source computer] 

In both cases, the modified time was 2 seconds after the creation time, as 
would be normally expected.  That would take into account the network delays. 

So it appears that the -2 seconds difference on the files in question is not 
explained by the network.   

Ken

 



What you ought to do is test your theory.  Set the time on a workstation
with shares to a time slightly behind the time on a machine that is
connected to that share.  Then create and save a file and see what it
does.

Depending on how big a deal this investigation is, you might be better off
going through that process anyway just so that you can testify to
verifying your information.  Whether you need to explain it to a jury or
just a manager or HR people, the more knowledgeable you are about an
issue the better.  Or, the theory could be wrong....you want to know
that too!!

-----Original Message-----
From: K Pugh [mailto:kpughmisc@pughkilleen.com] 
Sent: Thursday, January 27, 2005 1:17 AM
To: forensics@securityfocus.com
Subject: mactimes - a network question


In-Reply-To:
<1169300920-1100204291-cardhu_blackberry.rim.net-11901-@engine67>

I've got a question related to the mactimes discussion. I have searched
the web for an answer to this question, but I have not found anything.


I have a set of files on a hard drive that was produced from a forensic
image (from EnCase I believe).  

In examining these files, the Modified Time is between 2 and 4 seconds
before the Created Time. Other files on the system appear to be normal.
By normal, I mean Modified Times after Creation Times or Creation Times
well after Modified Times, which is an indication of copying from
somewhere else.

Since Windows sets the Created Time when a file is copied, then these
files would have had to be copied within 2 to 8 seconds after they
were created.  This does not seem to make any sense in terms of what the
user was doing at that time on the system. 

Is this difference an artifact of the way EnCase creates a copy?  

The computer in which the hard drive was located was on a network.
There is suspicion that the files were placed on this drive by another
drive on the network.  If another computer placed these files there,
would either the Modified Time or Creation Time be relative to the other
computer?  Or are the times relative to the computer on which they
reside?

Thanks.

Ken
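The triage logic behind Ken's reasoning, as an added example that is not part of the thread: Windows keeps the Modified time on copy but stamps a fresh Created time, so Modified earlier than Created means "copied from elsewhere", and a gap of only a few seconds is the odd case he describes. The file names, timestamps and the 8-second window are constructed assumptions for illustration; `FileTimes.from_path` relies on `st_ctime` being the creation time, which holds on Windows but not on Linux.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileTimes:
    path: str
    created: datetime   # Created time (new on every copy under Windows)
    modified: datetime  # Modified time (preserved across a copy)

    @classmethod
    def from_path(cls, path: str) -> "FileTimes":
        # Assumption: st_ctime is the creation time, i.e. a Windows host.
        st = os.stat(path)
        return cls(path, datetime.fromtimestamp(st.st_ctime),
                   datetime.fromtimestamp(st.st_mtime))


def classify_mac_times(ft: FileTimes,
                       copy_window: timedelta = timedelta(seconds=8)) -> str:
    """Relate Created and Modified the way the thread describes them."""
    gap = ft.created - ft.modified          # positive when Modified precedes Created
    if gap <= timedelta(0):
        return "normal"                     # modified after creation: edited in place
    if gap <= copy_window:
        # Copied within seconds of being written: the anomaly under discussion.
        return "copied-within-seconds-of-creation"
    return "copied-from-elsewhere"          # ordinary copy/move onto this volume


def triage(files: list) -> dict:
    """Map each path to its classification so anomalies can be pulled out."""
    return {f.path: classify_mac_times(f) for f in files}


# Constructed sample set; only memo.txt shows the 3-second inversion.
T0 = datetime(2005, 1, 20, 10, 0, 0)
SAMPLE = [
    FileTimes("C:\\Docs\\report.doc", T0, T0 + timedelta(minutes=5)),
    FileTimes("C:\\Docs\\memo.txt", T0 + timedelta(seconds=3), T0),
    FileTimes("C:\\Docs\\old.xls", T0, datetime(2004, 12, 1, 9, 30, 0)),
    FileTimes("C:\\Docs\\notes.txt", T0, T0),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:38} {path}")
```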





-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
