MAC Times


Upload: blaise-hawkins

Post on 26-Dec-2015


Page 1: MAC Times Modification (mtime) When the file contents were CHANGED Change = addition or deletion or change of any single BYTE/Character… even if it doesn’t
Page 2:

MAC Times

Modification (mtime)

When the file contents were CHANGED

Change = addition or deletion or change of any single BYTE/Character… even if it doesn’t change the meaning of a file

For example: adding a single extra space to a term paper; it still reads the same, however it has been altered

Access (atime)

The time the file was last “touched”, even if not changed

Creation (ctime)

The timestamp of a file’s creation on a “volume” (disk)

Page 3:

Timestamps

Operating system dependent

Ex: Windows bases a timestamp on elapsed time since Jan 01, 1601 Midnight

Time elapsed in nanoseconds (billionths of a second)

MACs timestamps require a different “algorithm” (formula) for conversion to calendar date/time

Page 4:

Granularity

Refers to the “precision” of our time: how small a window of time (day/hour/minute/second)

Dependent on Operating System

Dependent on File System

Windows XP

Can use NTFS file system to record files on the disk

Can use FAT32 to record files on the disk

FAT32 typically used for removable media, such as USB or Flash Cards (such as in cameras)

Forensic software (or the analyst) needs to know the systems involved in order to interpret the time properly

Atime can be precise to the *date*, but perhaps not a time of day

Ctime can note the actual time and date down to 2/100’s of a second (depending on Operating System)

Page 5:

Discrepancies

File’s ctime occurs *after* the atime or mtime

Possible if:

Somebody played with the timestamps

The file was moved/copied to another “volume” (disk)

It’s “created” on that new disk at that date/time, but OS and File System might retain the original atime and mtime

Windows Vista

Updating of the atime is turned off by default

Not necessarily intentional on the part of the user to hide the time details!
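As an added example (not part of the slides), the following Python decodes a raw Windows FILETIME and applies the Page 5 test, ctime later than mtime or atime, while allowing for the Page 4 granularity point: a field that a file system rounds down (FAT32 keeps a date-only access stamp, a 2-second write stamp and a 10 ms creation stamp; NTFS keeps all three as 100-nanosecond FILETIME ticks) can sit "before" ctime without any real discrepancy. The two records it checks are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000  # 1970-01-01 expressed in FILETIME ticks

def filetime_to_datetime(ticks: int) -> datetime:
    """Decode a raw 64-bit FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    if not 0 <= ticks < 2**64:
        raise ValueError("FILETIME is an unsigned 64-bit integer")
    # timedelta resolves to microseconds, so ten ticks make one microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

# Worst-case resolution of each MAC field, in seconds. NTFS stores all three as
# FILETIME; FAT32 stores a date-only access stamp, a 2 s write stamp and a
# 10 ms creation stamp, so coarse fields are rounded down and compare "early".
RESOLUTION = {
    "NTFS": {"mtime": 1e-7, "atime": 1e-7, "ctime": 1e-7},
    "FAT32": {"mtime": 2.0, "atime": 86400.0, "ctime": 0.01},
}

def check_mac_discrepancies(mtime, atime, ctime, fs="NTFS"):
    """Flag a ctime later than mtime or atime, allowing for the volume's granularity."""
    findings = []
    for name, stamp in (("mtime", mtime), ("atime", atime)):
        slack = timedelta(seconds=max(RESOLUTION[fs]["ctime"], RESOLUTION[fs][name]))
        if ctime - stamp > slack:
            findings.append(f"ctime later than {name} by {ctime - stamp}: file copied "
                            "or moved to this volume, or timestamps altered")
    return findings

def demo():
    """Run the check over two constructed records (not from any real case)."""
    t0 = UNIX_EPOCH_FILETIME + 1_400_000_000 * 10_000_000   # 2014-05-13 UTC
    samples = {
        # NTFS: ctime three days after mtime/atime, the pattern the slide describes.
        "ntfs_created_later": dict(
            mtime=filetime_to_datetime(t0), atime=filetime_to_datetime(t0),
            ctime=filetime_to_datetime(t0 + 3 * 86400 * 10_000_000), fs="NTFS"),
        # FAT32: atime is date-only, so a same-day ctime after it is just rounding.
        "fat32_same_day": dict(
            mtime=datetime(2015, 12, 26, 10, 30, tzinfo=timezone.utc),
            atime=datetime(2015, 12, 26, tzinfo=timezone.utc),
            ctime=datetime(2015, 12, 26, 10, 30, 0, 5000, tzinfo=timezone.utc), fs="FAT32"),
    }
    return {name: check_mac_discrepancies(**rec) for name, rec in samples.items()}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no discrepancy within the file system's resolution"])
```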

Page 6:

Discrepancies

Examination of the contents of a file might indicate that the file was not created or modified when the timestamp claims it was

Content of the document lists a date or time indicating a creation prior to the “external” time

Might indicate an effort to hide or “forge” the time of a file

Is the date or time inside the file itself a result of the user’s effort (he or she typed it), or did the software package being used insert it?

Remember: Timestamps are based on the computer’s system time

If the system time is “off”, the file timestamps will also be “off” in relation to real time

Do timezone differences come into play? Do we need to consider Daylight Savings Time?

Not for the CSI Challenge!!!

Page 7:

CSI Challenge

The assumption is that any obvious time discrepancy is an effort on the part of an investigation’s subject to hide or obfuscate details

NOTE: You will receive a note in your packet (along with the investigator’s CD) which outlines how you should view times in terms of evaluating your investigation

For example, you might be directed to specifically ignore certain timestamps only

Do not ignore, unless specifically directed to do so!!!