Saturday, July 4, 2009

Vista Timestamps

Timestamps can certainly be tricky because many factors can affect their accuracy. This, however, does not automatically mean that file timestamps cannot be relied upon as evidence. It usually means that a forensic examiner needs to do more work to:
  • Correlate events from different sources.
  • Identify the factors leading to the timestamps changes.

Correlating events from different sources.

Some time ago I came across an article about a ‘selective enhancement’ method used to reconstruct a digital photograph from digital video footage. This method takes advantage of the fact that different frames differ slightly because the object moved or the light source changed. These differences are collected and then utilised in reconstructing the image. Going back to digital forensics, correlating events involves identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of weightier findings. Nevertheless, this kind of evidence may become crucial in the reconstruction of events and is too important an area to neglect.

Identify the factors leading to the timestamps changes.

There are many factors that can affect timestamps, including but not limited to various scanning or indexing applications, changes to the system clock, clock skew, or the use of anti-forensic tools. Unless the application responsible for altering timestamps has been resident in memory for a long time, such applications are identifiable by their execution time.

Knowledge and experience play a critical role in verifying the accuracy of timestamps. There are many publications on the Internet that discuss timestamps, and Vista timestamps in particular. You can find a link to these publications in my old post. Yet there are several recent ‘white papers’ on the Internet that just can’t get Vista timestamps right.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • Value Name: NtfsDisableLastAccessUpdate
  • Data Type: REG_DWORD (DWORD Value)
  • Value Data: set to 1 to prevent Last Access timestamp updates.
This does not mean that ‘Accessed Time’ is never updated at all. By simply experimenting with a text file on your desktop (if you have Vista, of course), you can quickly determine that the ‘Accessed Time’ value does not change when the file is read, and in most circumstances modifying the file also leaves ‘Accessed Time’ unchanged. It changes only when you copy the file or move it to another volume.

Compound files such as MS Office .doc or .docx files, and possibly certain other files such as .jpeg, may also change ‘Accessed Time’ when they have been modified.
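The two points above, correlating timestamp changes with the execution time of scanning or indexing applications and interpreting ‘Accessed Time’ under the NtfsDisableLastAccessUpdate setting, can be turned into a small triage script. The following is an added example written for this post, not code from the original article or from any tool it mentions. The registry export fragment, the file records and the execution records are all constructed sample data; the rule that a non-compound file whose Accessed time is later than both its Created and Modified times needs a further explanation when Last Access updates are disabled is my own reading of the behaviour described above, and the ten-minute correlation window is an arbitrary choice.

```python
# Added example (not from the original post): correlate file timestamps with
# the NtfsDisableLastAccessUpdate setting and with application execution times.
# All registry text, file records and execution records below are constructed.
from collections import namedtuple
from datetime import datetime, timedelta

FileRecord = namedtuple("FileRecord", "name created modified accessed")
RunRecord = namedtuple("RunRecord", "program run_time")

# Extensions the post names as compound files whose Accessed time may move on modification.
COMPOUND_EXTS = (".doc", ".docx", ".jpeg", ".jpg")


def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string into a naive datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed fragment in 'reg export' format.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
"""


def last_access_updates_disabled(reg_text):
    """Return True when NtfsDisableLastAccessUpdate is 1 in the export, False when it is 0,
    and None when the value is absent (the system default then applies)."""
    for line in reg_text.splitlines():
        name, sep, data = line.strip().partition("=")
        if sep and name == '"NtfsDisableLastAccessUpdate"' and data.startswith("dword:"):
            return int(data[len("dword:"):], 16) == 1
    return None


def copied_from_other_volume(files):
    """Files whose Modified time predates their Created time: the content was written
    before the file existed on this volume, the usual sign of a copy or move from elsewhere."""
    return [f.name for f in files if f.modified < f.created]


def unexplained_access(files, access_updates_disabled):
    """With Last Access updates disabled, reading a file leaves Accessed untouched and
    modifying it usually does too (compound files excepted). An Accessed time later than
    both Created and Modified on a non-compound file therefore needs another explanation."""
    if not access_updates_disabled:
        return []  # ordinary reads may update Accessed, so the rule does not apply
    flagged = []
    for f in files:
        if f.name.lower().endswith(COMPOUND_EXTS):
            continue
        if f.accessed > f.created and f.accessed > f.modified:
            flagged.append(f.name)
    return flagged


def correlate_with_runs(files, names, runs, window=timedelta(minutes=10)):
    """Pair each flagged file with programs that ran shortly before its Accessed time;
    a scanner or indexer run inside that window is a candidate cause of the change."""
    by_name = {f.name: f for f in files}
    pairs = []
    for name in names:
        accessed = by_name[name].accessed
        for run in runs:
            if run.run_time <= accessed <= run.run_time + window:
                pairs.append((name, run.program))
    return pairs


# Constructed file system records (name, created, modified, accessed).
FILES = [
    FileRecord("notes.txt", ts("2009-06-01 09:00:00"), ts("2009-06-10 14:30:00"), ts("2009-06-01 09:00:00")),
    FileRecord("report.docx", ts("2009-06-02 10:00:00"), ts("2009-06-12 11:05:00"), ts("2009-06-12 11:05:00")),
    FileRecord("photo.jpg", ts("2009-06-03 08:00:00"), ts("2009-05-20 17:00:00"), ts("2009-06-03 08:00:00")),
    FileRecord("old.log", ts("2009-06-01 09:00:00"), ts("2009-06-01 09:00:00"), ts("2009-06-15 02:03:00")),
]

# Constructed execution records, e.g. from Prefetch or an application log.
RUNS = [
    RunRecord("indexer.exe", ts("2009-06-15 02:00:00")),
    RunRecord("notepad.exe", ts("2009-06-10 14:29:00")),
]


if __name__ == "__main__":
    disabled = last_access_updates_disabled(REG_EXPORT)
    print("Last Access updates disabled:", disabled)
    print("Copied or moved from another volume:", copied_from_other_volume(FILES))
    flagged = unexplained_access(FILES, disabled)
    print("Accessed time needing explanation:", flagged)
    print("Candidate causes:", correlate_with_runs(FILES, flagged, RUNS))
```

On the sample data the script reports photo.jpg as copied from elsewhere (its Modified time is older than its Created time), leaves report.docx alone because it is a compound file, and flags old.log, whose Accessed time moved three minutes after indexer.exe ran; that pairing is exactly the kind of alternative-source correlation the post argues for, and it is a lead for the examiner to verify, not a conclusion.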