How much do timestamps matter?

[joel.folkerts at gmail.com (Joel Folkerts)]

In addition to Adrian's point, realize that timestamps may not be able to
paint the entire picture for events that took place long ago since they only
record the *last* event. I realize this is an obvious statement but it seems
to trip up new forensic examiners when they are conducting a time line
analysis.

-Joel



"The path to hell is paved with good intentions."


On Tue, Aug 11, 2009 at 8:52 PM, Ali Emirlioglu <ali.emirlioglu at gmail.com>wrote:

> We had this discussion at the sans forensics course a couple of months ago.
> The conclusion was that programs like timestomp have been around for a long
> time but most people lack the knowledge to use such programs...and if they
> use it, most don't know how to use it properly giving away the fact that
> they've used it which could be used against them anyway :P
>
> I don't do this for a living (yet) but so far every forensics professional
> I've come across agrees that timestamps are still important as they can be
> extracted and used in the majority of cases.
>
> Just my $0.02
>
> On Wed, Aug 12, 2009 at 9:44 AM, Adrian Crenshaw <irongeek at irongeek.com>wrote:
>
> > As the subject states, how much do file time stamp matter to a forensics
> > case? If some one finds my collection of "Nazi albino midget Eskimo" porn,
> > does it really mater what the date is? I see timestomp (let me know if there
> > are better tools) lets you change the MACE times of a file in Windows to
> > whatever you want, but if you use the -r option to set the time stamp to the
> > 17th century that's obviously bogus, and setting it far in the future is
> > little good either as far as I can tell. Having a scheduled job of some kind
> > that sets the times a few day later than the current time may be useful, so
> > that when the box is acquired time stamps show files that have changed since
> > the seizure. In a court case, how important are time stamps? Anyone reaally
> > do this for a living that can give me insight?
> >
> > Thanks,
> > Adrian
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090812/3de12d3e/attachment.htm