How much do timestamps matter?

[ali.emirlioglu at gmail.com (Ali Emirlioglu)]

We had this discussion at the sans forensics course a couple of months ago.
The conclusion was that programs like timestomp have been around for a long
time but most people lack the knowledge to use such programs...and if they
use it, most don't know how to use it properly giving away the fact that
they've used it which could be used against them anyway :P

I don't do this for a living (yet) but so far every forensics professional
I've come across agrees that timestamps are still important as they can be
extracted and used in the majority of cases.

Just my $0.02

On Wed, Aug 12, 2009 at 9:44 AM, Adrian Crenshaw <irongeek at irongeek.com>wrote:

> As the subject states, how much do file time stamp matter to a forensics
> case? If some one finds my collection of "Nazi albino midget Eskimo" porn,
> does it really mater what the date is? I see timestomp (let me know if there
> are better tools) lets you change the MACE times of a file in Windows to
> whatever you want, but if you use the -r option to set the time stamp to the
> 17th century that's obviously bogus, and setting it far in the future is
> little good either as far as I can tell. Having a scheduled job of some kind
> that sets the times a few day later than the current time may be useful, so
> that when the box is acquired time stamps show files that have changed since
> the seizure. In a court case, how important are time stamps? Anyone reaally
> do this for a living that can give me insight?
>
> Thanks,
> Adrian
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090812/7b8b1ce5/attachment.htm