PaulDotCom mailing list archives

How much do timestamps matter?


From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Wed, 12 Aug 2009 08:12:44 -0400


I agree. I'd say as a forensics examiner (which I am not) that if you suspect the timestamps have been altered, then your
next bet might be to prove that timestomp or another such tool was used on the system. Obviously the timestamps at that point are
useless, but at least they can't be used "against" your case.

 

Now if I wanted to modify timestamps to hide myself, I would probably generate some completely random dates for a bunch
of files, or at least modify the timestamps to coincide with some other event not related to what you're doing on the
system, and try to throw the investigator off your trail.

 

PJ
 


Date: Wed, 12 Aug 2009 11:52:11 +1000
From: ali.emirlioglu at gmail.com
To: pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] How much do timestamps matter?

We had this discussion at the SANS forensics course a couple of months ago. The conclusion was that programs like
timestomp have been around for a long time, but most people lack the knowledge to use such programs... and if they do use
them, most don't know how to use them properly, giving away the fact that they've used them, which could be used against them
anyway :P

I don't do this for a living (yet) but so far every forensics professional I've come across agrees that timestamps are 
still important as they can be extracted and used in the majority of cases. 

Just my $0.02


On Wed, Aug 12, 2009 at 9:44 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

As the subject states, how much do file timestamps matter to a forensics case? If someone finds my collection of "Nazi
albino midget Eskimo" porn, does it really matter what the date is? I see timestomp (let me know if there are better
tools) lets you change the MACE times of a file in Windows to whatever you want, but if you use the -r option to set
the timestamp to the 17th century that's obviously bogus, and setting it far in the future is little good either as
far as I can tell. Having a scheduled job of some kind that sets the times a few days later than the current time may be
useful, so that when the box is acquired the timestamps show files that have changed since the seizure. In a court case,
how important are timestamps? Anyone really do this for a living that can give me insight?

Thanks,
Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
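The thread above makes two practical points: Ali's, that people who use timestomp usually give themselves away, and Adrian's, that a 17th-century (-r style) value or a timestamp later than the acquisition is obviously bogus. The script below is an added example (not code from the thread or from timestomp) that turns those observations into a triage pass over NTFS MFT timestamps. It assumes the timestamps have already been extracted as raw Windows FILETIME integers (100-ns ticks since 1601-01-01 UTC) for both the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes; the records, the acquisition time and the 1980 plausibility floor are constructed for illustration.

```python
"""Flag NTFS timestamp anomalies typical of naive timestomping.

Added example, not from the mailing-list thread.  Assumptions: MFT timestamps
are supplied as raw Windows FILETIME integers (100-ns ticks since 1601-01-01
UTC) for both $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN); the sample
records, acquisition time and plausibility floor below are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-ns ticks


def filetime_to_datetime(ft_value: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft_value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def ft(year, month, day, hour=0, minute=0, second=0, ticks=0) -> int:
    """Build a FILETIME from a UTC calendar time plus 0..9_999_999 extra ticks."""
    return datetime_to_filetime(datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)) + ticks


# Assumption: nothing on a 2009-era NTFS volume legitimately predates 1980.
PLAUSIBLE_FLOOR = ft(1980, 1, 1)


def timestomp_flags(record: dict, acquired_at: int) -> list:
    """Return the anomaly codes raised by one MFT record (empty list = nothing odd)."""
    si, fn = record["si"], record["fn"]
    flags = []
    # 1. timestomp writes whole seconds, so all four $SI values having a zero
    #    sub-second part is the classic tell (one zero alone can be natural).
    if all(v % TICKS_PER_SECOND == 0 for v in si.values()):
        flags.append("si_subsecond_zero")
    # 2. timestomp edits $SI only; $FN is maintained by the kernel.  A file
    #    "created" ($SI) before its $FN record existed is suspicious, but a move
    #    within the volume produces the same pattern, so treat it as a lead.
    if si["C"] < fn["C"]:
        flags.append("si_created_before_fn")
    # 3. -r style blanking lands at the FILETIME epoch (1601): obviously bogus.
    if min(si.values()) < PLAUSIBLE_FLOOR:
        flags.append("si_implausibly_old")
    # 4. Nothing later than the acquisition time can be a real event on the box.
    if max(si.values()) > acquired_at:
        flags.append("si_after_acquisition")
    return flags


def triage(records, acquired_at: int) -> dict:
    """Map each record name to its anomaly codes."""
    return {r["name"]: timestomp_flags(r, acquired_at) for r in records}


# Constructed sample data: four files, one untouched and three tampered with.
ACQUIRED_AT = ft(2009, 8, 12, 14, 0, 0)           # when the disk was imaged
_real = ft(2009, 7, 20, 9, 30, 0, 4120000)         # genuine creation of report.docx
SAMPLE_RECORDS = [
    {"name": "report.docx",                        # untouched file
     "si": {"M": ft(2009, 8, 1, 10, 15, 22, 1234567), "A": ft(2009, 8, 11, 8, 2, 9, 7654321),
            "C": _real, "E": ft(2009, 8, 1, 10, 15, 22, 1234567)},
     "fn": {"M": _real, "A": _real, "C": _real, "E": _real}},
    {"name": "stash.bin",                          # $SI backdated to a whole second
     "si": {k: ft(2008, 3, 4, 9, 0, 0) for k in "MACE"},
     "fn": {k: ft(2009, 8, 10, 23, 41, 5, 5554443) for k in "MACE"}},
    {"name": "blank.bin",                          # $SI blanked to the 1601 epoch
     "si": {k: 0 for k in "MACE"},
     "fn": {k: ft(2009, 8, 10, 23, 50, 17, 2223334) for k in "MACE"}},
    {"name": "drift.bin",                          # scheduled job pushed $SI 3 days ahead
     "si": {k: ACQUIRED_AT + 3 * 86400 * TICKS_PER_SECOND + 9876543 for k in "MACE"},
     "fn": {k: ft(2009, 8, 9, 12, 0, 0, 1000001) for k in "MACE"}},
]

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_RECORDS, ACQUIRED_AT).items():
        print(f"{name:12s} {flags or 'clean'}")
```

None of the four checks proves tampering on its own; the point, as in Ali's remark, is that a careless timestomp run trips several of them at once while a genuine file trips none, and it is the combination that an examiner would then corroborate from the USN journal, $LogFile or other sources the thread does not cover.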


