PaulDotCom mailing list archives
How much do timestamps matter?
From: dkovar at gmail.com (David Kovar)
Date: Wed, 12 Aug 2009 11:50:29 -0400
Greetings,

Timestamps are one clue to a subject's activity but are rarely the smoking gun, for many reasons. They can be intentionally modified, various automated processes can update them, the system's clock may be off (intentionally or accidentally), various actions may not preserve them, ....

Used in conjunction with other information, file system or metadata timestamps can be very useful. If the physical security log at the front desk shows the subject entering the building 15 minutes before they log on to the domain server and then the prefetch shows Limewire running right after that, leading to files being created shortly after that ....

-David

On Wed, Aug 12, 2009 at 3:14 AM, Jim Halfpenny<jim.halfpenny at gmail.com> wrote:

Timestamps may matter a lot if you refute your role in downloading such niche bedtime reading. The old, "A virus must have downloaded it," might have less credibility if timestamps show the files to have been created over a considerable period of time.

Remember that evidence in isolation may seem meaningless. If, for example, you have corroborating evidence from browser history, logs or ISP records, timestamps might provide strong evidence.

Jim

On 12/08/2009, Grymoire <pauldotcom at grymoire.com> wrote:

As the subject states, how much do file time stamps matter to a forensics case? If someone finds my collection of "Nazi albino midget Eskimo" porn, does it really matter what the date is?

I'm not a forensic expert, but as I understand it, timestamps help paint an accurate recreation of events. An expert describes a series of events, such as entries in the log file, access times, modification times, etc., registry entries, etc. Some experts say that you can usually re-create an event even if someone tries to hide their traces (i.e., modify timestamps). I think a lot depends on the OS and logging capability. And if the log is stored on a centralized log server, hiding traces is more difficult.

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- Sent from my mobile device
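The corroboration described in the message above (badge log, domain logon, prefetch, then file creation) and the point about files created over a long period, as an added example that is not part of the original thread. The event data is constructed, and the names `EVENTS`, `build_timeline`, `corroborate`, `creation_span` and the 30-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not from any real case: (source, timestamp, description).
# Assumption: every source has already been normalised to the same clock.
EVENTS = [
    ("badge",      "2009-08-10 08:45:00", "subject enters building"),
    ("domain",     "2009-08-10 09:00:10", "subject logs on to workstation"),
    ("prefetch",   "2009-08-10 09:02:30", "LIMEWIRE.EXE executed"),
    ("filesystem", "2009-08-10 09:05:12", "created a.mp3"),
    ("filesystem", "2009-08-10 09:07:45", "created b.mp3"),
    ("filesystem", "2009-08-03 02:14:00", "created c.mp3"),
]

def build_timeline(events):
    """Parse timestamps and merge every source into one sorted timeline."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, desc)
              for src, ts, desc in events]
    return sorted(parsed)

def corroborate(timeline, window=timedelta(minutes=30)):
    """For each file creation, list the independent (non-filesystem) sources
    that recorded an event in the window leading up to it."""
    result = {}
    for ts, src, desc in timeline:
        if src != "filesystem":
            continue
        nearby = {s for t, s, _ in timeline
                  if s != "filesystem" and timedelta(0) <= ts - t <= window}
        result[desc] = sorted(nearby)
    return result

def creation_span(timeline):
    """Time between the earliest and latest file creation."""
    created = [ts for ts, src, _ in timeline if src == "filesystem"]
    return max(created) - min(created)

if __name__ == "__main__":
    tl = build_timeline(EVENTS)
    for desc, sources in corroborate(tl).items():
        status = ", ".join(sources) if sources else "no independent corroboration"
        print(f"{desc}: {status}")
    print("file creation span:", creation_span(tl))
```

A file creation with an empty source list rests on the file system timestamp alone, which is the weakest position described in the thread.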
Current thread:
- How much do timestamps matter? Grymoire (Aug 11)
- How much do timestamps matter? Dimitrios Kapsalis (Aug 11)
- How much do timestamps matter? Jim Halfpenny (Aug 12)
- How much do timestamps matter? David Kovar (Aug 12)
- How much do timestamps matter? Nicholas B. (Aug 12)
- How much do timestamps matter? Joel Folkerts (Aug 13)
- How much do timestamps matter? Ken Pryor (Aug 13)
- How much do timestamps matter? Adrian Crenshaw (Aug 14)
- How much do timestamps matter? Chris Merkel (Aug 14)
- How much do timestamps matter? David Kovar (Aug 12)