Thread: Vista Timestamps

  1. #1
    All the Certs! 11001001's Avatar
    Join Date
    Mar 2002
    Location
    Just West of Beantown, though nobody from Beantown actually calls it "Beantown."
    Posts
    1,230

    Question Vista Timestamps

    I got a call from an investigator doing a Limewire investigation. The Limewire part doesn't matter so much as the OS being Vista. He has files showing the same Date Created and Last Accessed, but a more recent Date Modified. As far as we can tell, the files have not been moved or changed.

    We just need to explain why/how a file can be modified without being accessed.

    Any thoughts?
    Above ground, vertical, and exchanging gasses.
    Now you see me | Now you don't
    "Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
    sometimes my computer goes down on me

  2. #2
    Just a thought.. Lot of AV's have an option of keeping original time stamp (accessed because they will access the file to scan it).. I am sure there are software's out there that let you change time stamps the way you want..

    I have dealt with a similar case on Vista (enterprise, shouldn’t matter though) and during my course of researching the only way a file will have a newer modified time (or uneven time stamps) is if the file is moved from different machine.

    You can confirm this by checking owner / creator of the file that way at least you can see if it’s by the same user at least.


    Hope this helps.. I'll put in something once I get time to look around.. on my way home from office..

    The reason I'm focusing on time stamps is because they are the weak key here.

    I am sure you can access the file and edit it through live CD without the host OS knowing about it..

    What if the file was changed and time stamps reverted or something..

    EDIT :


    Lot of software's out there to let you change the time stamp of the file to what you want

    http://www.codeproject.com/KB/files/timestamp.aspx

    http://www.lifespy.com/2007/windows-...le-timestamps/



    *I'm, maybe off the point here; for that please forgive me.. LONG WEEKEND AT WORK :x"
    Last edited by ByTeWrangler; July 13th, 2009 at 05:13 PM.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    All the Certs! 11001001's Avatar
    Thanks for the help, BW!

    Quote Originally Posted by ByTeWrangler
    > Just a thought.. Lot of AV's have an option of keeping original time stamp (accessed because they will access the file to scan it).. I am sure there are software's out there that let you change time stamps the way you want..

    I think that's probably the case

    > I have dealt with a similar case on Vista (enterprise, shouldn’t matter though) and during my course of researching the only way a file will have a newer modified time (or uneven time stamps) is if the file is moved from different machine.
    >
    > You can confirm this by checking owner / creator of the file that way at least you can see if it’s by the same user at least.

    Single User

    > I am sure you can access the file and edit it through live CD without the host OS knowing about it..
    >
    > What if the file was changed and time stamps reverted or something..
    >
    > EDIT :
    >
    > Lot of software's out there to let you change the time stamp of the file to what you want
    >
    > http://www.codeproject.com/KB/files/timestamp.aspx
    >
    > http://www.lifespy.com/2007/windows-...le-timestamps/
    >
    > *I'm, maybe off the point here; for that please forgive me.. LONG WEEKEND AT WORK :x"

    We're pretty sure it was not done intentionally.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi there BB,

    Please check:

    HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\

    NtfsDisableLastAccessUpdate

    I think it is set to disable by default in Vista? which I believe prevents the last access date being updated. I have heard that it is supposed to improve performance.

    ByTe is quite correct that there are quite a few utilities that allow you to alter file dates, including, I believe, some anti-forensics applications

  5. #5
    All the Certs! 11001001's Avatar
    Thanks, Nihil... I'll have him check that.

    BTW, we don't talk about anti-forensics applications.

    /shudder

  6. #6
    Senior Member nihil's Avatar
    Hi,

    > He has files showing the same Date Created and Last Accessed, but a more recent Date Modified.
    That sounds like the Vista default. It will set the last accessed timestamp when the file is created or if it is copied. I also believe that moving a file will do it in some versions of Windows but I am not sure about Vista.

    The reason I mentioned anti-forensics is that I was thinking of "TimeStomp". However, I would have thought that if a perp knew about that application they would know to make the timestamps plausible and misleading?
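
The pattern discussed in posts #4 and #6, as an added example that is not part of any poster's reply: a triage pass over exported timestamps that reports which files are explained by `NtfsDisableLastAccessUpdate` being 1. The function names, verdict labels, two-second tolerance and sample rows are constructed for illustration; the "copy-like" rule relies on general Windows copy behaviour (new creation time, carried-over modified time).

```python
from datetime import datetime, timedelta

TOLERANCE = timedelta(seconds=2)  # assumed slack for calling two stamps "the same"

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def updates_disabled(reg_value):
    # NtfsDisableLastAccessUpdate == 1: last-access updates are off.
    # None means the value was not recovered, so nothing is assumed.
    return reg_value == 1

def classify(created, modified, accessed, reg_value):
    access_frozen = abs(accessed - created) <= TOLERANCE
    if modified < created - TOLERANCE:
        # Copying gives the new file a fresh creation time but carries the
        # modified time over, so "modified before created" looks like a copy.
        return "copy-like"
    if modified > created + TOLERANCE and access_frozen:
        # The thread's pattern: written after creation, access stamp never moved.
        return "explained-by-setting" if updates_disabled(reg_value) else "needs-review"
    if accessed > max(created, modified) + TOLERANCE:
        return "access-tracked"  # access stamp was still being updated
    return "unremarkable"

def triage(rows, reg_value):
    return {name: classify(c, m, a, reg_value) for name, c, m, a in rows}

# Constructed sample rows: (name, created, modified, accessed)
SAMPLE = [
    ("song1.mp3", ts("2009-06-01 10:00:00"), ts("2009-06-01 10:14:30"), ts("2009-06-01 10:00:00")),
    ("song2.mp3", ts("2009-06-02 09:00:00"), ts("2009-05-20 18:00:00"), ts("2009-06-02 09:00:00")),
    ("notes.txt", ts("2009-06-03 08:00:00"), ts("2009-06-03 08:05:00"), ts("2009-06-05 12:00:00")),
    ("empty.dat", ts("2009-06-04 07:00:00"), ts("2009-06-04 07:00:00"), ts("2009-06-04 07:00:00")),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE, reg_value=1).items():
        print(f"{name:10} {verdict}")
```

A "needs-review" verdict only means the registry value does not account for the pattern; it says nothing about how the timestamps got that way.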
