Interesting article on examining Time Stamps (defeating Timestomp? Filetime ?), in terms of highlighting differences between SI and FN attributes. In this article a Perl script is refered to (previously written by Harlan Carvey) to output results…
“.. Chronological data about the files on a Windows system are stored in something called the Master File Table or $MFT ..
– snip –
there are two places in the MFT that store this chronological data. One is the $Standard_Information ($S_I) attribute, and the other is the $File_Name ($F_N) attribute ..”
Cepogue, The Digital Standard, 23 February 2011
http://thedigitalstandard.blogspot.com/2011_02_01_archive.html – last access 26 February 2011 – ( Full Article )
February 26, 2011 | Categories: Analysis, Filetime, MFT, Perl, Software, Timestamps | Tags: Computer Forensics, Digital Forensics, MFT, NTFS, perl, timestamps | Comments Off on Time Stamps on NTFS, examination of the MFT
Interesting article by Lance Mueller on Filestamps (NTFS and FAT).
” .. an examiner should be familiar how the time values are stored on NTFS volumes AND the need to examine these dates manually, since many of the common forensic tools do not display the dates with any precision beyond one second, when there is any suspicion of tampering .. ”
Lance Mueller, ForensicKB, 21 January 2011
http://www.forensickb.com/2011/01/fun-and-games-with-windows-filetime-and.html – last access 23 January 2011 – ( Full Article )
January 23, 2011 | Categories: Analysis, Filetime, Timestamps, Timestomp | Tags: Computer Forensics, Digital Forensics, Filetime, MFT, NTFS, Timestomp | Comments Off on Fun and games with Windows FILETIME and how to efficiently detect timestamp alterations