How Time/Date Stamps can Assist in Proving the Provenance of a File
An operating system normally maintains information about a file that includes a time/date stamp.
The time/date stamp can record the point that a file had been created, altered and accessed and is generated by the computer’s system clock.
By investigating the time/date stamp attribute associated to a file it is possible to complete an audit of it’s history.
For example, when the file is originally created on a system, the ‘file created’ time/date stamp is altered. The ‘last written’ time/date stamp of the file can provide evidence as to the length of time the file took to be fully stored to the drive which can provide evidence of the source of it.
For example, if the file was copied from one local device to another then the file would not take long to transfer and the file created and last written time/date stamps would be relatively close together. However, if the file was downloaded from the Internet then there is likely to be a bigger difference between the ‘file created’ and ‘last written’ time/date stamps.
If a file is moved from one volume to another then the ‘last written’ time/date stamp can be retained or altered, depending upon the method that the file had been transferred and, depending upon the type of file system that it had been originally transferred from.
When a file is downloaded from the Internet, the time/date stamps behave differently to a file moved from one local device to another and the ‘last written’ date is reset and records the point of download.
Up until Windows Vista, the ‘Last Accessed’ time/date stamp of a file were altered when it was accessed. This access could be through a user manually opening the file or by an automated process, such as a virus scan, accessing the file to assess the content of it.
From Windows Vista onwards, by default, the ‘last accessed’ time/date stamp of a file is not altered by any ‘access’ either manual or automatic. Therefore, the operating system present on the device can affect the behaviour of time/date stamps of a file when different actions occur with it.
There are also exceptions to the standard behaviours of time/date stamps where other different scenarios can change whether an attribute is altered or not.
As an example, when the content of a Zip archive file is exported, the content of the file are added to the device with the original time/date stamp retained which can mean that the creation date displayed is not the actual point that a file was originally stored.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.