- Dan Mares
"What time is it?"
Most people would have a single answer to this question. But a computer forensics examiner might have a few.
PST, EDT, CST, GMT, ZULU. Modified/Write, Access, Create, Record/Entry Modified. Do these mean anything to you?
For an investigator dealing with computer evidence, how important is the time (clock) setting on the suspect computer? How important are the file times of your evidence?
It might make or break any case that relies on placing the suspect at his computer at a specific time.
Take for example a case where you used a forensic suite to make an image of the drive. Then you identified file evidence and extracted evidentiary files for additional analysis, or presentation to legal or civil processes. Or in a corporate environment, you simply sit down at a subject computer, identify suspicious file(s) and copy them to your work medium. So far so good. Yes/NO/Maybe?
This suspect data might be: network log data, intrusion data, virus files, other captured network data. Or you are working a case where the evidence might be contained in a file on the suspect computer such as stolen proprietary (keys to the kingdom) data, kitty porn, an altered or stolen document. AND, you “carefully” and “forensically” copy or extract that file to your work drive. Really?
Again, let’s assume at this point that this data is “carefully” extracted to your work medium through the use of a forensic suite or a file copy operation. There are many instances where you might be copying, manipulating or analyzing a file which is, or contains, evidence. You get the idea (I hope).
Now, let’s get to the timing of things. Here are two websites where you might find definitions of the file times.
https://docs.microsoft.com/en-us/windows/desktop/sysinfo/file-times (Microsoft file times defined)
https://cyberforensicator.com/2018/03/25/windows-10-time-rules (time stamps defined; a really good article with a color "graph" explaining timestamps. Which totally confused me.)
The full subject of file times is too complicated for this discussion. Windows really maintains eight (8) timestamps, but we will only discuss three here: the three that are usually and most easily seen and identified within a normal examination. They are the Modified/Written, Created and Last Accessed time stamps, otherwise known as the MAC times.
As best as I have been able to determine, here are some layperson's (that’s the last time I will be politically correct) definitions of the three.
"Creation Time" (the ‘C’ in MAC time), is usually the time the file was created on that/this medium. More specifically, it is the time when the file was first created or written to the disk in its current location. Note, then, that if the file was copied from another source, "creation time" would be the time the file was copied to this location, rather than the time it was first created possibly years ago in a different folder. (Microsoft documentation roughly defines this as: the time the file was created.)
"Last Write/Modification time" (The ‘M’ in MAC time) may take on many different meanings. Practically speaking, it means when a program last made any changes to the file. Even though Microsoft defines it as last write time, if you consider this to be the last modification time, all the behavior of the operating system relative to this time stamp seems to be correct. Last modification would occur when you re-opened the document, edited it in some way, and wrote the result back to the disk. Or when you “wrote” it to a new location. This is the time Explorer and DIR show you. (Microsoft defines this as: the time that the file was last written to.)
“Last Access Time” (the "A" in MAC time) is defined by Microsoft as follows:
Each file and folder on an NTFS volume contains an attribute called Last Access Time. This attribute shows when the file or folder was last accessed, such as when a user performs a folder listing, adds files to a folder, reads a file, or makes changes to a file. The most up-to-date Last Access Time is always stored in memory and is eventually (sometime) written to disk within two places.
In plain English, it is the last time the file was accessed in any fashion. Copied, printed, opened, moved, "typed". Generally, the NTFS system resets this "last access time" any time an action is performed on the file. And most activity on a file will cause this time to be reset (within prescribed limits). The examiner must test the operation of each software program used by both the suspect and by himself to determine if any of that software alters last access time. However, last access is ONLY updated on an hourly basis. (What you say!)
But you say, on our computers, last access is turned off by default. True, but it can be reset easily by adjusting a registry key:
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Name: NtfsDisableLastAccessUpdate
Type: REG_DWORD
Value: 1 (A value of 1 turns last access update off.)
Value: 0 (Sets last access update to on. Access dates are updated.)
BE ADVISED THAT REGARDLESS OF THE SETTING OF THE KEY, PROGRAMS CAN ALTER THE LAST ACCESS UPDATE AT WILL. THE DEFAULT PARAMETER IS MERELY A GUIDE THAT WINDOWS USES TO SET ITS MAC DATE/TIMES.
I tell you personally, if I was in a corporate environment, I would have last access turned on for all my computers. In the case of problems, I would like to know when items were accessed. (like someone copies a sensitive file to a thumb drive). You will see arguments that last access slows down computer operation. Yes, this slowdown will be noticed when hell freezes over.
Now, let’s look at an example of a file (copy) operation.
Filename                      Create                Modified/Write        Access
original_source_file_drive1   03/15/2019 10:09:16c  03/15/2019 10:11:29w  03/27/2019 15:07:08a
copy1_file_same_drive         04/15/2019 18:03:19c  03/15/2019 10:11:29w  04/15/2019 18:03:19a
original_source_after_copy1   03/15/2019 10:09:16c  03/15/2019 10:11:29w  04/15/2019 18:03:19a
copied_to_drive2_thumb        04/15/2019 18:09:51c  03/15/2019 10:11:29w  04/15/2019 18:09:51a
For reference, after the file was first copied (line 2), only the access time of the source was updated, to the file copy time of 04/15/2019 18:03:19a. The destination copy1_file_same_drive received the same access time, which is expected. So the access time of the original (line 3) now matches the time of the first copy operation (18:03:19a).
Line 1 is the file data when it was first extracted as evidence to work on. We are assuming the process which got it to that drive location, maintained its original MAC times. It’s your responsibility to find software which will do this.
On line 2 we copied the original evidence to a work folder on our drive. Notice the create time was altered to reflect the time we copied it to our work location, and the access time on line 2 was also updated to reflect when this copy operation was performed. Two (create, access) of the three file times are altered/adjusted in a simple copy operation.
Notice the creation time is changed. Even though it is the same drive, just a different folder, the file is now "CREATED" in this new work location, so we get a new create time. How would this fly in an evidence situation?
Now, the file copied to a completely different medium (line 4). Let’s say, after we performed the analysis, we decide to copy it to a thumb drive for delivery as evidentiary disclosure.
Copying to a completely separate drive again resulted in two times being updated. But notice that last write/modified still remains as the original. Why? Because we did not modify the file; we just copied it. The modified/write time was not altered, but in both "copy" cases the create time was updated. This is how you get a file that seemingly was created after it was modified. An oxymoron, and a source of confusion: how can a file be created after it is modified? The answer lies in the way the operating system maintains its timestamps. Try explaining to a jury that a file was modified before it was created.
In other words: when an original file is copied (using the copy command, File Manager, or one of many “Forensic” copy programs I have tested) the original "last write/modification" time on the new file is unaltered. However, the creation time is, by definition, the current time of the copy, and the last access time is also altered depending on the registry setting.
Now explain this:
Original file’s access after first operation:      04/15/2019 18:03:19a
Current access of the COPIED file's last operation: 04/15/2019 18:09:51a
A six (6) minute difference between the original's access time and the current access time. And why is the access date of the original file NOT adjusted to 18:09 during the second copy? Because the second copy took place less than an hour after the first operation, so the operating system didn’t think it necessary to update the access time.
Now that you are thoroughly confused about file times, let’s discuss something else.
Documenting file dates with an inventory
Because file dates may become so important and controversial, at the earliest possible point during the analysis the investigator should create an inventory of all files on the system with their three dates. Be sure the file dates of the files you present to opposing parties are accurate, and be prepared to explain any discrepancies between the file dates on the original drive and those on the drive you present to the opposition.
Unfortunately, I can’t find any way to get Windows Explorer to create a nice neat listing of all the file dates on a computer. But I wouldn’t want to use Explorer anyway. Find a product which can export and/or copy the file dates to/in a file which can be saved, and produced as evidence. I can suggest a few, but I’ll leave that as a homework assignment. Know what dates your software changes or maintains when it creates discovery data for your case.
Final things to think about:
For FAT32 file systems which are still seen on some smaller and older thumb drives, for the last access date and time field, only the date is maintained. The last access time on FAT32 file systems is always 00:00.
Programs can generally alter the file times at will. And file times may be very important to your case. And you may be asked to define and explain file times which you provide as evidence in court.
Setting/resetting the last access time could have evidentiary consequences, and the user should be certain that a sound explanation is available.
Now, here is the file date structure of a file being copied with a reliable forensic copy program. Notice no times were altered during the process.
Filename                 Create                Modified/Write        Access
Original_file            03/09/2019 11:02:10c  03/29/2019 14:32:39w  04/12/2019 15:46:39a
Copy1_to_same_drive      03/09/2019 11:02:10c  03/29/2019 14:32:39w  04/12/2019 15:46:39a
copy2_to_2nd_drive       03/09/2019 11:02:10c  03/29/2019 14:32:39w  04/12/2019 15:46:39a
Current_original_file    03/09/2019 11:02:10c  03/29/2019 14:32:39w  04/12/2019 15:46:39a
I think we have reliable copies to two destinations, while maintaining the original date structure of the original, and both copies.
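As an added example that is not part of the original article or any tool of the author's, the following Python script does the two things the article asks for: the inventory of every file's three dates recommended under "Documenting file dates with an inventory", and the check shown in the table just above that a forensic copy left create, modified and access times untouched. It walks a directory tree, records each file's SHA-256 and created/modified/accessed times (in UTC) in a CSV, compares two such inventories and lists every difference, and on Windows reads the NtfsDisableLastAccessUpdate value from the registry key given earlier in the article. The CSV layout, file paths and function names are my assumptions; the creation-time field is left empty on Linux, where os.stat exposes no birth time.

```python
"""Added example (not the article's tool): inventory MAC times, compare two inventories."""
import csv
import hashlib
import os
import sys
from datetime import datetime, timezone

FIELDS = ("relpath", "sha256", "created", "modified", "accessed")


def _iso(ts):
    # Record every time in UTC so the inventory does not depend on the
    # examiner's local time zone (PST, EDT, CST ... as the article notes).
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def _created(st):
    # Windows (and macOS) expose a creation/"birth" time. Linux does not, and
    # its st_ctime is the inode change time, so there we record an empty field
    # rather than a misleading value.
    birth = getattr(st, "st_birthtime", None)
    if birth is None and os.name == "nt":
        birth = st.st_ctime  # older Python on Windows: st_ctime is the creation time
    return _iso(birth) if birth is not None else ""


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map each file under root (path relative to root, '/' separated) to its
    SHA-256 and three times. stat() runs before the hash read, because reading
    the file to hash it is itself an access that can move the access time."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {
                "sha256": _sha256(full),
                "created": _created(st),
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
            }
    return result


def write_inventory(inv, csv_path):
    with open(csv_path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(FIELDS)
        for rel in sorted(inv):
            w.writerow([rel] + [inv[rel][k] for k in FIELDS[1:]])


def read_inventory(csv_path):
    with open(csv_path, newline="") as f:
        return {row["relpath"]: {k: row[k] for k in FIELDS[1:]}
                for row in csv.DictReader(f)}


def compare(original, produced):
    """Return (relpath, what, original_value, produced_value) for every file
    whose content hash or any of the three times differs between the inventory
    of the original medium and the inventory of the copy to be produced."""
    findings = []
    for rel in sorted(set(original) | set(produced)):
        if rel not in produced:
            findings.append((rel, "missing from produced copy", "", ""))
        elif rel not in original:
            findings.append((rel, "not present in original", "", ""))
        else:
            for k in FIELDS[1:]:
                if original[rel][k] != produced[rel][k]:
                    findings.append((rel, k, original[rel][k], produced[rel][k]))
    return findings


def last_access_setting():
    r"""Read NtfsDisableLastAccessUpdate under
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem (the key the
    article gives) on Windows; None elsewhere. 1 = updates off, 0 = updates on."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\FileSystem") as key:
        return winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")[0]


if __name__ == "__main__":
    # usage: python inventory.py <root> <out.csv>
    #        python inventory.py --compare original.csv produced.csv
    if sys.argv[1:2] == ["--compare"]:
        for finding in compare(read_inventory(sys.argv[2]), read_inventory(sys.argv[3])):
            print(" | ".join(finding))
    else:
        write_inventory(inventory(sys.argv[1]), sys.argv[2])
        print("NtfsDisableLastAccessUpdate on this machine:", last_access_setting())
```

Take the original inventory before any copy, the produced inventory after the copy has finished, and keep both CSVs with the case file. With an ordinary copy the comparison reports a "created" (and usually an "accessed") difference for every file while "modified" and "sha256" stay equal, which is exactly the pattern in the first table above; a copy program that deserves the name "forensic" produces no findings at all, as in the second table. Remember that hashing is itself a read of the file, which is why the script captures the times before it hashes.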