check modified time

Posted on 2012-09-06
Last Modified: 2012-09-13

When a file has been tampered with by someone and they changed the modified time, how can you track the original time at which the files were created? I mean in a security environment, when a security analyst checks the integrity of the files.

Thank you so much
Question by:totoroha

    Expert Comment

    In addition to the "Modified" timestamp there is a "Created" timestamp.  If they only changed the Modified timestamp, then you would still know when the file was created by looking at the Created timestamp.  But I don't really know of any way to determine if those two values were tampered with unless you have a second unaltered copy of the same file.

    Author Comment

    There are 3 values that we can check: created, modified, and accessed. So how can we verify its originality?

    Accepted Solution

    In regard to NTFS, the "true" file MACE information would be to pull the timestamps from the $FILE_NAME attribute (performed by Windows) and compare them to the ones I was looking at from NTFS' $STANDARD_INFORMATION (can be manipulated by a tool) attribute.

    A typical tool that can manipulate timestamps is timestomp. It cannot be used directly to modify all 8 timestamp values, four of which lie in the $STANDARD_INFORMATION attribute of an MFT entry, and the other four in the $FILE_NAME attribute. But if you check the link below, it can eventually make all 8 the same ... so there is a need to trace back.

    I suggest checking this discussion, which you may find useful as it highlights tools and things to note in tracing
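
An added example, not part of the original answer: a minimal Python parser that reads the four timestamps from both $STANDARD_INFORMATION and $FILE_NAME in a raw MFT FILE record and reports two heuristic indicators of timestamp manipulation. The function names, the `build_*` and `to_filetime` helpers and the sample records are constructed for illustration; the code assumes update-sequence fixups have already been applied and reads only the first resident $FILE_NAME attribute.

```python
import struct
from datetime import datetime, timedelta, timezone

SI, FN, END = 0x10, 0x30, 0xFFFFFFFF   # $STANDARD_INFORMATION, $FILE_NAME, end marker
NAMES = ("created", "modified", "mft_changed", "accessed")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks

def mace(record):
    """Return {attr_type: {name: raw FILETIME}} for the first resident $SI and $FN."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", record, 0x14)[0], {}  # first attribute offset
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen == 0:
            break
        if atype in (SI, FN) and record[off + 8] == 0 and atype not in out:
            # content offset is at +0x14; $FN content starts with an 8-byte parent ref
            body = off + struct.unpack_from("<H", record, off + 0x14)[0] + (8 if atype == FN else 0)
            out[atype] = dict(zip(NAMES, struct.unpack_from("<4Q", record, body)))
        off += alen
    return out

def findings(record):
    """Heuristic indicators only; legitimate copies and moves can trigger them too."""
    t = mace(record)
    si, fn, notes = t[SI], t[FN], []
    if si["created"] < fn["created"]:
        when = EPOCH + timedelta(microseconds=si["created"] // 10)
        notes.append(f"$SI created ({when:%Y-%m-%d}) predates $FN created")
    notes += [f"$SI {n} has zero sub-second fraction" for n in NAMES if si[n] % 10**7 == 0]
    return notes

# --- constructed sample records (not taken from a real volume) ---
def build_attr(atype, content):
    # resident attribute header (0x18 bytes), content placed directly after it
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(content), 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + content

def build_record(si_times, fn_times):
    hdr = bytearray(b"FILE" + bytes(0x34))
    struct.pack_into("<H", hdr, 0x14, 0x38)          # first attribute at 0x38
    si = build_attr(SI, struct.pack("<4Q", *si_times) + bytes(16))
    fn = build_attr(FN, bytes(8) + struct.pack("<4Q", *fn_times) + bytes(32))
    return bytes(hdr) + si + fn + struct.pack("<II", END, 0)

def to_filetime(year, month, day, ticks):
    return (datetime(year, month, day, tzinfo=timezone.utc) - EPOCH) // timedelta(seconds=1) * 10**7 + ticks

REAL = [to_filetime(2012, 9, 6, 1234567)] * 4
STOMPED = build_record([to_filetime(2009, 1, 1, 0)] * 4, REAL)  # backdated $SI
CLEAN = build_record(REAL, REAL)
```
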

    Expert Comment

    If you can find a link file (shortcut) associated with the file of interest, such as those located in the 'recent documents' folder, it may have the verification timestamps you're looking for. A link file not only tells you when it was created, but keeps a copy of the timestamps of the file that it points to. See this article for Linkfile In Forensic Examination details:
