totoroha
asked on
check modified time
Hi,
When a file has been tampered with by someone and they changed the modified time, how can you track the original time of the files that have been created? I mean in a security environment, when a security analyst checks the integrity of the files.
Thank you so much
In addition to the "Modified" timestamp there is a "Created" timestamp. If they only changed the Modified timestamp, then you would still know when the file was created by looking at the Created timestamp. But I don't really know of any way to determine if those two values were tampered with unless you have a second unaltered copy of the same file.
ASKER
There are 3 values that we can check: created, modified, and accessed. So how can we verify its originality?
If you can find a link file (shortcut) associated with the file of interest, such as those located in the 'recent documents' folder, it may have the verification timestamps you're looking for. A link file not only tells you when it was created, but keeps a copy of the timestamps of the file that it points to. See this article for Linkfile In Forensic Examination details: http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf
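The link-file check described in the answer above, as an added example that is not part of the original thread: it reads the target's created, accessed and modified times from the 76-byte shell link header (layout per the MS-SHLLINK specification) and compares them with the file's present values. The sample header, dates and the `find_discrepancies` helper are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # fixed LinkCLSID
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_lnk_header(data):
    """Return the target's timestamps and size stored in the 76-byte header."""
    if len(data) < 76:
        raise ValueError("too short for a shell link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link (.lnk) file")
    created, accessed, modified, size = struct.unpack_from("<QQQI", data, 28)
    return {"created": filetime_to_dt(created), "accessed": filetime_to_dt(accessed),
            "modified": filetime_to_dt(modified), "size": size}

def find_discrepancies(snapshot, current):
    """Compare the .lnk snapshot with the target's present timestamps.
    A later 'modified' is normal (file edited after the link was written);
    a changed 'created' or an earlier 'modified' is a lead worth examining."""
    notes = []
    if snapshot["created"] and current["created"] != snapshot["created"]:
        notes.append("created differs from .lnk snapshot")
    if snapshot["modified"] and current["modified"] < snapshot["modified"]:
        notes.append("modified is earlier than .lnk snapshot")
    return notes

# Constructed sample: header of a shortcut to a hypothetical file.
T_CREATED = datetime(2012, 3, 1, 9, 0, tzinfo=timezone.utc)
T_MODIFIED = datetime(2012, 3, 5, 14, 30, tzinfo=timezone.utc)
SAMPLE_LNK = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0, 0x20,
                         dt_to_filetime(T_CREATED), dt_to_filetime(T_MODIFIED),
                         dt_to_filetime(T_MODIFIED), 2048, 0, 1, 0, 0, 0, 0)
# Constructed "current" values, as read from the file system today.
CURRENT = {"created": T_CREATED,
           "modified": datetime(2011, 1, 1, tzinfo=timezone.utc)}

if __name__ == "__main__":
    snap = parse_lnk_header(SAMPLE_LNK)
    print(snap)
    print(find_discrepancies(snap, CURRENT))
```

A mismatch only shows that the file's timestamps no longer agree with what the shortcut recorded when it was last written; a file replaced by a copy also gets a new created time, so treat the result as a lead to corroborate with other artifacts.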