Solved

check modified time

Posted on 2012-09-06
Last Modified: 2012-09-13
Hi,

When a file has been tampered with by someone and they changed the modified time, how can you track the original time the file was created? I mean in a security environment, when a security analyst checks the integrity of the files.

Thank you so much
Question by:totoroha
4 Comments

Expert Comment

by:Seaton007
ID: 38372902
In addition to the "Modified" timestamp there is a "Created" timestamp.  If they only changed the Modified timestamp, then you would still know when the file was created by looking at the Created timestamp.  But I don't really know of any way to determine if those two values were tampered with unless you have a second unaltered copy of the same file.

Author Comment

by:totoroha
ID: 38372926
There are 3 values that we can check: created, modified, and accessed. So how can we verify its originality?

Accepted Solution

by:
btan earned 2000 total points
ID: 38374730
With regard to NTFS, the "true" file MACE information would be obtained by pulling the time stamps from the $FILE_NAME attribute (performed by Windows) and comparing them to the ones I was looking at from NTFS' $STANDARD_INFORMATION (can be manipulated by a tool) attribute.

A typical tool that can manipulate timestamps is timestomp. It cannot be used directly to modify all 8 timestamp values, four of which lie in the $STANDARD_INFORMATION attribute of an MFT entry, and the other four in the $FILE_NAME attribute. But if you check the link below, it can eventually make all 8 the same ... so there is a need to trace back.

http://www.forensicswiki.org/wiki/Timestomp

I suggest checking this discussion, which you may find useful as it highlights tools and things to note in tracing:

http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation/
0
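The $STANDARD_INFORMATION versus $FILE_NAME comparison from the accepted solution, as an added Python example that is not part of the original thread. It assumes a single MFT FILE record has already been extracted and that its fixup values do not overlap the parsed bytes; the function names and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

SI, FN, END = 0x10, 0x30, 0xFFFFFFFF   # $STANDARD_INFORMATION, $FILE_NAME, end marker
NAMES = ("created", "modified", "mft_modified", "accessed")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks

def to_ft(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def mace(record):
    """Return {attr_type: 4 raw FILETIMEs} from resident $SI / $FN attributes."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", record, 0x14)[0], {}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen == 0:
            break
        if atype in (SI, FN) and record[off + 8] == 0:       # resident flag
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            skip = 8 if atype == FN else 0                    # $FN starts with parent ref
            out.setdefault(atype, struct.unpack_from("<4Q", record, body + skip))
        off += alen
    return out

def anomalies(record):
    """Indicators to corroborate, not proof: archive extractors also set old $SI times."""
    t = mace(record)
    found = [f"$SI {n} predates $FN {n}" for n, s, f in zip(NAMES, t[SI], t[FN]) if s < f]
    if all(v % 10**7 == 0 for v in t[SI]):
        found.append("$SI times all have zero sub-second part")
    return found

def _attr(atype, content):  # constructed resident attribute: 24-byte header + content
    body = content + b"\0" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHH", atype, 24 + len(body), 0, 0, 24, 0, 0,
                       len(content), 24, 0) + body

def sample_record(si, fn):  # constructed record, not taken from a real volume
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)                   # offset of first attribute
    return (bytes(hdr) + _attr(SI, struct.pack("<4Q", *si) + b"\0" * 16)
            + _attr(FN, b"\0" * 8 + struct.pack("<4Q", *fn) + b"\0" * 26)
            + struct.pack("<I", END))

written = to_ft(datetime(2012, 9, 5, 14, 3, 27, 481516, tzinfo=timezone.utc))
forged = to_ft(datetime(2009, 1, 1, tzinfo=timezone.utc))
clean = sample_record([written] * 4, [written] * 4)
stomped = sample_record([forged] * 4, [written] * 4)          # only $SI rewritten
print(anomalies(stomped))
```

If all eight values have been made identical, as the answer warns is possible, this comparison returns nothing and other sources are needed.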

Expert Comment

by:SirtenKen
ID: 38395878
If you can find a link file (shortcut) associated with the file of interest, such as those located in the 'recent documents' folder, it may have the verification timestamps you're looking for. A link file not only tells you when it was created, but keeps a copy of the timestamps of the file that it points to. See this article for Linkfile In Forensic Examination details: http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf