baleman2
asked on
How do I find the date and time a File/Folder/Software was copied or installed on a Windows 2008 server?
Unless I'm missing something very obvious, I'm dabbling a bit in computer forensics on one of our company servers. I'm trying to determine the date that Folders/Files were copied from a DVD to a shared folder on the server's hard drive.
A Right-Click on the Folder with a look at "Properties" provides me with Date Created. However, the date shown here just doesn't jibe with the memory of those end users who initially used Copy/Paste to place the folder on the hard drive from the DVD.
Is there any way that the Server would have recorded this information?
A Right-Click on the Folder with a look at "Properties" provides me with Date Created. However, the date shown here just doesn't jibe with the memory of those end users who initially used Copy/Paste to place the folder on the hard drive from the DVD.
Is there any way that the Server would have recorded this information?
Brent Arnold
Is the date/time of the created folder before or after the customer's recollection? I've never seen a folder take a date/time PRIOR to it's true created date. Sometimes editing a folder will reflect a later date, but that's not necessarily the same as date created.
ASKER
We have documentation requesting that this Folder (full of Adobe PDF templates) be installed on a particular date in July 2012. Properties of the Folder show "Date Created" to be February 2013. We don't believe the person responsible for the Copy/Paste procedure would have waited that many months to complete such a simple task. Because of the information contained within the folder, it's important that we find the date, if possible, of installation.
If the folder was moved it takes the created date of the move, modified date is also the date of the move. ie if you move a folder today(and move it back if you like), it takes today's date for created and modified.
ASKER
To Angela:
So, let me get a bit more specific. Pick the date of October 1, 2013. I drop a DVD into the drive that contains a folder named "TEST". It has 20 subfolders, which, in turn, have 20 different .pdf files in each subfolder. Let's call one of these subfolders "SUB1".
When I copy the "TEST" folder from the DVD to a shared drive on the server, the "Date Created" for the "TEST" folder is October 1, 2013. Does this date remain static forever? That is, if I open the subfolder named "SUB1" and modify/save some of the .pdf files contained in that subfolder, what, if anything happens to the "Date Created" and "Date Modified" properties of the main folder named "TEST"?
Our issue is that we need to know with some certainty that the "TEST" folder was absolutely moved to the server on October 1, 2013.
So, let me get a bit more specific. Pick the date of October 1, 2013. I drop a DVD into the drive that contains a folder named "TEST". It has 20 subfolders, which, in turn, have 20 different .pdf files in each subfolder. Let's call one of these subfolders "SUB1".
When I copy the "TEST" folder from the DVD to a shared drive on the server, the "Date Created" for the "TEST" folder is October 1, 2013. Does this date remain static forever? That is, if I open the subfolder named "SUB1" and modify/save some of the .pdf files contained in that subfolder, what, if anything happens to the "Date Created" and "Date Modified" properties of the main folder named "TEST"?
Our issue is that we need to know with some certainty that the "TEST" folder was absolutely moved to the server on October 1, 2013.
I will try the affect of touching files in the subfolder tomorrow and report back.
What I can definitely tell you is that if the test folder itself was moved, perhaps by accidentally dragging it under anothet folder, and then moved back, it will take on the created date of the move- not when it was first created on the machine.
I had a quick look for other date attributes but there only seem to be created, modified and accessed, no help to you.
Can you perhaps locate othet files that may havr used the templates and get some sort of cross check from them?
What I can definitely tell you is that if the test folder itself was moved, perhaps by accidentally dragging it under anothet folder, and then moved back, it will take on the created date of the move- not when it was first created on the machine.
I had a quick look for other date attributes but there only seem to be created, modified and accessed, no help to you.
Can you perhaps locate othet files that may havr used the templates and get some sort of cross check from them?
I know this is a silly question but do you have no form of incremental backup to look up the history of this file?
ASKER
We backup nightly to a DPM server, but keep only 4 consecutive days of backups. We're attempting to establish the date that this folder was first copied to the Server's hard drive. We know this occurred sometime in 2013. The DPM server wouldn't help me here, would it?
I know that you only keep 4 consecutive days of backups, but it doesn't necessarily mean you only have 4 days of backup reports. My backups send a report of each transaction. I didn't know if you could look at the backup reports for your answer.
Apologies, I cannot recreate the date change I'm sure I had yesterday.
Today I created c:\test waited one minute and created test\sub, one more minute and created a file under sub.
Test create date has not changed. Test modified date is altered when a subfolder is added or moved. The creation date remains, even moving the folder keeps the create date to when it was created on the machine.
There are utility programs which allow you to alter all dates and times, but I can't imagine why someone would have altered that folder.
I can think of a few possibilities for you:
User had a replacement machine or new disk or a rebuild - check company records/other folder dates on the machine.
User intended to do the copy but the dvd was unobtainable until later - check other emails around that date perhaps trying to locate the disk, or chasing the job to see if it was copied yet.
Copy was done but to the wrong location and not discovered until 2012 when it was corrected.
A software update caused the date change - may be able to check update release dates of the product.
I would check all the date ranges on the machine to see if there could have been a significant rebuild and check all communication around your two dates looking for any mention of activity involving the program, the templates, or the dvd/copying job.
(still trying to alter the create date in some way).
Today I created c:\test waited one minute and created test\sub, one more minute and created a file under sub.
Test create date has not changed. Test modified date is altered when a subfolder is added or moved. The creation date remains, even moving the folder keeps the create date to when it was created on the machine.
There are utility programs which allow you to alter all dates and times, but I can't imagine why someone would have altered that folder.
I can think of a few possibilities for you:
User had a replacement machine or new disk or a rebuild - check company records/other folder dates on the machine.
User intended to do the copy but the dvd was unobtainable until later - check other emails around that date perhaps trying to locate the disk, or chasing the job to see if it was copied yet.
Copy was done but to the wrong location and not discovered until 2012 when it was corrected.
A software update caused the date change - may be able to check update release dates of the product.
I would check all the date ranges on the machine to see if there could have been a significant rebuild and check all communication around your two dates looking for any mention of activity involving the program, the templates, or the dvd/copying job.
(still trying to alter the create date in some way).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sorry for double post, I'm blaming the new site look and feel!
Unlikely but possible.
Right click folder Send to>compressed/zipped folder.
Delete the original and unzip the compressed one. The create date is when it was unzipped, files within it keep their original date.
Right click folder Send to>compressed/zipped folder.
Delete the original and unzip the compressed one. The create date is when it was unzipped, files within it keep their original date.