As the subject states, how much do file time stamps matter to a forensics case? If someone finds my collection of "Nazi albino midget Eskimo" porn, does it really matter what the date is? I see timestomp (let me know if there are better tools) lets you change the MACE times of a file in Windows to whatever you want, but if you use the -r option to set the time stamp to the 17th century that's obviously bogus, and setting it far in the future is little good either as far as I can tell. Having a scheduled job of some kind that sets the times a few days later than the current time may be useful, so that when the box is acquired time stamps show files that have changed since the seizure. In a court case, how important are time stamps? Anyone really do this for a living that can give me insight?
Thanks, Adrian
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
