While it can create an issue when a user is able to modify timestamps,
those that they can't change, such as last access time, can prove useful.
These stamps can yield information on probes of files not actively
looked at by others, giving evidence of probing for vulnerable
configuration settings by a malicious user where they are unable to
make modifications to those files but have read access to them. This
only works on filesystems that record that stamp and didn't
shortsightedly disable it (i.e. Vista) for performance reasons, and where
automatic processes (indexing, virus scans, etc.) haven't run on them
since the incident in question occurred.

On 8/12/09, David Kovar <[email protected]> wrote:
> Greetings,
>
> Timestamps are one clue to a subject's activity but are rarely the
> smoking gun, for many reasons. They can be intentionally modified,
> various automated processes can update them, the system's clock may be
> off (intentionally or accidentally), various actions may not preserve
> them, ....
>
> Used in conjunction with other information, file system or metadata
> timestamps can be very useful. If the physical security log at the
> front desk shows the subject entering the building 15 minutes before
> they log on to the domain server and then the prefetch shows Limewire
> running right after that, leading to files being created shortly after
> that ....
>
> -David
>
>
> On Wed, Aug 12, 2009 at 3:14 AM, Jim Halfpenny<[email protected]>
> wrote:
>> Timestamps may matter a lot if you refute your role in downloading such
>> niche bedtime reading. The old, "A virus must have downloaded it,"
>> might have less credibility if timestamps show the files to have been
>> created over a considerable period of time.
>>
>> Remember that evidence in isolation may seem meaningless. If, for
>> example, you have corroborating evidence from browser history, logs or
>> ISP records, timestamps might provide strong evidence.
>>
>> Jim
>>
>> On 12/08/2009, Grymoire <[email protected]> wrote:
>>>
>>>> As the subject states, how much do file time stamps matter to a forensics
>>>> case? If some one finds my collection of "Nazi albino midget Eskimo" porn,
>>>> does it really matter what the date is?
>>>
>>> I'm not a forensic expert, but as I understand it,
>>> Timestamps help paint an accurate recreation of events.
>>>
>>> An expert describes a series of events, such as entries in the log
>>> file, access times, modifications times, etc, registry entries, etc.
>>>
>>> Some experts say that you can usually re-create an event even if
>>> someone tries to hide their traces (i.e. modify timestamps). I think a
>>> lot depends on the OS and logging capability.
>>>
>>>
>>> And if the log is stored on a centralized log server, hiding traces is
>>> more difficult.
>>>
>>>
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>>
>>
>> --
>> Sent from my mobile device
>>
>

-- 
Sent from my mobile device

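As an added illustration of the triage the first message describes (not code from any of the posters), this script buckets files by whether their last-access stamp is newer than an incident time while their modification stamp is not, and first checks that the volume appears to maintain atime at all. The incident time and the three sample file names are constructed for the demo; os.utime() sets the stamps directly, so no real activity is simulated.

```python
import os
import tempfile

# Constructed incident time (epoch seconds, about 2009-08-11; a hypothetical value).
INCIDENT_TS = 1_250_000_000

def classify(atime: float, mtime: float, incident_ts: float) -> str:
    """Bucket one file by what its stamps say happened since the incident.
    mtime newer: written after (write access, or an automated process).
    atime newer but mtime older: read but not changed, the read-only
    probing signal described in the thread. Otherwise: no recorded activity."""
    if mtime >= incident_ts:
        return "modified-after"
    if atime >= incident_ts:
        return "read-after"
    return "untouched"

def atime_is_maintained(paths) -> bool:
    """Sanity check before trusting 'untouched': if no file has an atime newer
    than its mtime, the volume is probably mounted noatime or the stamp was
    disabled (as on Vista), and the absence of a fresh atime means nothing."""
    return any(os.stat(p).st_atime > os.stat(p).st_mtime for p in paths)

def triage(paths, incident_ts: float) -> dict:
    """Apply classify() to real files. ctime is deliberately not compared:
    os.utime() cannot set it, so the constructed sample could not exercise it."""
    verdicts = {}
    for p in paths:
        st = os.stat(p)
        verdicts[os.path.basename(p)] = classify(st.st_atime, st.st_mtime, incident_ts)
    return verdicts

def build_sample() -> list:
    """Create three constructed files in a temp dir and set their stamps with
    os.utime(): one read after the incident, one written after, one idle."""
    d = tempfile.mkdtemp(prefix="atime_demo_")
    spec = {  # name: (atime, mtime); names are constructed sample labels only
        "sshd_config": (INCIDENT_TS + 600, INCIDENT_TS - 86400),
        "sudoers": (INCIDENT_TS + 900, INCIDENT_TS + 900),
        "shadow": (INCIDENT_TS - 3600, INCIDENT_TS - 7200),
    }
    paths = []
    for name, (at, mt) in spec.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("# constructed sample\n")
        os.utime(p, (at, mt))
        paths.append(p)
    return paths
```

Running `triage(build_sample(), INCIDENT_TS)` reports the first file as read-after, the second as modified-after and the third as untouched; on a real volume, run `atime_is_maintained()` over the candidate set first, since an all-"untouched" result on a noatime mount proves nothing.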