Change = addition, deletion or change of any single BYTE/character, even if it doesn't change the meaning of a file
For example: adding a single extra space to a term paper; it still reads the same, but it has been altered
Access (atime): The time the file was last touched, even if not changed
Creation (ctime): The timestamp of a file's creation on a volume (disk)
Timestamps
Operating system dependent
Ex: Windows bases a timestamp on elapsed time since
Granularity
Refers to the precision of our time: how small a window of time (day/hour/minute/second)
Dependent on Operating System
Dependent on File System
Windows XP
Can use NTFS file system to record files on the disk
Can use FAT32 to record files on the disk
FAT32 typically used for removable media, such as USB or Flash Cards (such as in cameras)
Atime can be precise to the *date*, but perhaps not a time of day
Ctime can note the actual time and date down to 2/100s of a
Discrepancies
File's ctime occurs *after* the atime or mtime
Possible if:
Somebody played with the timestamps
The file was moved/copied to another volume (disk)
It's created on that new disk at that date/time, but OS and File System might retain the original atime and mtime
Windows Vista: Default indicates that the update of the atime is turned off by default
Not necessarily intentional on the part of the user to hide the time details!
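A check for the discrepancy described above, as an added example that is not part of the original slides: it flags files whose creation time falls after the modified or accessed time, and compares against atime at a coarser granularity so that a date-only atime is not misread as a discrepancy. The record fields, the sample values and the one-day atime granularity are assumptions constructed for illustration, and all times are taken to be UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from the original slides). "created" is what
# the slides call ctime: the file's creation time on the current volume.
UTC = timezone.utc
SAMPLE = [
    {"name": "report.doc",
     "created":  datetime(2009, 3, 2, 14, 5, 10, tzinfo=UTC),
     "modified": datetime(2009, 3, 2, 16, 40, 0, tzinfo=UTC),
     "accessed": datetime(2009, 3, 3, 0, 0, 0, tzinfo=UTC)},
    {"name": "copied.jpg",    # created on this volume after its last change
     "created":  datetime(2009, 3, 5, 9, 0, 0, tzinfo=UTC),
     "modified": datetime(2009, 1, 20, 11, 30, 0, tzinfo=UTC),
     "accessed": datetime(2009, 3, 5, 0, 0, 0, tzinfo=UTC)},
    {"name": "same_day.txt",  # atime recorded as a date only (midnight)
     "created":  datetime(2009, 3, 6, 10, 15, 0, tzinfo=UTC),
     "modified": datetime(2009, 3, 6, 10, 15, 0, tzinfo=UTC),
     "accessed": datetime(2009, 3, 6, 0, 0, 0, tzinfo=UTC)},
]

def floor_to(ts, granularity):
    """Round a timestamp down to the precision the file system can record."""
    ts = ts.astimezone(UTC)
    epoch = datetime(1970, 1, 1, tzinfo=UTC)
    return ts - ((ts - epoch) % granularity)

def find_discrepancies(records, atime_granularity=timedelta(days=1)):
    """Return (name, reason) for files created after their mtime or atime."""
    findings = []
    for r in records:
        created = r["created"].astimezone(UTC)
        if created > r["modified"].astimezone(UTC):
            findings.append((r["name"], "created after modified"))
        # Compare at atime's precision so a date-only atime is not misread.
        if floor_to(created, atime_granularity) > floor_to(r["accessed"], atime_granularity):
            findings.append((r["name"], "created after accessed"))
    return findings

if __name__ == "__main__":
    for name, reason in find_discrepancies(SAMPLE):
        print(f"{name}: {reason}")
```

A finding is a lead to explain (copy to another volume, altered timestamps), not proof of tampering.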
Discrepancies
Examination of the contents of a file might indicate that the file
Is the date or time inside the file itself a result of the user's effort (he or she typed it), or did the software package being used insert it?
If the system time is off, the file timestamps will also be off in relation to real time
Do timezone differences come into play?
Do we need to consider Daylight Saving Time?
CSI Challenge
The assumption is that any obvious time discrepancy
investigators CD) which outlines how you should view times in terms of evaluating your investigation
For example, you might be directed to specifically ignore certain timestamps only
Do not ignore, unless specifically directed to do so!!!