How to determine if File Creation Date is correct


bgrazier, New Member, Jun 6, 2006, #1
Is it possible to determine if a file creation date is correct, or at the very least plausible? Clearly one may change their system date/time, create a file on this "incorrect date", and then change their system date/time back afterwards. In this instance the file creation date will be this "incorrect date". However, I am hoping there may be a way to prove whether (and when) such a system date change took place, or to determine through FAT analysis that the sequence of FAT entries in which the subject file was first saved proves that the file creation date is not plausible (for example, 10 files created on 1/1/06, followed by the subject file "created on" 1/1/05, followed by 10 files created on 1/2/06 might suggest that the actual creation date of the subject file was NOT 1/1/05, but rather 1/1/06 or 1/2/06). Any ideas/suggestions/references/tools would be greatly appreciated. -BG
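The slot-order check described above, written out as an added example (not code from the thread): it walks FAT directory entries in their on-disk order and flags any entry whose creation stamp is far earlier than both of its neighbours. The entry names and dates are constructed to mirror the scenario in the post.

```python
from datetime import datetime, timedelta

# Constructed sample (not from the thread): directory entries in on-disk slot
# order, each with the creation stamp from its 32-byte FAT directory entry.
# Ten files dated 1/1/06, the subject file dated 1/1/05, ten files dated 1/2/06.
SAMPLE_ENTRIES = (
    [("REPORT%02d.DOC" % i, datetime(2006, 1, 1, 9, i)) for i in range(10)]
    + [("SUBJECT.DOC", datetime(2005, 1, 1, 12, 0))]
    + [("NOTES%02d.TXT" % i, datetime(2006, 1, 2, 10, i)) for i in range(10)]
)


def out_of_sequence(entries, tolerance=timedelta(days=1)):
    """Flag entries whose creation stamp breaks the slot-order chronology.

    FAT hands out directory slots in roughly the order files are created, so
    creation times should not drop sharply from one slot to the next. An
    entry dated more than `tolerance` earlier than BOTH its neighbours is
    reported together with the window its neighbours bound (the likely real
    creation date). Entries at either end have only one neighbour and are
    not checked. Heuristic only: FAT reuses freed slots, and installers or
    restores write files carrying their original stamps.
    """
    findings = []
    for i in range(1, len(entries) - 1):
        name, created = entries[i]
        before, after = entries[i - 1][1], entries[i + 1][1]
        if before - created > tolerance and after - created > tolerance:
            findings.append({"name": name, "claimed": created,
                             "likely_between": (before, after)})
    return findings


if __name__ == "__main__":
    for f in out_of_sequence(SAMPLE_ENTRIES):
        print("%s claims %s but sits between entries dated %s and %s" % (
            f["name"], f["claimed"], *f["likely_between"]))
```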
 

Prickaerts, Administrator, Jan 2, 2006, #2
Hi B,

One of the first things we do is find evidence of (regular) time-sync activity.

When some documents are created/opened, .LNK files are created. The timestamps of these files should correspond with the file you are researching (if a corresponding .LNK file is present).

Also, depending on the filetype, it is possible Metadata can shed some light on creation date/time.

It is hard to spot manual time changes. If someone wants to trick a forensic investigator it is certainly possible.

Cheers,

Chris
 
andy1500mac, Aug 19, 2005, #3
You might also find some information in the userassist registry key.

If you suspect the person has changed the time using the Date and Time CPL (either in the Control Panel or bottom right of the taskbar) you can try and correlate the Windows 64-bit timestamp for the UserAssist entry (try using decode.exe from Digital Detectives) and hope it matches up around the times you think the person may have changed the files.

If for example you change your date from June 2006 to June 2000 and then change it back...from what I have seen the last UserAssist entry date (timestamp wise) is the June 2000 one. Nothing definitive, and you may want to test this yourself a number of ways as I have just run some basics...

I can't remember if there is a prefetch entry as well (I did a quick time change and nothing showed up) so...

Hope it helps:

UserAssist value for Date and Time (CPL) is: HRZR_EHAPCY:gvzrqngr.pcy
The second eight bytes are your 64-bit timestamp.

All this assuming you are using XP…

Hope it helps.
 

nitinchfi, New Member, Nov 12, 2005, #4
andy1500mac said:
You might also find some information in the userassist registry key.

If you suspect the person has changed the time using the Date and Time CPL (either in the Control Panel or bottom right of the taskbar) you can try and correlate the Windows 64-bit timestamp for the UserAssist entry (try using decode.exe from Digital Detectives) and hope it matches up around the times you think the person may have changed the files.

If for example you change your date from June 2006 to June 2000 and then change it back...from what I have seen the last UserAssist entry date (timestamp wise) is the June 2000 one. Nothing definitive, and you may want to test this yourself a number of ways as I have just run some basics...

I can't remember if there is a prefetch entry as well (I did a quick time change and nothing showed up) so...

Hope it helps:

UserAssist value for Date and Time (CPL) is: HRZR_EHAPCY:gvzrqngr.pcy
The second eight bytes are your 64-bit timestamp.

All this assuming you are using XP…

Hope it helps.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}\Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

The keys you will find are encrypted in an old fashion called ROT13 encryption, which is basically character shifting by 13.

Google for more info on ROT13.

Also, there are many C, Perl and PHP scripts to get you the decrypted values.

Hope this helps
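The decoding described in posts #3 and #4, as an added example rather than one of the scripts the poster refers to: it undoes the ROT13 on the value names, unpacks the XP-era 16-byte Count data (the FILETIME sits in the second eight bytes, as #3 says) and pulls out the last-run stamp of timedate.cpl so it can be lined up against the suspect file's creation time. The registry data is constructed; only the ROT13 applet name is taken from the thread.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name):
    """Undo the ROT13 on a UserAssist value name (only letters shift)."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_xp_count(data):
    """XP-era 16-byte Count data: 4-byte session id, 4-byte run counter,
    then the 64-bit FILETIME in the second eight bytes (little-endian)."""
    if len(data) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(data))
    session, runs, ft = struct.unpack("<IIQ", data)
    return session, runs, filetime_to_datetime(ft)


def decode_userassist(count_values):
    """{rot13_name: raw_bytes} -> list of (name, session, runs, last_run)."""
    return [(rot13(k),) + parse_xp_count(v) for k, v in count_values.items()]


def timedate_cpl_last_run(rows):
    """Last-run stamps of the Date and Time applet: the moments to compare
    against the suspect file's creation time."""
    return [last for name, _, _, last in rows
            if name.lower().endswith("timedate.cpl")]


# Constructed sample (not registry data from the thread): the applet name as
# quoted in post #3 plus one other ROT13 name, each with 16-byte XP data. The
# applet stamp is set to June 2000 to mirror the poster's experiment.
SAMPLE_COUNT = {
    "HRZR_EHAPCY:gvzrqngr.pcy": struct.pack("<IIQ", 0, 7, datetime_to_filetime(
        datetime(2000, 6, 15, 14, 30, tzinfo=timezone.utc))),
    codecs.encode("UEME_RUNPATH:C:\\WINDOWS\\NOTEPAD.EXE", "rot_13"): struct.pack(
        "<IIQ", 0, 3, datetime_to_filetime(datetime(2006, 6, 15, 9, 0, tzinfo=timezone.utc))),
}
```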
 

saxon68, New Member, Feb 14, 2007, #5
Also another kinda silly way of checking, but if you have files that are "older" than the ones put on the machine when Windows was installed, could that indicate a bit of mucking with the system time?
 

RobertR, New Member, Jun 3, 2007, #7
Time Shifting

You could also look to see if there was internet-related activity at the same time..... Things like e-mails or web browsing.... look at the e-mail headers and/or index.dat entries and the times should be in UTC.... E-mail hops in e-mail headers will always show the timestamp of the MTA when it hits it.... kind of telling when the hops before it hits your client show times that it sent the mail several months or years after your suspect computer received it.
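The header comparison described above, as an added example (not code from the poster): it reads the relay stamps from the Received headers of a message and measures how far the suspect machine's own receive time falls behind the newest relay. The message and the local receive time are constructed; the relays stamp June 2006 while the local clock says June 2000.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the thread): two MTA hops, newest on
# top, both stamped in UTC by the relays in June 2006.
SAMPLE_RAW = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP; Thu, 15 Jun 2006 14:31:02 +0000
Received: from smtp.example.com (smtp.example.com [192.0.2.20])
\tby mx.example.net with ESMTP; Thu, 15 Jun 2006 14:30:40 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed sample
Date: Thu, 15 Jun 2006 14:30:12 +0000

body
"""

# Constructed local evidence: the time the suspect machine's own clock gave
# the message (e.g. the creation stamp of the stored .eml), converted to UTC.
LOCAL_RECEIVED = datetime(2000, 6, 15, 14, 32, tzinfo=timezone.utc)


def mta_hop_times(raw):
    """Timestamps each relay wrote, taken from the Received headers."""
    msg = message_from_string(raw)
    return [parsedate_to_datetime(h.rsplit(";", 1)[1].strip())
            for h in msg.get_all("Received", [])]


def clock_skew(raw, local_received):
    """How far the local clock lagged the relays when the mail arrived.

    A message cannot reach the client before the last relay stamped it, so a
    local stamp earlier than the newest hop (beyond a small tolerance for
    ordinary drift) means the machine's clock was set back at that time."""
    newest_hop = max(mta_hop_times(raw))
    return newest_hop - local_received


if __name__ == "__main__":
    skew = clock_skew(SAMPLE_RAW, LOCAL_RECEIVED)
    if skew > timedelta(minutes=5):
        print("local clock was behind the relays by", skew)
```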
 

slackspace, New Member, Jun 19, 2006, #8
I also look over the .evt logs to see if there are abnormalities as well as the windowsupdate.log. There are too many tracks to cover if they were to change date/times on the machine.
 

athulin, Experienced Member, Oct 18, 2007, #10
saxon68 said:
Also another kinda silly way of checking, but if you have files that are "older" than the ones put on the machine when Windows was installed, could that indicate a bit of mucking with the system time?
It could. But, just as with files 'created' during a period when a computer was known to be turned off, these are often files that have been installed (or restored) along with their original time stamps. Windows Update does that, for example.

Deeper analysis is needed to decide what has actually taken place.
 
