NTFS, Timestamps And Deleted Files


pgm554

New Member
Mar 23, 2007
21
0
#1
I need to know, from a technical standpoint, what happens to the time stamp when a file is deleted off of an NTFS system.

If the file is recovered using a forensic program, is the time stamp that is left only of its original creation date and not when it was last accessed?

I get the impression that NTFS tracks the access and modification times and stores them in its MFT, then, once the file is deleted, the access dates are removed from NTFS and only the original creation date is there.

Please enlighten.
 

kern

New Member
Mar 9, 2007
567
0
#2
If the file is recovered using a forensic program, is the time stamp that is left only of its original creation date and not when it was last accessed? ... Please enlighten.
Depends on the file. Digital photographs for instance carry all that data for themselves, not as part of a FAT.

Try this:
Create a file on your suggested system
check the timestamps (modified accessed created etc)
Open the file and re save it
check the timestamps again
Delete the file
then
recover the file to another drive
check the timestamps yet again
compare results

The only way to be sure of anything is to do it for yourself, as no-one can really second guess your circumstances.

Kern
 

pgm554

New Member
Mar 23, 2007
21
0
#3
$MFT

From what I have read, you may be able to use the $MFT to reconstruct the timestamps even after a delete.

This can get a bit involved. I just sent an email to the guy that wrote the article on how to properly wipe a disk (CERT guy over at UNLV) and hopefully he can give a bit more insight.

As it turns out, some wipe programs don't do a good job on the $MFT and it appears as if the $MFT can be used to recover timestamps.

I am consulting on a case where a few illegal images were found on a hard drive after being deleted.

I am researching as to whether or not recent access (viewing) can be proved or disproved by the timestamps.
 

kern

New Member
Mar 9, 2007
567
0
#4
Ah, sorry, now I understand your angle.

Maybe it'll work, maybe not. As you say, it depends on what wipe program was used.
Here's some good info re what happens with the NTFS MFT and such (attributes thus may still exist):

sleuthkit.org/sleuthkit/docs/skins_ntfs.html

I've seen it where the file name can be recovered after a multipass wipe of the original file, but it's an empty/garbage-filled/zero-byte file, so maybe some relevant data can be recovered from the FAT even after Eraser wiped the file.

Have you also considered looking for thumbs.db files?

Details of the original images can be pulled from these files, kept by Windows. If someone has viewed them inside Windows Explorer using the Thumbnail view, they'll be stored and I believe you can glean file info etc. ... let me find the link where I read that.

It may be that some cleaners overlook these files ...

hth

Kern
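To make concrete what posts #2 and #3 are getting at (the $MFT keeping timestamps after a delete), here is an added example that is not from this thread or any tool mentioned in it. NTFS keeps two sets of four timestamps per record, in $STANDARD_INFORMATION and $FILE_NAME; deleting a file only clears the record's in-use flag, and both attributes stay readable until the entry is reused. The script builds a constructed, deleted MFT record and parses it back; the function names and sample times are my own, and it skips the update-sequence fixups a real on-disk record would need.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def _attr(atype, content):
    # Resident attribute: 24-byte header, then content, padded to 8 bytes.
    total = 24 + len(content); total += (-total) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(total, b"\0")

def build_record(in_use, si_times, fn_times, name):
    # Constructed 1024-byte record: header, $STANDARD_INFORMATION (0x10), $FILE_NAME (0x30), end marker.
    hdr = bytearray(0x38); hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, 1 if in_use else 0)   # first-attribute offset, flags
    si = struct.pack("<4Q", *map(dt_to_filetime, si_times)) + bytes(16)          # 48-byte SI body
    fn = struct.pack("<Q4Q", 5, *map(dt_to_filetime, fn_times)) + bytes(24)      # parent ref, times, sizes/flags
    fn += struct.pack("<BB", len(name), 3) + name.encode("utf-16-le")            # name length, namespace, name
    rec = bytes(hdr) + _attr(0x10, si) + _attr(0x30, fn) + b"\xff\xff\xff\xff"
    return rec.ljust(1024, b"\0")

def parse_record(rec):
    # Returns the in-use flag plus the four timestamps carried by each attribute.
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 1)}                    # bit 0 clear => file deleted
    names = ("created", "modified", "mft_modified", "accessed")
    while off + 24 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if not nonres and atype in (0x10, 0x30):
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            base = off + coff + (8 if atype == 0x30 else 0)   # $FILE_NAME starts with the parent reference
            times = struct.unpack_from("<4Q", rec, base)
            key = "$STANDARD_INFORMATION" if atype == 0x10 else "$FILE_NAME"
            out[key] = dict(zip(names, map(filetime_to_dt, times)))
        off += alen
    return out

def deleted_record_example():
    # A file created on 1 March, last accessed 20 March, then deleted (in_use=False).
    t0 = datetime(2007, 3, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2007, 3, 20, 17, 30, tzinfo=timezone.utc)
    return parse_record(build_record(False, (t0, t0, t1, t1), (t0, t0, t0, t0), "image01.jpg"))

if __name__ == "__main__":
    for k, v in deleted_record_example().items():
        print(k, v)
```

The deleted record still yields the last-accessed time from $STANDARD_INFORMATION, which is the value the original question assumed was lost; whether it reflects a real viewing is a separate question, since last-access updating can be disabled on a volume.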
 
