"M-A-C times" PowerPoint

MAC Times
- Modification (mtime)
  - When the file contents were CHANGED
  - Change = addition, deletion or change of any single BYTE/character, even if it doesn't change the meaning of a file
  - For example: adding a single extra space to a term paper; it still reads the same, however it has been altered
- Access (atime)
  - The time the file was last "touched", even if not changed
- Creation (ctime)
  - The timestamp of a file's creation on a "volume" (disk)
Timestamps
- Operating system dependent
- Ex: Windows bases a timestamp on elapsed time since Jan 01, 1601, midnight
  - Time elapsed in nanoseconds (billionths of a second)
- MAC timestamps require a different "algorithm" (formula) for conversion to calendar date/time
Granularity
- Refers to the "precision" of our time: how small a window of time (day/hour/minute/second)
- Dependent on Operating System
- Dependent on File System
- Windows XP
  - Can use the NTFS file system to record files on the disk
  - Can use FAT32 to record files on the disk
  - FAT32 typically used for removable media, such as USB or Flash Cards (such as in cameras)
- Forensic software (or the analyst) needs to know the systems involved in order to interpret the time properly
- Atime can be precise to the *date*, but perhaps not a time of day
- Ctime can note the actual time and date down to 2/100's of a second (depending on Operating System)
Discrepancies
- File's ctime occurs *after* the atime or mtime
- Possible if:
  - Somebody played with the timestamps
  - The file was moved/copied to another "volume" (disk)
    - It's "created" on that new disk at that date/time, but the OS and File System might retain the original atime and mtime
- Windows Vista
  - The update of the atime is turned off by default
  - Not necessarily intentional on the part of the user to hide the time details!
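Worked example for the Timestamps and Discrepancies slides, added here and not part of the original deck: it converts raw Windows FILETIME values (assumed here to be the count of 100-nanosecond ticks since midnight, Jan 01, 1601 UTC) to calendar dates and then flags a ctime that falls after the mtime or atime, the ordering the slide attributes to a copy/move to another volume or to altered timestamps. All sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows stores file times as a 64-bit count of 100-nanosecond "ticks"
# since midnight, January 1, 1601 UTC (the FILETIME epoch).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks):
    """Convert a raw FILETIME tick count into a calendar date/time (UTC)."""
    if not 0 <= ticks < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    # One tick is 100 ns, so ten ticks make one microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used to build the constructed sample timestamps."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def mac_discrepancies(mtime, atime, ctime):
    """Flag the ordering the slides call out: a creation time later than the
    modification or access time. That happens when a file is copied or moved
    to a new volume (the original mtime/atime travel with it) or when the
    timestamps were altered; the analyst still has to decide which."""
    flags = []
    if ctime > mtime:
        flags.append("ctime after mtime")
    if ctime > atime:
        flags.append("ctime after atime")
    return flags


def sample_report():
    """Constructed example (not real evidence): a document last edited on
    March 10 and read on March 12, then copied to a second volume on March 14."""
    utc = timezone.utc
    mtime = datetime_to_filetime(datetime(2009, 3, 10, 9, 15, tzinfo=utc))
    atime = datetime_to_filetime(datetime(2009, 3, 12, 0, 0, tzinfo=utc))
    ctime = datetime_to_filetime(datetime(2009, 3, 14, 16, 30, tzinfo=utc))
    return {
        "mtime": filetime_to_datetime(mtime).isoformat(),
        "atime": filetime_to_datetime(atime).isoformat(),
        "ctime": filetime_to_datetime(ctime).isoformat(),
        "flags": mac_discrepancies(mtime, atime, ctime),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(key, value)
```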
Discrepancies
- Examination of the contents of a file might indicate that the file was not created or modified when the timestamp claims it was
  - Content of the document lists a date or time indicating a creation prior to the "external" time
  - Might indicate an effort to hide or "forge" the time of a file
  - Is the date or time inside the file itself a result of the user's effort (he or she typed it), or did the software package being used insert it?
- Remember:
  - Timestamps are based on the computer's system time
  - If the system time is "off", the file timestamps will also be "off" in relation to real time
  - Do timezone differences come into play?
  - Do we need to consider Daylight Savings Time?
  - Not for the CSI Challenge!!!
CSI Challenge
- The assumption is that any obvious time discrepancy is an effort on the part of an investigation's subject to hide or obfuscate details
- NOTE:
  - You will receive a note in your packet (along with the investigator's CD) which outlines how you should view times in terms of evaluating your investigation
  - For example, you might be directed to specifically ignore certain timestamps only
  - Do not ignore, unless specifically directed to do so!!!