±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36290
New Yesterday: 2 Visitors: 182

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

A: your opinions plz

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts

Senior Member

A: your opinions plz

Post Posted: Jun 29, 05 14:36


I was curious what conclusion everyone would arrive at if they say this in an investigation.

In the recent folder

A:\reallysecretstuff.doc .lnk file

M 6/1/05
A 6/1/05
C 5/31/05

the actual file reallysecretstuff (please forgive the really cheesy name) woulld have times like

M 4/23/05
A 4/23/05
C 4/1/05

Would you think the file was recently copied from the hard drive to a floppy?

A copy from a floppy was recently viewed?

Thank you for your opinions, hope everyone has a good day.
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 

Last edited by armresl on Jun 30, 05 03:23; edited 1 time in total

Senior Member

Re: A: your opinions plz

Post Posted: Jun 30, 05 01:29

Hi Armresl,

As anyone with more experience will attest to time stamps can be a dicey subject but from what you’ve provided I would think that the file was copied to floppy on the 31st of May and viewed on the 1st of June.

The MA times of the shortcut will change every time you open the file from floppy but the actual file residing on disk will only have the A time changed ...(unless you modify also).

From testing on an XP (NTFS) system:

- Copying or moving a file from HDD to floppy will change the Access and Create times.
- Cutting or removing the file from HDD to floppy will only change the Access time (CM remain the same) as original.



Re: A: your opinions plz

Post Posted: Jul 02, 05 08:54


if I understand your posting correct, "the actual file reallysecretstuff" is located on the hard drive and you don't have the floppy with reallysecretstuff.doc. You are not quite clear about the location you found this file.

If that is the case, you can say that a file with the name reallysecretstuff.doc was opened at least at 5/31/05 and 1/6/05. I would not speak about a copy of the file if you don't have the actual file. You can only state that the name is the same as.....  

Page 1 of 1