What is the Modified date telling me...?

4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

OK, I know this sounds like a troll question, but it's not, please hear me out and if possible help me understand why!

I have a Cellebrite download of an iPhone, and it's recovered a load of documents. The documents are marked as live, not deleted. However, I only have a 'Modified Date' on them. Which is fine, in theory. However, more of these docs are known and they are quite old and have been going around for a while. But the modified date is recent, only a few months ago.

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Is it a Cellebrite issue? Could I almost use it as an accessed date (which would make sense!) (obvs I can't). Any ideas much appreciated.

Thanks,
4R

 
Posted : 26/10/2017 7:14 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Is it a Cellebrite issue? Could I almost use it as an accessed date (which would make sense!) (obvs I can't). Any ideas much appreciated.

Could it be a restore of a backup (from iCloud or *whatever*)? (or however a "fresh" copy)

Do *all* files on the filesystem have the same (or similar) metadata?

Or this happens only for a subset of them? (like all "documents", or all .pdf's, etc.)

Or only to a subset of .pdf's?

jaclaz

 
Posted : 26/10/2017 7:29 am
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

I like the idea of a backup/restore. There is another, older iPhone from this job!

I've delved a little deeper and it appears they are all in a tmp folder for QuickViewPDF. I wonder if it's something to do with this viewer? They are not actually downloaded to the handset by the user, but saved by this viewer for reading live, so maybe a created/accessed date is not actually populated since they are not getting "saved" to the handset (albeit in a tmp folder).

Could this modified date be the viewer doing something to the PDF to make it viewable live? (Just a loose theory)

 
Posted : 26/10/2017 8:30 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Could this modified date be the viewer doing something to the PDF to make it viewable live? (Just a loose theory)

Test it! Digital Forensics is a science. Fetch an iPhone, install the app in the appropriate version and test it. Once you have the facts, you can present them in court. And yes, in theory and practice a lot of apps are modifying timestamps.

best regards,
Robin

 
Posted : 26/10/2017 11:47 am
(@athulin)
Posts: 1156
Noble Member
 

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Most probably because the file (i.e. the file system entity to which the Modified Date information applies) really has changed. But I don't think you can say anything about who or what changed the file contents, or the time stamp (or whatever else the relevant file system – HFS+? – causes to trigger the time stamp update.)

First: Is it unusual to see only Modified Date? Not knowing Cellebrite, I can't be sure, but if you don't see all HFS/HFS+ time stamps, I would suspect something to be wrong. Perhaps in configuration of extracted data, perhaps somewhere else. But you should have an explanation for it.

Next: Are resource fork/data fork semantics still used on iOS?

Finally: As these apparently were copies of downloaded files per your later posting … can you compare the files you found on the device to their originals?

But that's just me guessing – iOS expertise and possibly Cellebrite is required for this.

 
Posted : 26/10/2017 2:31 pm
(@athulin)
Posts: 1156
Noble Member
 

I've delved a little deeper and it appears they are all in a tmp folder for QuickViewPDF. I wonder if it's something to do with this viewer? They are not actually downloaded to the handset by the user, but saved by this viewer for reading live, so maybe a created/accessed date is not actually populated since they are not getting "saved" to the handset (albeit in a tmp folder).

Is that consistent with normal behaviour of iOS or QuickViewPDF? That created/access doesn't get populated because a viewer app wrote them, whereas other apps would cause time stamps to be set.

It sounds a bit odd to me, I'm afraid.

However, as the files seem to be cached copies or work copies belonging to a particular app, the question is probably about what that app does when it is used. Does it add attributes at the end of the file 'last page read 12'? Or something like that? If it does, the time stamp is likely to reflect the operation of that app … provided that it can be verified that it actually does do something like that.

Comparing work area copies with originals (perhaps found elsewhere on the device) seems to be highly desirable.

 
Posted : 26/10/2017 2:39 pm
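
The comparison suggested in the post above (work-area copy versus original, and whether the app has appended something to the end of the file), as an added example that is not part of the thread. The function names, file names, timestamps and the appended trailer are constructed for illustration and do not represent observed QuickViewPDF or iOS behaviour.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def compare_copies(original_path, work_path) -> dict:
    """Compare an app's work copy against a known original: content and mtime."""
    orig = Path(original_path).read_bytes()
    work = Path(work_path).read_bytes()
    # Offset of the first differing byte (or the shorter length if one is a prefix).
    limit = min(len(orig), len(work))
    prefix = next((i for i in range(limit) if orig[i] != work[i]), limit)
    # True when the work copy is the untouched original plus extra trailing bytes.
    appended_only = prefix == len(orig) and len(work) > len(orig)

    def mtime_utc(p):
        return datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc).isoformat()

    return {
        "original_sha256": hashlib.sha256(orig).hexdigest(),
        "work_sha256": hashlib.sha256(work).hexdigest(),
        "identical": orig == work,
        "first_difference_offset": None if orig == work else prefix,
        "appended_only": appended_only,
        "appended_bytes": work[len(orig):] if appended_only else b"",
        "original_mtime_utc": mtime_utc(original_path),
        "work_mtime_utc": mtime_utc(work_path),
    }


def demo() -> dict:
    # Constructed sample data: a stand-in "PDF" and a work copy carrying a
    # hypothetical trailer of the kind the post speculates about.
    original = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n"
    trailer = b"%viewer-state last-page-read=12\n"
    with tempfile.TemporaryDirectory() as d:
        o, w = Path(d, "original.pdf"), Path(d, "tmp_copy.pdf")
        o.write_bytes(original)
        w.write_bytes(original + trailer)
        os.utime(o, (1262304000, 1262304000))  # 2010-01-01 UTC, constructed
        os.utime(w, (1506816000, 1506816000))  # 2017-10-01 UTC, constructed
        return compare_copies(o, w)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against exported copies from the extraction, never the evidence itself; `appended_only` being true with a later `work_mtime_utc` would support the "app wrote to its own copy" explanation, while identical hashes would point to a timestamp change without a content change.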