Filesystem Dates

9 Posts
7 Users
0 Likes
1,712 Views
(@ronwpor)
Posts: 1
New Member
Topic starter
 

I’m working on a case where some of the filesystem dates seem to be too old to be possible.

The computer is a MacBook A1278 and from what I find the first of those were manufactured in “Late 2008”.

One of the image files was “Last modified on 11-05-07”.

It doesn’t seem possible for a file to have a last modified date older than the computer it’s on. Is there an explanation for this?

Thank you

 
Posted : 25/07/2019 3:31 pm
(@randomaccess)
Posts: 385
Reputable Member
 

Do a test to see if copying or moving a file preserves the modification dates like it does on Windows.

 
Posted : 25/07/2019 10:41 pm
pr3cur50r
(@pr3cur50r)
Posts: 28
Eminent Member
 

Can you provide further information or metadata regarding the image file?
Is this a user created image copied to the system or an operating system image?

 
Posted : 25/07/2019 11:57 pm
(@deefir)
Posts: 49
Eminent Member
 

It doesn’t seem possible for a file to have a last modified date older than the computer it’s on. Is there an explanation for this?
Thank you

I set up a Dell XPS with Windows 10 on the 1st July 2019. I take a photo that I took on the 1st January 2019 and transfer it to my computer.

Assuming the photo wasn't modified after being captured, the modified date of the photo (the date it was digitised) will be before the date my computer was setup.

Another example - Windows system files. Have a look through core system files (DLLs for example) and you'll see that some old files have modified dates well before the system was setup. My system was setup a couple of years ago, and I have core DLLs which have modified dates in early 2010 (before my system existed).

Filesystem data remains when it is transferred onto compatible filesystems.

 
Posted : 26/07/2019 1:34 am
(@athulin)
Posts: 1156
Noble Member
 

It doesn’t seem possible for a file to have a last modified date older than the computer it’s on. Is there an explanation for this?

Yes.

You must know how timestamps enter this kind of system. You seem to believe that they are created by the system itself, that the clock they're created from is always true, and so they necessarily must show time past the 'birth' of the system. With that interpretation, modification date time stamp would indeed be closely connected to the computer system, not the file, or the file data.

Many files (or file data) on any computer systems have an existence outside it, such as system executables. If the installation mechanism of these files restores the timestamps they have 'outside', that could be one explanation. (I've seen this in work on a Windows system that was 'known' to have been turned off for about 9 months. Once it was turned on and connected to a network, it downloaded and installed a lot of patches, with timestamps from the period the system had been shut down, giving an appearance of activity during that time. Consider installing a patch set first thing after 'birthing' the computer system – you may want to investigate if that affects the timestamps and how.)

Other mechanisms are related to backups: restore a backup and you typically restore all or most of the timestamps.

Yet others may be file archives from other sources. Exactly what timestamps this affects depends on many things, so this needs to be researched platform by platform, tool by tool. But I see nothing technically impossible about 'modification date' being restored when such a file archive is opened and files extracted.

If you are fit to do forensic analysis on a MacBook, you should be able to come up with another three mechanisms on your own.

Ideally, as help in your work, you should have some kind of SOP that helps you identify all relevant mechanisms on the system being investigated that set timestamps to something that isn't 'local time', and possibly also how to eliminate each of them in cases where finding deliberate and intentional modification is important.

As you have not identified the relevant files in any way, I have ignored some obvious situations where explanations above may not apply. You may want to disentangle those on your own.

 
Posted : 26/07/2019 5:07 am
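An added example, not from any poster in this thread, that runs the test randomaccess suggested and also exercises the archive-extraction mechanism athulin describes: a scratch file is given a deliberately old modification time (2007-05-11, a constructed value echoing the "11-05-07" date in the question), then copied, moved and tar-extracted, and each destination's mtime is compared with the original. The mtime_epoch helper falls back from GNU stat to BSD stat so it runs on both Linux and macOS.

```shell
#!/bin/sh
# Added example (not from the thread): force an old mtime on a scratch
# file, then move it by several mechanisms and see which keep that mtime.

# Portable mtime reader: GNU stat (Linux) first, BSD stat (macOS) fallback.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# $1 = mechanism: cp | cp-p | mv | tar.  Echoes "preserved" or "reset".
# The source mtime is set to 2007-05-11 12:00, a constructed value that
# echoes the "11-05-07" date asked about in the thread.
mtime_after() {
    work=$(mktemp -d)
    src="$work/original.jpg"
    dst="$work/copy.jpg"
    : > "$src"
    touch -t 200705111200 "$src"
    before=$(mtime_epoch "$src")
    case "$1" in
        cp)   cp "$src" "$dst" ;;          # plain copy: new inode, mtime = now
        cp-p) cp -p "$src" "$dst" ;;       # -p asks cp to keep timestamps
        mv)   mv "$src" "$dst" ;;          # rename within one filesystem
        tar)  # archive then extract: tar restores stored mtimes by default
              mkdir "$work/out"
              ( cd "$work" && tar -cf a.tar original.jpg \
                  && cd out && tar -xf ../a.tar )
              dst="$work/out/original.jpg" ;;
        *)    rm -rf "$work"; echo "unknown mechanism: $1" >&2; return 1 ;;
    esac
    after=$(mtime_epoch "$dst")
    rm -rf "$work"
    if [ "$after" = "$before" ]; then echo preserved; else echo reset; fi
}

# Print one line per mechanism so the behaviour of this host is visible.
for m in cp cp-p mv tar; do
    printf '%-5s %s\n' "$m" "$(mtime_after "$m")"
done
```

Only the plain cp produces a "fresh" mtime; the other three carry the 2007 date across, which is exactly why a file can legitimately be "older" than the machine it sits on.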
(@athulin)
Posts: 1156
Noble Member
 

Filesystem data remains when it is transferred onto compatible filesystems.

That does not sound like a useful platform for conducting investigations.

It is the mechanism that does the transfer that decides if filesystem metadata is affected, what metadata actually is affected, and under what circumstances that happens.

'Compatibility' is created by mechanisms that transfer the 'right' data that makes this more or less invisible to the user. (On Windows, Windows Shell is responsible for a whole lot of cross-filesystem compatibility, while DOS-level commands generally do not.)

 
Posted : 26/07/2019 5:17 am
(@deefir)
Posts: 49
Eminent Member
 

Filesystem data remains when it is transferred onto compatible filesystems.

That does not sound like a useful platform for conducting investigations.

It is the mechanism that does the transfer that decides if filesystem metadata is affected, what metadata actually is affected, and under what circumstances that happens.

'Compatibility' is created by mechanisms that transfer the 'right' data that makes this more or less invisible to the user. (On Windows, Windows Shell is responsible for a whole lot of cross-filesystem compatibility, while DOS-level commands generally do not.)

Incompatible filesystems like HFS v NTFS or HFS v FAT32 result in the host system handling those files in a manner due to inherent incompatibility of the filesystems, not their host's mechanism to handle those files (which cannot be avoided due to the underlying incompatibility).

 
Posted : 26/07/2019 5:28 am
(@rich2005)
Posts: 535
Honorable Member
 

I’m working on a case where some of the filesystem dates seem to be too old to be possible.

The computer is a MacBook A1278 and from what I find the first of those were manufactured in “Late 2008”.

One of the image files was “Last modified on 11-05-07”.

It doesn’t seem possible for a file to have a last modified date older than the computer it’s on. Is there an explanation for this?

Thank you

Yes, it's easily possible.
Date and timestamps are a total nightmare / minefield in general.
You definitely should read up a lot more on timestamps if you're asking if it's possible though (not being aware of the myriad of ways a timestamp might not be what you expect, or interpret it to mean, is a quick way to get yourself into hot water later).

A blog post, with them trying to get to grips with some Mac timestamps, to get you going
https://forensic4cast.com/2016/10/macos-file-movements/

 
Posted : 26/07/2019 3:20 pm
(@trewmte)
Posts: 1877
Noble Member
 

I’m working on a case where some of the filesystem dates seem to be too old to be possible.

https://hackernoon.com/how-to-change-a-file-s-last-modified-and-creation-dates-on-mac-os-x-494f8f76cdf4

 
Posted : 27/07/2019 6:55 am