What is the Modified date telling me...?


4Rensics
Senior Member
 

What is the Modified date telling me...?

Post Posted: Oct 26, 17 07:14

OK, I know this sounds like a troll question, but it's not, please hear me out and if possible help me understand why!

I have a Cellebrite download of an iPhone, and it's recovered a load of documents. The documents are marked as live, not deleted. However, I only have a 'Modified Date' on them. Which is fine, in theory. However, more of these docs are known and they are quite old and have been going around for a while. But the modified date is recent, only a few months ago.

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Is it a Cellebrite issue? Could I almost use it as an accessed date (which would make sense!) (obvs I can't). Any ideas much appreciated.

Thanks,
4R  
 
  

jaclaz
Senior Member
 

Re: What is the Modified date telling me...?

Post Posted: Oct 26, 17 07:29

- 4Rensics

I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?

Is it a Cellebrite issue? Could I almost use it as an accessed date (which would make sense!) (obvs I can't). Any ideas much appreciated.


Could it be a restore of a backup (from iCloud or *whatever*)? (or however a "fresh" copy)

Do *all* files on the filesystem have the same (or similar) metadata?

Or this happens only for a subset of them? (like all "documents", or all .pdf's, etc.)

Or only to a subset of .pdf's?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

4Rensics
Senior Member
 

Re: What is the Modified date telling me...?

Post Posted: Oct 26, 17 08:30

I like the idea of a backup/restore. There is another, older iPhone from this job!

I've delved a little deeper and it appears they are all in a tmp folder for QuickViewPDF. I wonder if it's something to do with this viewer? They are not actually downloaded to the handset by the user, but saved by this viewer for reading live, so maybe a created/accessed date is not actually populated since they are not getting "saved" to the handset (albeit in a tmp folder).

Could this modified date be the viewer doing something to the PDF to make it viewable live? (Just a loose theory)  
 
  

Bunnysniper
Senior Member
 

Re: What is the Modified date telling me...?

Post Posted: Oct 26, 17 11:47

- 4Rensics


Could this modified date be the viewer doing something to the PDF to make it viewable live? (Just a loose theory)


Test it! Digital Forensics is a science. Fetch an iPhone, install the app in the appropriate version and test it. Once you have the facts, you can present them in court. And yes, in theory and practice a lot of apps are modifying timestamps.

best regards,
Robin  
 
  

athulin
Senior Member
 

Re: What is the Modified date telling me...?

Post Posted: Oct 26, 17 14:31

- 4Rensics
I would happily stand up in court and say this person did not actually modify these docs (PDFs) but I'm confused as to why it's got a recent date in the modified date?


Most probably because the file (i.e. the file system entity to which the Modified Date information applies) really has changed. But I don't think you can say anything about who or what changed the file contents, or the time stamp (or whatever else the relevant file system -- HFS+? -- causes to trigger the time stamp update.)

First: Is it unusual to see only Modified Date? Not knowing Cellebrite, I can't be sure, but if you don't see all HFS/HFS+ time stamps, I would suspect something to be wrong. Perhaps in configuration of extracted data, perhaps somewhere else. But you should have an explanation for it.

Next: Are resource fork/data fork semantics still used on iOS?

Finally: As these apparently were copies of downloaded files per your later posting ... can you compare the files you found on the device to their originals?

But that's just me guessing -- iOS expertise and possibly Cellebrite is required for this.  
 
  

athulin
Senior Member
 

Re: What is the Modified date telling me...?

Post Posted: Oct 26, 17 14:39

- 4Rensics
I've delved a little deeper and it appears they are all in a tmp folder for QuickViewPDF. I wonder if it's something to do with this viewer? They are not actually downloaded to the handset by the user, but saved by this viewer for reading live, so maybe a created/accessed date is not actually populated since they are not getting "saved" to the handset (albeit in a tmp folder).


Is that consistent with normal behaviour of iOS or QuickViewPDF? That created/access doesn't get populated because a viewer app wrote them, whereas other apps would cause time stamps to be set.

It sounds a bit odd to me, I'm afraid.

However, as the files seem to be cached copies or work copies belonging to a particular app, the question is probably about what that app does when it is used. Does it add attributes at the end of the file 'last page read: 12'? Or something like that? If it does, the time stamp is likely to reflect the operation of that app ... provided that it can be verified that it actually does do something like that.

Comparing work area copies with originals (perhaps found elsewhere on the device) seems to be highly desirable.  
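
Added example, not part of the original thread or any poster's code: one way to run the copy-versus-original comparison suggested above and record whether a cached PDF is byte-identical to its original, has data appended after it, or was rewritten. The function names and the sample bytes are constructed for illustration; the thread does not establish what QuickViewPDF actually writes.

```python
import hashlib
from pathlib import Path


def classify_change(original: bytes, cached: bytes) -> dict:
    """Describe how a cached copy differs from its known original."""
    # Length of the shared leading run of bytes.
    prefix = 0
    limit = min(len(original), len(cached))
    while prefix < limit and original[prefix] == cached[prefix]:
        prefix += 1
    if original == cached:
        kind = "identical"   # content untouched; only the time stamp moved
    elif prefix == len(original):
        kind = "appended"    # original intact, data added at the end
    elif prefix == len(cached):
        kind = "truncated"   # cached copy is a shortened original
    else:
        kind = "rewritten"   # bytes changed inside the original content
    return {
        "kind": kind,
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_cached": hashlib.sha256(cached).hexdigest(),
        "first_difference": None if kind == "identical" else prefix,
        "appended_tail": cached[prefix:] if kind == "appended" else b"",
        # A PDF saved with an incremental update gains an extra %%EOF marker.
        "eof_markers": (original.count(b"%%EOF"), cached.count(b"%%EOF")),
    }


def compare_files(original_path, cached_path) -> dict:
    """Same comparison for two files exported from the extraction."""
    return classify_change(Path(original_path).read_bytes(),
                           Path(cached_path).read_bytes())


# Constructed sample data (not from the case discussed in the thread).
ORIGINAL = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
APPENDED = ORIGINAL + b"2 0 obj\n<< /LastPage 12 >>\nendobj\n%%EOF\n"
REWRITTEN = ORIGINAL.replace(b"Catalog", b"Cat4log")

if __name__ == "__main__":
    for name, data in [("same", ORIGINAL), ("appended", APPENDED),
                       ("rewritten", REWRITTEN)]:
        r = classify_change(ORIGINAL, data)
        print(name, r["kind"], r["first_difference"], r["eof_markers"])
```

An "identical" result means the modified date moved without any content change, which points towards a copy, restore or cache write rather than an edit of the document itself.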
 
