  1. #1

    Join Date: Apr 2006
    Location: UK
    Posts: 939

    Computer Forensics

    I was wondering if there is some kind of file audit program for Windows that will show the true file creation date? I have a number of files to look at for SLT, for which I need to be able to show the true creation date.

    First of all, how accurate can I be? If a user sets the date to 1st of December 2001 today and creates a file, that is obviously the creation date, even if it is the 4th Sept 2006?

    Has anyone come across this problem before?

    Dan

  2. #2

    Join Date: Apr 2006
    Location: UK
    Posts: 939

    Re: Computer Forensics

    I need a program that will show file name, date created, date modified and last accessed, plus size etc., in a report, i.e. a print-out!

    Any ideas?

  3. #3

    Geoff
    Join Date: Jun 2005
    Location: Fylde, Lancs, UK.
    Posts: 11,850

    Re: Computer Forensics

    Windows file systems do not record access times. You can only get that feature on a real OS.

    That limitation aside, what about a VBS macro that imports into an Excel spreadsheet? Should be pretty easy to whip up.

  4. #4

    Join Date: Jan 2006
    Location: Surburbia
    Posts: 2,178

    Re: Computer Forensics

    NTFS records timestamps for: Modified, Accessed, Created and MFT Entry Modified. You get the first three (MAC times) via Explorer "Choose Details" or by using the command line "DIR /T" option.

    Various forensics tools can display the fourth timestamp (and so can at least one freebie anti-forensics utility that can change all four of them).

    I'm no expert, but I don't believe there's an easy way to find out about system time changes... you have to find that indirectly via timestamp discrepancies in places like recycle bins, IE caches and so on.
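
A worked version of the printable report asked for in #2 together with the "timestamp discrepancy" idea from #4, added here as an example rather than anything posted in the thread: it walks a tree, reads the three timestamps that Explorer and DIR /T expose, and flags files whose own timestamps disagree with each other. Function and column names are my own; it assumes Python 3 on the Windows machine holding the files, because os.stat's st_ctime is the creation time only on Windows.

```python
# Added example; function and column names are my own, not from the thread.
import os
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

class MacRecord(NamedTuple):
    path: str
    size: int
    created: datetime   # NTFS Created  (what "dir /tc" prints)
    modified: datetime  # NTFS Modified (what "dir /tw" prints)
    accessed: datetime  # NTFS Accessed (what "dir /ta" prints)

def utc_from_ts(ts: float) -> datetime:
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def collect_records(root: str) -> List[MacRecord]:
    """Walk a tree and read the three MAC times Explorer and DIR expose. os.stat's
    st_ctime is the creation time only on Windows (on POSIX it is inode-change time)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the report
            records.append(MacRecord(path, st.st_size, utc_from_ts(st.st_ctime),
                                     utc_from_ts(st.st_mtime), utc_from_ts(st.st_atime)))
    return records

def find_discrepancies(rec: MacRecord, now: datetime) -> List[str]:
    """Inconsistencies worth a second look, none conclusive alone: a copied file has
    Modified before Created, and a clock set back then restored leaves no trace here."""
    flags = []
    if rec.modified < rec.created:
        flags.append("modified-before-created")
    if rec.created > now or rec.modified > now:
        flags.append("timestamp-in-future")
    return flags

def format_report(records: List[MacRecord], now: Optional[datetime] = None) -> List[str]:
    """One tab-separated line per file: path, created, modified, accessed, size, flags."""
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = ["path\tcreated\tmodified\taccessed\tsize\tflags"]
    for r in records:
        flags = ",".join(find_discrepancies(r, now)) or "-"
        lines.append("\t".join([r.path, r.created.strftime(fmt), r.modified.strftime(fmt),
                                r.accessed.strftime(fmt), str(r.size), flags]))
    return lines
```

Print the lines returned by `format_report(collect_records(r"c:\path_to_suspect_files"))` to get the print-out; the flags column only says where to look harder, it does not decide anything on its own.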

  5. #5

    Join Date: Feb 2006
    Location: Leeds
    Posts: 39

    Re: Computer Forensics

    Yes, I can accomplish this. Is this a serious occurrence, or are you just interested in how to do it?

    Mitch

  6. #6

    Join Date: Apr 2006
    Location: UK
    Posts: 939

    Re: Computer Forensics

    This is a serious incident; although the files accessed are nothing serious, we need to know whether these files were created in "school" time.

    Hopefully you can help

  7. #7
    ajbritton
    Join Date: Jul 2005
    Location: Wandsworth
    Posts: 1,632

    Re: Computer Forensics

    Quote Originally Posted by Geoff
    > Windows file systems do not record access times. You can only get that feature on a real OS.

    Not true. You need to enable auditing and set the events you want audited, but it can be done.

  8. #8
    ajbritton
    Join Date: Jul 2005
    Location: Wandsworth
    Posts: 1,632

    Re: Computer Forensics

    A quick Google for 'MFT Entry Modified' has turned up this... any use?

    EDIT: Oops! Just realised that SleuthKit is a Linux thing. /EDIT

  9. #9

    Geoff
    Join Date: Jun 2005
    Location: Fylde, Lancs, UK.
    Posts: 11,850

    Re: Computer Forensics

    If you turn on auditing, the performance will go through the floor.

  10. #10
    ajbritton
    Join Date: Jul 2005
    Location: Wandsworth
    Posts: 1,632

    Re: Computer Forensics

    Well, we have experimented with auditing on SIMS servers and not had any problems. I think it depends on what you audit.

  11. #11

    Join Date: Jan 2006
    Location: Surburbia
    Posts: 2,178

    Re: Computer Forensics

    Again, I'd just open a DOS box, run something like the following, and make your masters read the (printed) output:

    >dir /tc /s "c:\path_to_suspect_files" > a:\creationtimes.txt

    IMNSHO I think "serious incident" and "files are nothing serious" are mutually exclusive.

  12. #12

    Andrew_C
    Join Date: Sep 2005
    Location: Winchester
    Posts: 3,095

    Re: Computer Forensics

    The files themselves could easily be trivial, but the access to the system serious. Or conversely, the claim that they were written in school time could be the critical part, but what was actually written irrelevant.

  13. #13

    Join Date: Feb 2006
    Location: Leeds
    Posts: 39

    Re: Computer Forensics

    OK Dan,

    Can you give me a ring on 07765782749? BTW everyone, forget the audit side of 2003, not applicable!!!!!

    Mitch

  14. #14

    Join Date: Jan 2006
    Location: Surburbia
    Posts: 2,178

    Re: Computer Forensics

    ::disclaimer:: The following discussion has no known relation to the OP's scenario.

    > The files themselves could easily be trivial, but the access to the
    > system serious.

    Unauthorised access to systems is supposed to be serious in the criminal sense. Shouldn't you call the cops so they can take away all your computers and lose bits...?

    > Or conversly, the claim that they were written in school time
    > could be the critical part,

    Whereas it would have been fine in their own time five mins after the bell? IME that typically means A thinks B is playing/something rather than doing real work... and I think it's better to approach that by properly managing what work B has done (or not done)... and save the tech from being perceived as a net-fascist who spies on you.
