4th September 2006, 12:23 PM #1 Computer Forensics
I was wondering if there was some kind of file audit program for Windows that will show the true file creation date? I have a number of files to look at for SLT, for which I need to be able to show the true creation date.
First of all, how accurate can I be? If a user sets the date to 1st December 2001 today and creates a file, that is obviously the creation date, even if it is the 4th Sept 2006?
Has anyone come across this problem before?
Dan
-
-
4th September 2006, 03:05 PM #2 Re: Computer Forensics
I need a program that will show file name, date created, date modified and last accessed, plus size etc., in a report, i.e. a print-out!
any ideas?
-
-
4th September 2006, 03:21 PM #3 Re: Computer Forensics
Windows file systems do not record access times. You can only get that feature on a real OS. 
That limitation aside, what about a VBS macro that imports into an Excel spreadsheet? Should be pretty easy to whip up.
-
-
4th September 2006, 09:06 PM #4 Re: Computer Forensics
NTFS records timestamps for: Modified, Accessed, Created and MFT Entry Modified. You get the first three (MAC times) via Explorer "Choose Details" or by using the command line "DIR /T" option.
Various forensics tools can display the fourth timestamp (and so can at least one freebie anti-forensics utility that can change all four of them).
I'm no expert but I don't believe there's an easy way to find out about system time changes... you have to find that indirectly via timestamp discrepancies in places like recycle bins, IE caches and so on.
-
-
5th September 2006, 01:31 AM #5 Re: Computer Forensics
Yes, I can accomplish this. Is this a serious occurrence, or are you just interested in how to do it?
Mitch
-
-
5th September 2006, 07:44 AM #6 Re: Computer Forensics
This is a serious incident. Although the files accessed are nothing serious, we need to know whether these files were created in "school" time.
Hopefully you can help
-
-
5th September 2006, 07:49 AM #7 Re: Computer Forensics
Originally Posted by Geoff
> Windows file systems do not record access times. You can only get that feature on a real OS.
Not true. You need to enable auditing and set the events you want audited, but it can be done.
-
-
5th September 2006, 07:53 AM #8 Re: Computer Forensics
A quick google for 'MFT Entry Modified' has turned up this... any use?
EDIT:Oops! Just realized that SleuthKit is a Linux thing./EDIT
-
-
5th September 2006, 08:20 AM #9 Re: Computer Forensics
If you turn on auditing the performance will go through the floor.
-
-
5th September 2006, 11:01 AM #10 Re: Computer Forensics
Well, we have experimented with auditing on SIMS servers and not had any problems. I think it depends on what you audit.
-
-
5th September 2006, 07:55 PM #11 Re: Computer Forensics
Again, I'd just open a DOS box, run something like the following and make your masters read the (printed) output:
>dir /tc /s "c:\path_to_suspect_files" > a:\creationtimes.txt
IMNSHO I think "serious incident" and "files are nothing serious" are mutually exclusive.
-
-
5th September 2006, 08:27 PM #12 Re: Computer Forensics
The files themselves could easily be trivial, but the access to the system serious. Or conversely, the claim that they were written in school time could be the critical part, but what was actually written irrelevant.
-
-
5th September 2006, 09:27 PM #13 Re: Computer Forensics
Ok Dan
Can you give me a ring on 07765782749. BTW, everyone forget the audit side of 2003, not applicable!
Mitch
-
-
6th September 2006, 07:23 PM #14 Re: Computer Forensics
::disclaimer:: The following discussion has no known relation to the OPs scenario.
> The files themselves could easily be trivial, but the access to the
> system serious.
Unauthorised access to systems is supposed to be serious in the criminal sense. Shouldn't you call the cops so they can take away all your computers and lose bits...? 
> Or conversly, the claim that they were written in school time
> could be the critical part,
Whereas it would have been fine in their own time five mins after the bell? IME that typically means A thinks B is playing/something rather than doing real work... and I think it's better to approach that by properly managing what work B has done (or not done)... and save the tech from being perceived as a net-fascist who spies on you.
-