MAC Times

Presentation transcript:

MAC Times

Modification (mtime)
- When the file contents were CHANGED
- Change = addition, deletion, or change of any single BYTE/character… even if it doesn’t change the meaning of a file
- For example: adding a single extra space to a term paper; it still reads the same, but it has been altered

Access (atime)
- The time the file was last “touched”, even if not changed

Creation (ctime)
- The timestamp of a file’s creation on a “volume” (disk)

Timestamps

- Operating system dependent
- Ex: Windows bases a timestamp on elapsed time since midnight, Jan 01, 1601
- Time elapsed in nanoseconds (billionths of a second)
- MACs timestamps require a different “algorithm” (formula) for conversion to calendar date/time

Granularity

- Refers to the “precision” of our time: how small a window of time (day/hour/minute/second)
- Dependent on Operating System
- Dependent on File System
- Windows XP
  - Can use the NTFS file system to record files on the disk
  - Can use FAT32 to record files on the disk
  - FAT32 is typically used for removable media, such as USB or Flash Cards (such as in cameras)
- Forensic software (or the analyst) needs to know the systems involved in order to interpret the time properly
- Atime can be precise to the *date*, but perhaps not a time of day
- Ctime can note the actual time and date down to 2/100’s of a second (depending on Operating System)

Discrepancies

- File’s ctime occurs *after* the atime or mtime
- Possible if:
  - Somebody played with the timestamps
  - The file was moved/copied to another “volume” (disk)
    - It’s “created” on that new disk at that date/time, but the OS and File System might retain the original atime and mtime
- Windows Vista: the update of the atime is turned off by default
  - Not necessarily intentional on the part of the user to hide the time details!
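The conversion from the Timestamps slide and the ctime-after-mtime/atime check from this slide, as an added Python example that is not part of the original presentation. It assumes raw NTFS-style FILETIME values, which count 100-nanosecond intervals since January 1, 1601 UTC; the file names and times are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Raw 64-bit FILETIME -> aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the sample records."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def check_mac_times(rec: dict) -> list:
    """Return discrepancy codes for one record of raw FILETIME values."""
    m, a, c = (filetime_to_datetime(rec[k]) for k in ("mtime", "atime", "ctime"))
    findings = []
    if c > m:  # created after last modification: copy/move or tampering
        findings.append("CREATED_AFTER_MODIFIED")
    if c > a:  # created after last access
        findings.append("CREATED_AFTER_ACCESSED")
    return findings

def _ft(*ymdhms):
    return datetime_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))

# Constructed sample records (hypothetical file names and times).
SAMPLES = [
    {"name": "termpaper.doc", "ctime": _ft(2008, 3, 1, 9, 0, 0),
     "mtime": _ft(2008, 3, 2, 10, 15, 0), "atime": _ft(2008, 3, 3, 8, 0, 0)},
    {"name": "photo.jpg", "ctime": _ft(2008, 3, 4, 16, 0, 0),
     "mtime": _ft(2008, 2, 10, 14, 30, 0), "atime": _ft(2008, 3, 5, 11, 0, 0)},
    {"name": "notes.txt", "ctime": _ft(2008, 3, 6, 12, 0, 0),
     "mtime": _ft(2008, 1, 5, 9, 0, 0), "atime": _ft(2008, 1, 5, 9, 0, 0)},
]

def report(records):
    """One line per finding, with the creation time shown as a calendar date."""
    lines = []
    for rec in records:
        created = filetime_to_datetime(rec["ctime"])
        for code in check_mac_times(rec):
            lines.append(f"{rec['name']}: {code} "
                         f"(created {created:%Y-%m-%d %H:%M:%S} UTC)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLES)))
```

A finding here only marks the file for closer review; as the slide notes, a copy or move to another volume produces the same pattern as deliberate alteration.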

Discrepancies

- Examination of the contents of a file might indicate that the file was not created or modified when the timestamp claims it was
  - Content of the document lists a date or time indicating a creation prior to the “external” time
  - Might indicate an effort to hide or “forge” the time of a file
  - Is the date or time inside the file itself a result of the user’s effort (he or she typed it), or did the software package being used insert it?
- Remember: Timestamps are based on the computer’s system time
  - If the system time is “off”, the file timestamps will also be “off” in relation to real time
- Do timezone differences come into play?
- Do we need to consider Daylight Savings Time?
  - Not for the CSI Challenge!!!

CSI Challenge

- The assumption is that any obvious time discrepancy is an effort on the part of an investigation’s subject to hide or obfuscate details
- NOTE: You will receive a note in your packet (along with the investigator’s CD) which outlines how you should view times in terms of evaluating your investigation
  - For example, you might be directed to specifically ignore certain timestamps only
  - Do not ignore, unless specifically directed to do so!!!