- Correlate events from different sources.
- Identify the factors leading to the timestamps changes.
Correlating events from different sources.
Some time ago a came across of an article about ‘selective enhancement’ method used to reconstruct a digital photograph from digital video footage. This method takes advantage of the fact that different frames are slightly different because the object moved or the light source is changed. These differences are collected and then utilised in reconstructing the image. Now going back to digital forensics, correlating events involves the process of identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of more weighty findings. Nevertheless, this kind of evidence may become crucial in reconstruction of events and is too important an area to neglect.
Identify the factors leading to the timestamps changes.
There are many factors that can affect timestamps including, but not limited to various scanning or indexing applications, changing the system clock, the clock skew or using anti-forensic tools. Unless the application responsible for altering time stamps has been resident in memory for a long time, such applications are identifiable based on its execution time.
The knowledge and experience plays a critical role in the process of verifying the accuracy of timestamps. There are many publications available on the Internet that discusses timestamps and Vista timestamps in particular. You can find a link to these publications in my old post. Yet, there are several recent ‘white papers’ on the Internet that just can’t get Vista timestamps right.
- Value Name: NtfsDisableLastAccessUpdate
- Data Type: REG_DWORD (DWORD Value)
- Value Data: set 1 to prevent the Last Access time stamp updates.
Compound files such as MS Office .doc or .docx files and possibly certain other files such as .jpeg may also change 'Accessed Time' if these files have been modified.