03 Timestamps Demo


We know that the BMP files, fileA and fileD, are the same, but that the JPEG files, fileB and fileC, are different somehow. So how can we find out what went on with these files?


Images: FileA, FileB, FileC, FileD

By using timestamp information from the file system, we can learn that the BMP fileD was the original file, with fileA being a copy of the original. Afterward, fileB was created by modifying fileB, and fileC was created by modifying fileA in a different way.

Follow along as we demonstrate.

We’ll start by analyzing images in AccessData FTK Imager, where there’s a Properties window that shows you some information about the file or folder you’ve selected.

Timestamps Demo Pic 1

Obtain timestamps for files.

Timestamps Demo Pic 2

You can find various timestamps for the file you’re examining here.

Timestamps Demo Pic 3

Identify timestamp patterns.

Here are the extracted MAC times for fileA, fileB, fileC and fileD.

Timestamps Demo Pic 4

Note that AccessData FTK Imager assumes the file times on the drive are in UTC (Coordinated Universal Time). I subtracted four hours, since the USB was set up in Eastern Standard Time. This isn’t necessary, but it helps me understand the times a bit better.

Highlight timestamps that are the same.

Timestamps that differ by only a few seconds should be counted as the same. Grouping them this way makes the genuinely different timestamps stand out clearly.

Highlight oldest to newest to help put them in order.

Timestamps Demo Pic 5

Timestamps Demo Pic 6

Timestamps Demo Pic 7

Timestamps Demo Pic 8

Timestamps Demo Pic 9

Timestamps Demo Pic 10

Timestamps Demo Pic 11

Timestamps Demo Pic 12

Timestamps Demo Pic 13

Timestamps Demo Pic 14

Identify timestamp patterns.

Timestamps Demo Pic 15
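The steps above (read the MAC times, shift them from UTC to the local offset, treat times within a few seconds as equal, order them oldest to newest, and look for the copy/original pattern) can be scripted once the times have been transcribed from FTK Imager. The following Python is an added example written for this page; it is not part of the course material or of FTK Imager. The MAC values are constructed to mirror the demo's narrative (fileD original, fileA a copy, fileB and fileC written later) and are not the timestamps from the course's USB image; the five-second tolerance and the four-hour offset are assumptions taken from the text.

```python
"""Added example: normalise, cluster and order MAC times the way the demo does by hand."""
from datetime import datetime, timedelta, timezone

TOLERANCE = timedelta(seconds=5)     # assumed: times within a few seconds count as "the same"
LOCAL_OFFSET = timedelta(hours=-4)   # assumed: the four-hour shift applied in the demo

# Constructed sample MAC times as FTK Imager would show them (UTC).
# Illustrative values only, not the timestamps from the course's drive image.
SAMPLE_MAC_UTC = {
    "fileD": {"created": "2013-03-01 14:00:00", "modified": "2013-03-01 14:00:03", "accessed": "2013-03-01 14:00:03"},
    "fileA": {"created": "2013-03-01 14:10:00", "modified": "2013-03-01 14:00:02", "accessed": "2013-03-01 14:10:00"},
    "fileB": {"created": "2013-03-01 14:20:00", "modified": "2013-03-01 14:20:41", "accessed": "2013-03-01 14:20:41"},
    "fileC": {"created": "2013-03-01 14:30:00", "modified": "2013-03-01 14:30:17", "accessed": "2013-03-01 14:30:17"},
}


def parse_mac(table, offset=LOCAL_OFFSET):
    """Parse 'YYYY-MM-DD HH:MM:SS' strings recorded in UTC and shift them to the local offset."""
    local = timezone(offset)
    parsed = {}
    for name, fields in table.items():
        parsed[name] = {
            field: datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
                           .replace(tzinfo=timezone.utc)
                           .astimezone(local)
            for field, value in fields.items()
        }
    return parsed


def cluster_events(mac, tolerance=TOLERANCE):
    """Flatten to (time, file, field) events, sort oldest to newest, and group events
    that fall within `tolerance` of the first event in the group (the "highlight the
    same timestamps" step)."""
    events = sorted((t, name, field) for name, fields in mac.items() for field, t in fields.items())
    clusters = []
    for event in events:
        if clusters and event[0] - clusters[-1][0][0] <= tolerance:
            clusters[-1].append(event)
        else:
            clusters.append([event])
    return clusters


def classify(mac, tolerance=TOLERANCE):
    """NTFS-style heuristic: copying a file preserves its Modified time but assigns a new
    Created time, so Created later than Modified marks a copy. A file whose Created time
    is at or before its Modified time was written in place."""
    return {
        name: "copy" if t["created"] - t["modified"] > tolerance else "in place"
        for name, t in mac.items()
    }


def find_copies(mac, tolerance=TOLERANCE):
    """Pair files whose Modified times agree within tolerance; of each pair, the file
    created later is the copy. Returns (original, copy) tuples."""
    pairs = []
    names = sorted(mac)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if abs(mac[a]["modified"] - mac[b]["modified"]) <= tolerance:
                original, copy = sorted((a, b), key=lambda n: mac[n]["created"])
                pairs.append((original, copy))
    return pairs


def order_by_creation(mac):
    """File names ordered oldest to newest by Created time (the 'put them in order' step)."""
    return sorted(mac, key=lambda n: mac[n]["created"])


if __name__ == "__main__":
    mac = parse_mac(SAMPLE_MAC_UTC)
    for i, group in enumerate(cluster_events(mac), 1):
        print(f"group {i}: " + ", ".join(f"{n}.{f}={t:%H:%M:%S}" for t, n, f in group))
    print("classification:", classify(mac))
    print("copies (original -> copy):", find_copies(mac))
    print("creation order:", order_by_creation(mac))
```

On the constructed sample the script reports fileD and fileA as a copy pair with fileD the original, classifies fileA as a copy and the other three as written in place, and orders creation as fileD, fileA, fileB, fileC. The Created-after-Modified rule is specific to NTFS copy semantics; on other file systems, or after tools that preserve all timestamps, the same pattern should be confirmed against file content (as the demo does with the matching BMP files) rather than trusted on its own.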