View Full Version : SEEKING IT PROFESSIONAL for 9/11 research
winstonsmith
13th November 2015, 17:55
If anyone on this site has deep IT skills, please PM me.
I am searching for information concerning the way files are date stamped when they are created and subsequently modified.
Thank you,
Winston
TargeT
13th November 2015, 18:07
I can answer your questions, but why go PM? Let's do it public so everyone can learn!
What operating system are you interested in? (They all handle it basically the same, but there are some differences that are important with time stamps between Windows and Unix/Linux and possibly Apple (which I know almost nothing about).)
TargeT
13th November 2015, 18:51
If anyone else is interested, here's what I PM'd:
Well, forensically speaking, for the evidence to be considered "admissible in court" you'd need access to the original systems; granted, that might be impossible. The best you are going to come up with otherwise is just good circumstantial evidence.
.txt is a file format that is used across all systems. Time stamps are handled a bit differently for each OS (operating system), but basically it boils down to MAC (modified, access, and change time stamps), though how the disks are formatted (are they using FAT32 or NTFS?) matters as well, but only in milliseconds.
Start here: http://www.forensicswiki.org/wiki/MAC_times#Linux
With Microsoft you will mostly be using NTFS, which keeps track of lots of time stamps. Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value. (More in-depth info here: https://support.microsoft.com/en-us/kb/299648)
Anyway, as I've said a few times, unless you have access to the system that the file came off of, everything is kind of suspect... BUT that should give you a good start.
Michelle Marie
13th November 2015, 21:08
I can answer your questions, but why go PM? Let's do it public so everyone can learn!
What operating system are you interested in? (They all handle it basically the same, but there are some differences that are important with time stamps between Windows and Unix/Linux and possibly Apple (which I know almost nothing about).)
Hey, thanks! When I read this, I thought...I don't know, but I'd like to!
Michelle Marie
13th November 2015, 21:19
I used/compared date and time stamps on a police dashcam video, my iPhone video, and the police dispatch. The minutes were the same (varied by seconds) and showed the timing of the event. The court was "out of order" once again, and I did not win that portion of my case. As it comes to Light, the evidence will be so clear that no legalese, double speak, or good-ole-boys network can deny it. The Universe KNOWS the Truth. Actually, everyone involved does, but lies held up in the court. That WILL be proved. I rest my case on the Universal Order: Truth is eternal while lies dissolve under scrutiny.
Really, I feel forgiveness toward those who lie, but it MUST STOP! Doing harm to others will not be permitted.
Thanks for the information. I've stored it for future reference.
Lots of love,
Michelle Marie
Rex
13th November 2015, 22:56
Keep in mind that file date and timestamps can be modified on most (if not all) operating systems. Often with little or no way to prove tampering. Most people won't know how to do this, so you can rely on them for the most part.
seehas
13th November 2015, 22:59
The date on files itself is given by the filesystem that created the file; it is very easy to manipulate and can never be trusted.
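Added example, not part of any post in this thread: a Python sketch that reads the POSIX MAC times described in TargeT's PM and shows what a backdated modified time leaves behind in the changed time, which bears on the points Rex and seehas raise. It assumes a Linux/Unix filesystem (on Windows `st_ctime` is the creation time); the file name, the 2-second tolerance and the function names are constructed for illustration.

```python
import os
import tempfile

TOLERANCE_NS = 2 * 10**9  # constructed threshold: 2 s slack between mtime and ctime

def mac_times(path):
    """Return the POSIX MAC times of path in nanoseconds since the epoch."""
    st = os.stat(path)
    return {
        "modified": st.st_mtime_ns,  # last content write
        "accessed": st.st_atime_ns,  # last read (depends on mount options)
        "changed": st.st_ctime_ns,   # last inode change (creation time on Windows)
    }

def metadata_changed_after_write(path, tolerance_ns=TOLERANCE_NS):
    """True when the inode changed noticeably later than the last content write.

    This is a lead, not proof: chmod, rename and archive extraction cause it too.
    """
    t = mac_times(path)
    return t["changed"] - t["modified"] > tolerance_ns

def demo():
    """Create a file, backdate its mtime by a year, report what each check sees."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.txt")  # constructed sample file
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        before = mac_times(path)
        flagged_before = metadata_changed_after_write(path)

        year_ns = 365 * 24 * 3600 * 10**9
        backdated = before["modified"] - year_ns
        # utime sets atime and mtime only; the kernel stamps ctime with "now".
        os.utime(path, ns=(before["accessed"], backdated))

        after = mac_times(path)
        flagged_after = metadata_changed_after_write(path)
    return before, after, flagged_before, flagged_after, backdated

if __name__ == "__main__":
    before, after, fb, fa, _ = demo()
    print("before:", before, "flagged:", fb)
    print("after: ", after, "flagged:", fa)
```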
TargeT
14th November 2015, 00:10
The date on files itself is given by the filesystem that created the file; it is very easy to manipulate and can never be trusted.
This is why it's so important to have the original system. I do computer forensics & it's very trustworthy if you have the original system and you follow the proper evidence handling steps (chain of custody is SUPER important in this). It definitely can be done, but without the original system that created & holds the file in question... well, everything from there out is circumstantial evidence (at best).