Building a timeline is an essential part of working a case. A timeline is built around a specific incident or user activity, but it also rests on the creation and modification times of the files involved.
Have you ever been questioned about timestamp values while investigating a case? If not, I hope this will be your first chance to look through your own files and notice timestamps that make no logical sense. That is because there is nothing wrong with your timestamps: they only look wrong because of a particular event. I have never seen a filesystem whose timestamps were in error unless they had been modified intentionally.
Today we will go through how timestamps change when files are copied. It seems obvious, but there are cases where the results differ from what you would predict, which is the main reason for writing this article.
The cases tested are the following:
- Copy within the same volume
- Copy between different filesystems
## Original file before copy
- - -
> [!Warning] Experiment Environment
> Basic Filesystem : NTFS
> Operating System : Windows 10
A file was created for the experiment.
Its name is `Forensic-Cheatsheet.txt`; it was created in the `Test` directory
on the `I:\` volume and is 514 bytes in size.
Today's main dish is the timestamps.
So take a look at the initial values.
C-Time (Creation Time) : 2023-11-26 14:30:12
M-Time (Modification Time) : 2023-11-26 14:31:39
A-Time (Access Time) : 2023-11-26 14:31:39
![[Pasted image 20231126143305.jpg]]
Now the `Forensic-Cheatsheet.txt` file will be copied into various locations.
Let's find out how the timestamps change when it is copied.
## Copy between same Volume
First, we copy the target file to another path within the same volume.
Take a look at it.
The copy operation completed at exactly `2023-11-26 14:43:17`.
![[Pasted image 20231126144350.png]]
C-Time : 2023-11-26 14:43:17
M-Time : 2023-11-26 14:31:39
A-Time : 2023-11-26 14:43:17
Copying the file sets the creation time and the access time to the time the copy was performed. The copy operation creates a new file and writes the copied data into it, an operation that touches the file, which is why the `C-Time` and `A-Time` change.
Did you notice anything strange?
If so, you have a keen eye. The `M-Time` is what makes this file odd: the modification timestamp stays the same as the original file's, because the file was copied from it.
What makes it strange is its logical relationship with the other timestamps.
Logically, the creation time must come before the modification time, because a file can only be modified once it exists. But in our sample the logic is reversed: the file appears to have been modified before it was created. We call this the Time Reversal phenomenon during copy.
An investigator who does not know about this phenomenon might think, "Ah, this file's timestamp is corrupted. I must exclude it from my case report since it is not credible," with catastrophic results. Time reversal indicates that the file was copied from another directory, which is important information.
The copy operation is the same in every experiment, so copying across disks or volumes shows the same results as this one.
## Copy between different filesystem
This time we copy the file to a different volume formatted with a different filesystem, FAT. The copy was performed at `2023-11-26 14:57:45`.
![[Pasted image 20231126145904.png]]
The result looks the same but differs slightly: the creation time changed as in the previous experiment, but the access timestamp has lost its time-of-day value.
Keep in mind that time reversal occurs here just as before, so it will not be explained again.
We have to determine whether the Windows UI shows only the date while the full timestamp is stored, or whether the field that holds the value really keeps only the date. If you look at [[FAT#Directory Entry]], the FAT filesystem stores only a date for the A-Time timestamp. This is why no time is displayed in our A-Time.
What we learn from this test is that part of a time value can be lost.
A similar example is the EXT filesystem, which stores timestamps in a 4-byte structure: when a value is copied from FAT or EXT to NTFS or exFAT, the fine-grained part of the time (nanoseconds) disappears. This is because filesystems such as NTFS and exFAT store their timestamps in an 8-byte structure.
So when the operating system changes, the timestamp values will be altered as well.
Please be aware of these changes.
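To turn the two observations above (time reversal on copy, and the date-only or coarser timestamps that come with a filesystem change) into a repeatable check, here is an added Python example that is not part of the original post. It assumes naive datetimes in one local time zone and reads creation time through `os.stat`, whose creation-time field differs by platform.

```python
"""Flag copy indicators in file timestamps (added example, not the post's code).
Assumes naive local-time datetimes; creation time comes from os.stat."""
import os
import sys
from dataclasses import dataclass
from datetime import datetime

@dataclass
class FileTimes:
    path: str
    ctime: datetime  # C-Time, creation
    mtime: datetime  # M-Time, last modification
    atime: datetime  # A-Time, last access

def analyze(ft: FileTimes) -> list:
    """Return anomaly flags for one file, in a fixed order."""
    flags = []
    # Time reversal: a file cannot be modified before it exists, so a
    # C-Time later than M-Time means the content came from an older file.
    if ft.ctime > ft.mtime:
        flags.append("time_reversal")
    # FAT stores only the date for A-Time, so an access stamp of exactly
    # midnight points to a FAT volume somewhere in the file's history.
    if ft.atime.time() == datetime.min.time():
        flags.append("date_only_atime")
    # All three stamps on a whole second: consistent with the sub-second
    # precision lost when copying from a coarser filesystem (heuristic only;
    # tools that set times at 1 s resolution leave the same pattern).
    if all(t.microsecond == 0 for t in (ft.ctime, ft.mtime, ft.atime)):
        flags.append("no_subsecond_precision")
    return flags

def from_stat(path: str) -> FileTimes:
    """Read the three stamps; st_ctime is creation time only on Windows."""
    st = os.stat(path)
    born = st.st_ctime if sys.platform == "win32" else getattr(st, "st_birthtime", st.st_ctime)
    return FileTimes(path, datetime.fromtimestamp(born),
                     datetime.fromtimestamp(st.st_mtime), datetime.fromtimestamp(st.st_atime))

def scan(root: str) -> dict:
    """Map every file under root to its anomaly flags (empty list = clean)."""
    return {os.path.join(d, n): analyze(from_stat(os.path.join(d, n)))
            for d, _, names in os.walk(root) for n in names}

if __name__ == "__main__":
    for path, flags in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        if flags:
            print(path, ", ".join(flags))
```

Run it against a mounted evidence tree to list files whose timestamps contradict their own history; a flagged file is a lead to investigate, not proof on its own.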
We have seen how timestamps change when files are copied to various paths. The key points to remember are that Time Reversal happens and that small errors appear when the filesystem changes.
This may seem minor, but it can be a valuable hint, giving you evidence that files were copied, which makes it significant. So when you see a logical error in file timestamps, instead of excluding it from your case, investigate why such a paradoxical timestamp exists.