[unisog] Do Windows file access, file mod, file create timestamps lie?
marchany at vt.edu
Fri Sep 14 22:14:35 GMT 2007
One of the guys in my group tried to post to the list but got a failure.
Apologies if this is a duplicate. It's a question that's bothering us and
we're trying to see how this impacts us in a forensic investigation.
--------------------------------From Brad Tilley-------------------
In an effort to monitor access to files that might contain sensitive
data, we've been experimenting with Windows timestamps. We have found
that timestamps do not change when the files are viewed, printed or
copied (basic file reads). We wrote some scripts to monitor the
timestamps while various read access was occurring. Below are the
results... perhaps we're way off base here and there is a simple
explanation for this, but if timestamps on Windows are really as
indifferent as they seem to be to reads, we're wondering how or if we
can rely on them. Any input or feedback is welcome... Brad
Please note that the win32file.GetFileAttributesEx() function is four hours
(19:00) ahead, while the Python os.stat() function has the correct
(15:00) time.
---------------------------------------
Created a zero byte text file named 'wup.txt' 09/14/07 15:09:39
(33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
09/14/07 15:09:39 Create
09/14/07 15:09:39 Modify
09/14/07 15:09:39 Access
0 Bytes
(32, <PyTime:9/14/2007 7:09:39 PM>, <PyTime:9/14/2007 7:09:39 PM>,
<PyTime:9/14/2007 7:09:39 PM>, 0)
09/14/07 19:09:39 win32 Create
09/14/07 19:09:39 win32 Modify
09/14/07 19:09:39 win32 Access
0 Bytes
------------------------------------------
Opened 'wup.txt' in Notepad, viewed it, then closed 09/14/07 15:14:38
(33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
09/14/07 15:09:39 Create
09/14/07 15:09:39 Modify
09/14/07 15:09:39 Access
0 Bytes
(32, <PyTime:9/14/2007 7:09:39 PM>, <PyTime:9/14/2007 7:09:39 PM>,
<PyTime:9/14/2007 7:09:39 PM>, 0)
09/14/07 19:09:39 win32 Create
09/14/07 19:09:39 win32 Modify
09/14/07 19:09:39 win32 Access
0 Bytes
------------------------------------------
Opened 'wup.txt' in Wordpad, viewed it, then closed 09/14/07 15:17:04
(33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
09/14/07 15:09:39 Create
09/14/07 15:09:39 Modify
09/14/07 15:09:39 Access
0 Bytes
(32, <PyTime:9/14/2007 7:09:39 PM>, <PyTime:9/14/2007 7:09:39 PM>,
<PyTime:9/14/2007 7:09:39 PM>, 0)
09/14/07 19:09:39 win32 Create
09/14/07 19:09:39 win32 Modify
09/14/07 19:09:39 win32 Access
0 Bytes
------------------------------------------
I printed 'wup.txt' from Wordpad to a printer 09/14/07 15:20:09
(33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
09/14/07 15:09:39 Create
09/14/07 15:09:39 Modify
09/14/07 15:09:39 Access
0 Bytes
(32, <PyTime:9/14/2007 7:09:39 PM>, <PyTime:9/14/2007 7:09:39 PM>,
<PyTime:9/14/2007 7:09:39 PM>, 0)
09/14/07 19:09:39 win32 Create
09/14/07 19:09:39 win32 Modify
09/14/07 19:09:39 win32 Access
0 Bytes
------------------------------------------
I copied 'wup.txt' to 'Copy of wup.txt' 09/14/07 15:24:07
(33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
09/14/07 15:09:39 Create
09/14/07 15:09:39 Modify
09/14/07 15:09:39 Access
0 Bytes
(32, <PyTime:9/14/2007 7:09:39 PM>, <PyTime:9/14/2007 7:09:39 PM>,
<PyTime:9/14/2007 7:09:39 PM>, 0)
09/14/07 19:09:39 win32 Create
09/14/07 19:09:39 win32 Modify
09/14/07 19:09:39 win32 Access
0 Bytes
------------------------------------------
I typed 'Brad' into the 'wup.txt' file 09/14/07 15:25:13
(33206, 0L, 2, 1, 0, 0, 4L, 1189797892, 1189797892, 1189796979)
09/14/07 15:09:39 Create
09/14/07 15:24:52 Modify
09/14/07 15:24:52 Access
4 Bytes
(32, <PyTime:9/14/2007 7:09:39 PM>, <PyTime:9/14/2007 7:24:52 PM>,
<PyTime:9/14/2007 7:24:52 PM>, 4)
09/14/07 19:09:39 win32 Create
09/14/07 19:24:52 win32 Modify
09/14/07 19:24:52 win32 Access
4 Bytes
------------------------------------------
Randy Marchany (for Brad Tilley)
VA Tech IT Security Office.
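Added example (not Brad's script, which the post does not include): the same before/after timestamp comparison done with os.stat() only, so it runs on any platform, with a read step and a step that appends 'Brad' as in the last listing above. render() also shows that GetFileAttributesEx's 19:09:39 and os.stat's 15:09:39 are the same epoch value, once as UTC and once in local time, assuming a fixed UTC-4 offset for the poster's zone.

```python
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone

FIELDS = ("st_ctime", "st_mtime", "st_atime", "st_size")

def snapshot(path):
    """Record create/change, modify and access times plus size via os.stat()."""
    st = os.stat(path)
    return {f: getattr(st, f) for f in FIELDS}

def changed_fields(before, after):
    """Names of the recorded fields that differ between two snapshots."""
    return [f for f in FIELDS if before[f] != after[f]]

def observe(path, operation):
    """Run operation(path) and return which metadata fields it changed.
    An empty list after a read is the 'indifferent' result in the post: the
    access time then cannot prove that anyone viewed the file."""
    before = snapshot(path)
    operation(path)
    return changed_fields(before, snapshot(path))

def read_file(path):
    """A plain read, like viewing the file in Notepad or Wordpad."""
    with open(path, "rb") as fh:
        fh.read()

def append_text(path, text="Brad"):
    """A write, like typing 'Brad' into the file."""
    with open(path, "a") as fh:
        fh.write(text)

def render(epoch, tz):
    """Render an os.stat() epoch value in the post's MM/DD/YY format.
    os.stat() was printed in local time; GetFileAttributesEx returns UTC,
    so the two listings differ by exactly the zone offset, not by a bug."""
    return datetime.fromtimestamp(epoch, tz).strftime("%m/%d/%y %H:%M:%S")

UTC = timezone.utc
EASTERN_DST = timezone(timedelta(hours=-4))  # assumed: poster's local zone

def run_experiment():
    """Create a zero-byte 'wup.txt' in a temp dir (constructed, disposable),
    read it, then write to it, and return what each step changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wup.txt")
        open(path, "w").close()
        read_result = observe(path, read_file)
        time.sleep(1.1)  # step past coarse filesystem timestamp granularity
        write_result = observe(path, append_text)
    return {"read": read_result, "write": write_result}
```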