[unisog] Do Windows file access, file mod, file create timestamps lie?

Ken Connelly Ken.Connelly at uni.edu
Sat Sep 15 00:39:33 GMT 2007


I'll bite...  And I'm scratching my head, because this is not at all 
what I would expect.  I would think that the access time would be 
modified for each of your actions.  I'm wondering if the 0-byte file 
size has anything to do with what you're seeing here.  I don't know why 
that would make a difference, but it's the only thing I can suggest as a 
possible reason.

-ken

marchany at vt.edu wrote:
> One of the guys in my group tried to post to the list but got a failure. 
> Apologies if this is a duplicate. It's a question that's bothering us and 
> we're trying to see how this impacts us in a forensic investigation.
>
> --------------------------------From Brad Tilley-------------------
>
> In an effort to monitor access to files that might contain sensitive
> data, we've been experimenting with Windows timestamps. We have found
> that timestamps do not change when the files are viewed, printed or
> copied (basic file reads). We wrote some scripts to monitor the
> timestamps while various read access was occurring. Below are the
> results... perhaps we're way off base here and there is a simple
> explanation for this, but if timestamps on Windows are really as
> indifferent as they seem to be to reads, we're wondering how or if we
> can rely on them. Any input or feedback is welcome... Brad
>
> Please note the win32file.GetFileAttributesEx() function is four hours
> (19:00) ahead while the python os.stat() function has the correct
> (15:00) time.
>
> ---------------------------------------
>
>   Created a zero byte text file named 'wup.txt' 09/14/07 15:09:39
>
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
>
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
>
>   ------------------------------------------
>
>   Opened 'wup.txt' in Notepad, viewed it, then closed 09/14/07 15:14:38
>
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
>
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
>
>   ------------------------------------------
>
>   Opened 'wup.txt' in Wordpad, viewed it, then closed 09/14/07 15:17:04
>
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
>
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
>
>   ------------------------------------------
>
>   I printed 'wup.txt' from Wordpad to a printer 09/14/07 15:20:09
>
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
>
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
>
>   ------------------------------------------
>
>   I copied 'wup.txt' to 'Copy of wup.txt' 09/14/07 15:24:07
>
>   (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:09:39 Modify
>   09/14/07 15:09:39 Access
>   0 Bytes
>
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
> <PyTime:9/14/2007 7:09:39 PM, 0)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:09:39 win32 Modify
>   09/14/07 19:09:39 win32 Access
>   0 Bytes
>
>   ------------------------------------------
>
>   I typed 'Brad' into the 'wup.txt' file 09/14/07 15:25:13
>
>   (33206, 0L, 2, 1, 0, 0, 4L, 1189797892, 1189797892, 1189796979)
>   09/14/07 15:09:39 Create
>   09/14/07 15:24:52 Modify
>   09/14/07 15:24:52 Access
>   4 Bytes
>
>   (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:24:52 PM,
> <PyTime:9/14/2007 7:24:52 PM, 4)
>   09/14/07 19:09:39 win32 Create
>   09/14/07 19:24:52 win32 Modify
>   09/14/07 19:24:52 win32 Access
>   4 Bytes
>
>   ------------------------------------------
>
> Randy Marchany (for Brad Tilley)
> VA Tech IT Security Office.
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
>   
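The 4-hour gap in the quoted output is a UTC/local difference: epoch 1189796979 is 2007-09-14 19:09:39 UTC, which is 15:09:39 in EDT, so `GetFileAttributesEx()` is reporting UTC while `os.stat()` is rendered in local time. The script below (an added example, not the VT scripts) reproduces the experiment with a snapshot-and-diff of `os.stat()` and renders the post's own epoch values both ways; it assumes EDT (UTC-4) as the poster's zone and uses a temp file named `wup.txt` as sample input.

```python
"""Snapshot/diff of os.stat() timestamps, plus UTC vs EDT rendering of the
epoch values quoted in the thread. Added example; EDT (UTC-4) is assumed."""
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed local zone of the poster: 19:09 (win32) - 15:09 (os.stat) = 4h.
EDT = timezone(timedelta(hours=-4), "EDT")
POST_EPOCH = 1189796979  # the value printed by os.stat() in the post


def snapshot(path):
    """Return stat() times as integer epoch seconds, plus size."""
    st = os.stat(path)
    return {"atime": int(st.st_atime), "mtime": int(st.st_mtime),
            "ctime": int(st.st_ctime), "size": st.st_size}


def changed_fields(before, after):
    """Sorted names of the fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def render(epoch, tz):
    """Format an epoch value in tz, in the MM/DD/YY HH:MM:SS style of the post."""
    return datetime.fromtimestamp(epoch, tz).strftime("%m/%d/%y %H:%M:%S")


def explain_four_hour_gap(epoch):
    """Same instant as UTC (what the win32 call showed) and as EDT (os.stat)."""
    return render(epoch, timezone.utc), render(epoch, EDT)


def read_then_write_demo():
    """Repeat the experiment: read a zero-byte file, then write 4 bytes.

    Returns the fields changed by the read and by the write, relative to a
    baseline whose atime/mtime were pinned to the post's epoch value so a
    real update is visible even within the same second.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wup.txt")
        open(path, "w").close()                      # zero-byte file
        os.utime(path, (POST_EPOCH, POST_EPOCH))     # pin atime and mtime
        base = snapshot(path)
        with open(path) as fh:                       # basic read, as in Notepad
            fh.read()
        after_read = changed_fields(base, snapshot(path))
        with open(path, "a") as fh:                  # the 'Brad' write
            fh.write("Brad")
        after_write = changed_fields(base, snapshot(path))
        return after_read, after_write
```

Whether the read updates `atime` depends on the platform and mount options (Windows read-time updates may be disabled, Linux commonly mounts with relatime), which is the uncertainty the thread is about; the write always moves `mtime` and `size`.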

