How to prove the last modified time of a file?
Hi Habr! Various people periodically come to me, sometimes with things so odd that it is even a bit awkward. For example, yesterday a friend asked for an expert opinion on the date a file was last modified.
Of course, I wrote the expert opinion :) Bound and numbered, stamped all over; courts like that approach. But while I was preparing this opinion, I hit a dead end: how can I really prove it?
Any file has at least 3 dates: the time the file was created, the time it was last modified, and the time it was last accessed. These dates do not stand up to any scrutiny: with a regular touch you can instantly change a file's date, even to one in the distant future.
I opened the file in a HEX editor; it differs from file to file, but as a rule there is at least a record of the date the file was created. But this entry can also be changed, although it is a little more complicated than with touch :)
There are, of course, logs, but the logs are just files too; having access to the system, you can do anything with them.
In general, I now think that, in theory, there is no way to prove the time a file was modified, unless it is some special crypto format or something like that. Today, along the way, I even came up with the idea of adding a label to the file that would work roughly like the half-life of carbon. That is, when the file is created, a label is created with a value of 100, which then decreases or increases, it does not matter which.
In general, the essence of the question is: how to prove the time of the last modification of a file, so that a reasonable IT person accepts the evidence? Thank you!
It seems to me that this is something from the category of unsolvable problems. How, for example, do you prove that a given file is the "original" and not a "copy"? :-)
File attributes are the domain of the file system. That is one.
Second: almost all DLP systems are able to monitor FS objects and keep a history of the states of these objects. If the DLP is certified, you have proof based on the object's change log. The same goes for the issue of file copies. First copy = original. The version count begins with it; the rest = copies.
But I want to note that all this happens inseparably from the FS. Without a file system, the file itself is information that, purely logically, has no attributes (age, color, theme, purpose, owner, etc.); these attributes appear only within something. Therefore, a "location on the ground" is required.
Any timestamp rests on the reliability of the clock on which it was made. How do you determine that the system clock has not been adjusted?
I personally would only accept evidence from an independent third party: an email or an archive attachment.
If we fantasize a bit: a certain sector is magnetized during recording and naturally demagnetizes a little over time; somehow measure the sector's current magnetization and estimate how much time has passed since the recording.
It matches the version of the file stored on an external, uninterested and trusted source.
For example, an attachment to a letter in Gmail with a note about the date it was received by the server.
Well, if daily logs with a list of files and their data are written to DVD-R, I think this can be considered good proof. Only if it is known that no one knew in advance which particular file would be of interest to the investigation and when, and did not change its date specifically for the logs or in the logs themselves.
A journaled file system, where each journal element is signed with the user's digital signature. That way you can exclude falsification of time by third parties. To exclude time forgery by the user himself, send the hash of the file to a server, which certifies the modification of the file with its signature: "System ID such and such, file such and such, hash of the changes (or hashes of the file before/after) such and such, date, time, digital signature".
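The receipt scheme described in the answer above, as an added example that is not part of the original thread. The server's digital signature is stood in for by an HMAC under a key only the server holds; that is a simplification for a self-contained script (a real service would use an asymmetric signature such as RSA or Ed25519 so anyone can verify with the public key). The system identifier, file names, file contents and the issue time are all constructed here.

```python
"""Added example (not from the thread): a minimal hash-timestamping receipt.

The client sends the hashes of the file before and after the change; the
server binds them to its own clock and signs the whole statement.  The
signature is an HMAC here (assumption: the verifier shares the server key),
where a real timestamping service would use an asymmetric signature.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SERVER_KEY = b"constructed-demo-server-key"   # constructed; a real server keeps this secret
SYSTEM_ID = "workstation-17"                  # constructed system identifier

# Constructed file contents standing in for the file before and after an edit.
ORIGINAL = b"Contract draft v1\n"
EDITED = b"Contract draft v2 - price changed\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(fields: dict) -> bytes:
    # The signature covers a canonical encoding, so reordering or re-serialising
    # the fields cannot produce a second valid receipt for different content.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(system_id, filename, hash_before, hash_after, issued_at=None):
    """Server side: certify that `filename` on `system_id` went from
    `hash_before` to `hash_after`.  The time comes from the server's clock,
    never from the client, which is the whole point of involving a third party."""
    if issued_at is None:
        issued_at = datetime.now(timezone.utc)
    fields = {
        "system_id": system_id,
        "file": filename,
        "hash_before": hash_before,
        "hash_after": hash_after,
        "issued_at": issued_at.isoformat(),
    }
    fields["signature"] = hmac.new(SERVER_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


def verify_receipt(receipt, current_content: bytes) -> bool:
    """Verifier side: the signature must cover every field unchanged, and the
    file as it exists now must still hash to the certified 'after' value.
    Editing the file, the hashes or the timestamp after issuance fails here."""
    body = {k: v for k, v in receipt.items() if k != "signature"}
    expected = hmac.new(SERVER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt.get("signature", "")):
        return False
    return hmac.compare_digest(receipt["hash_after"], sha256_hex(current_content))


def demo():
    """Issue one receipt and check it against three situations."""
    receipt = issue_receipt(
        SYSTEM_ID, "contract.txt", sha256_hex(ORIGINAL), sha256_hex(EDITED),
        issued_at=datetime(2013, 2, 22, 10, 15, 30, tzinfo=timezone.utc),  # constructed
    )
    return {
        "file matches certified version": verify_receipt(receipt, EDITED),
        "file edited after receipt": verify_receipt(receipt, EDITED + b"later edit\n"),
        "timestamp backdated in receipt": verify_receipt(
            dict(receipt, issued_at="2012-01-01T00:00:00+00:00"), EDITED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

Only the first case verifies; a later edit changes the hash, and a backdated receipt no longer matches its signature. What the receipt proves is that the certified content existed no later than the server's time, which is exactly the kind of evidence an outside party can check without trusting the file system of the machine in question.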
Without the involvement of a third party or the use of physical methods (radioactive tags, self-demagnetizing HDDs ...), I'm afraid there is no way.
Retroactively, from already existing files: definitely not.
By and large, it depends on the type of file and the environment in which it was found. Somewhere you can find additional metadata, somewhere links that roughly confirm the file was created in a certain program during a certain period. You should also not forget about temporary and deleted files (this is especially true for various document formats).
In the NTFS file system, a file's time attributes are contained in the file record for each file in the master file table (MFT). And oddly enough, the file has exactly 8 of them, not 3 as we are used to. Two structures, $STANDARD_INFORMATION and $FILE_NAME, hold the time attributes, and each of them contains: the date and time the file was created, the date and time it was last modified, the date and time it was last accessed, and the date and time the information in the file record was last modified. Correct evaluation of the time attributes from the $STANDARD_INFORMATION and $FILE_NAME structures makes it possible to restore the chronology of events correctly and understand when and how the parameters changed.
https://xakep.ru/2013/02/22/60167/
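The two timestamp sets described in the answer above, read out of an MFT record and compared, as an added example that is not part of the original thread or the linked article. The record is constructed inside the script (no disk image is read), it skips the update-sequence fixups a real 1024-byte record carries, and the comparison rules are stated as assumptions in the code.

```python
"""Added example (not from the thread): parse $STANDARD_INFORMATION and
$FILE_NAME timestamps from one NTFS MFT FILE record and compare them.

Assumptions of this example: the record is resident and constructed below,
the update-sequence fixups of a real record are not applied (a real parser
must apply them first), and the two comparison rules are heuristics only.
"""
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TIME_FIELDS = ("created", "modified", "mft_modified", "accessed")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def iter_resident_attributes(record: bytes):
    """Yield (type, content) for every resident attribute in the record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 20)[0]          # first attribute offset
    while offset + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or attr_len == 0:
            return
        if record[offset + 8] == 0:                            # non-resident flag clear
            content_len, content_off = struct.unpack_from("<IH", record, offset + 16)
            start = offset + content_off
            yield attr_type, record[start:start + content_len]
        offset += attr_len


def extract_timestamps(record: bytes) -> dict:
    """Return the raw FILETIME values of both structures: 4 + 4 = 8 timestamps."""
    found = {}
    for attr_type, content in iter_resident_attributes(record):
        if attr_type == ATTR_STANDARD_INFORMATION:
            found["$STANDARD_INFORMATION"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", content, 0)))
        elif attr_type == ATTR_FILE_NAME and "$FILE_NAME" not in found:
            # the 8-byte parent directory reference precedes the four timestamps
            found["$FILE_NAME"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", content, 8)))
    return found


def timestomp_indicators(ts: dict) -> list:
    """Heuristics (assumptions of this example): $FILE_NAME times are maintained
    by the kernel and are not touched by the ordinary SetFileTime API, so
    $STANDARD_INFORMATION values that predate the $FILE_NAME creation time, or
    that have an exactly zero sub-second part, deserve a closer look."""
    si, fn = ts["$STANDARD_INFORMATION"], ts["$FILE_NAME"]
    findings = []
    for field in TIME_FIELDS:
        if si[field] < fn["created"]:
            findings.append(f"$SI {field} predates $FN created")
        if si[field] % 10_000_000 == 0:
            findings.append(f"$SI {field} has a zero sub-second part")
    return findings


def _resident_attribute(attr_type: int, content: bytes) -> bytes:
    length = (24 + len(content) + 7) & ~7                     # attributes are 8-byte aligned
    header = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return header + content + bytes(length - 24 - len(content))


def build_record(si_time: int, fn_time: int, name: str = "report.docx") -> bytes:
    """Constructed test data: a minimal record whose $SI and $FN times are given."""
    si = struct.pack("<4QIIII", *([si_time] * 4), 0x20, 0, 0, 0)      # 0x20 = ARCHIVE flag
    fn = struct.pack("<Q4QQQIIBB", 5, *([fn_time] * 4), 4096, 3000, 0x20, 0, len(name), 1)
    fn += name.encode("utf-16-le")
    header = bytearray(56)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 20, 56)                     # attributes start after the header
    body = (bytes(header) + _resident_attribute(ATTR_STANDARD_INFORMATION, si)
            + _resident_attribute(ATTR_FILE_NAME, fn) + struct.pack("<I", ATTR_END))
    return body + bytes(1024 - len(body))


# Constructed times: a real-looking value with a sub-second part, and a whole-second backdate.
HONEST_TIME = datetime_to_filetime(datetime(2013, 2, 22, 10, 15, 30, tzinfo=timezone.utc)) + 1_234_567
BACKDATED_TIME = datetime_to_filetime(datetime(2012, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    cases = (("untouched", build_record(HONEST_TIME, HONEST_TIME)),
             ("backdated $SI", build_record(BACKDATED_TIME, HONEST_TIME)))
    for label, rec in cases:
        ts = extract_timestamps(rec)
        for attr, fields in ts.items():
            print(label, attr, {k: filetime_to_datetime(v).isoformat() for k, v in fields.items()})
        print(label, "indicators:", timestomp_indicators(ts) or "none")
```

The untouched record yields no findings; the record whose $STANDARD_INFORMATION was set back to 2012 while $FILE_NAME still says 2013 trips both rules on all four fields. Neither rule is proof on its own (a legitimate copy or restore from backup also produces $SI times older than $FN), which is why the answer talks about evaluating both structures together rather than reading one of them.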