How can I prove a file was/wasn't modified given only one copy of the file

I have a question. How is it possible to absolutely verify if a file's creation date, modified date, or access date has been artificially modified? There is no MD5 or other checksum from the original file when it was created.

With a program such as Attribute Magic Pro I can change creation date, modified date or access date. I can also even modify image info such as Camera Make, Model, and more.
??? In my estimation it is virtually impossible.

Just wondering if anyone knew.

Thanks for any info

X


Sure, there are a number of applications designed to alter all sorts of File and OS metadata, and in general, that’s difficult to detect.

However, there are various artifacts in the system that under analysis can yield information to point to the truth. Basically, Windows being Windows, it creates copies of OS metadata in various places, which most (if not all) of the common applications don’t get. These can be compared to reveal that the file’s timestamps have been modified artificially.

There are also ways to check for the accuracy of File metadata as well. These will depend on the specific type of file involved, and the application that created it. Even if metadata tampering alters some of this information, an examination of the file in a hex editor can help reveal truth as well (header info, etc).

Many files (of different types) are actually almost like multiple separate file-pieces all mashed together. The “pieces” when viewed separately, contain a wealth of information (what some might call “hidden” data) about the file’s creation and history.

HTH,

LM

Any good suggestions on where I can find more info on this (books, forums, etc.)? I found some info on metadata for Tracked Changes in Word, but this must have been turned on and can be deleted later by turning off this feature.
I have played with a metadata editor (Attribute Magic Pro) and it makes no changes to the hex or the MD5 of a Word or text file or even an exe when I change the attributes.

The info has to be stored elsewhere, or as you said the file is actually multiple files mashed together, kind of like an ADS (however these only apply to NTFS). How do I get to these files?

I need more info

Thanks for your help already

X

For resources, I would suggest you check out Forensic Focus as a starting point. From there, Harlan Carvey and Didier Stevens’ blogs. Carvey has an excellent book out as well.

Accessing the various “pieces” of a file is going to be extremely difficult (not something I can really explain in a forum setting) and commonly involves the use of expensive, specialized software. You can sometimes “see” this by looking at the file as a binary file in Linux, especially where file formats (especially for things like MS Office) are actually compound files (almost like a zip) where things like OLE come into play. These “pieces” are kind of like ADS.

Most of that information is proprietary to the creators of the application that writes the file, and they’re not publicly releasing it. ;( All of these things make up part of a file’s “signature” (not meaning like a hash signature); some things like file headers and footers can be dug up more or less publicly, which can help identify some file info.

As for the time-stamp-specific artifacts, that’s something that requires system analysis, rather than just file analysis, but it will be as it relates to a given file (or files). This has to do with comparing the Standard Information Attribute (SIA) to the File Name Attribute (FNA).

Obviously, the majority of that stuff is dealing with Windows only… :wink:

LM

PS: You mentioned text files; they really don’t have a lot of info to change (or recover).
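The SIA-vs-FNA comparison LM describes, as an added example that is not part of the original thread: each NTFS file has two sets of timestamps in its MFT record, the $STANDARD_INFORMATION ones that attribute editors rewrite and the $FILE_NAME ones that only the kernel sets, so reading both out of the record and comparing them is one way to spot a stomped timestamp. The parser below assumes the standard MFT resident-attribute layout, the sample record is constructed inline (not taken from a real disk), and obtaining real records still requires access to the volume, which is the "system analysis" LM refers to.

```python
import struct

NAMES = ("created", "modified", "mft_modified", "accessed")

def parse_mft_timestamps(record):
    # Walk the resident attributes of one MFT FILE record and return the four
    # FILETIME values from $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30).
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]      # first attribute offset
    out = {}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:             # end-of-attributes marker
            break
        if record[off + 8] == 0:                         # resident attribute only
            csize, coff = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + coff:off + coff + csize]
            if atype == 0x10:
                out["si"] = struct.unpack_from("<4Q", body, 0)
            elif atype == 0x30:
                out["fn"] = struct.unpack_from("<4Q", body, 8)  # after parent ref
        off += alen
    return out

def timestomp_indicators(ts):
    # Heuristics, not proof: FN timestamps are copied by the kernel at creation or
    # rename and are not reachable by user-mode attribute editors, so an SI value
    # that predates its FN counterpart, or an SI value whose 100-ns sub-second part
    # is exactly zero (tools that set whole seconds), is worth a closer look.
    hits = []
    for name, si, fn in zip(NAMES, ts["si"], ts["fn"]):
        if si < fn:
            hits.append(f"SI {name} earlier than FN {name}")
        if si % 10_000_000 == 0:
            hits.append(f"SI {name} has a zero sub-second component")
    return hits

def build_record(si_times, fn_times):
    # Constructed, minimal MFT record with one resident SI and one FN attribute.
    def attr(atype, body):
        body += b"\0" * (-len(body) % 8)                 # 8-byte align the attribute
        hdr = struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0,
                          len(body), 24, 0, 0)
        return hdr + body
    si = attr(0x10, struct.pack("<4Q", *si_times) + b"\0" * 16)
    fn = attr(0x30, struct.pack("<5Q", 5, *fn_times) + b"\0" * 26)  # parent ref 5
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)
    return bytes(hdr) + si + fn + struct.pack("<I", 0xFFFFFFFF)
```

Real records come from the volume's $MFT (1024 bytes each), and a hit only says the SI timestamps disagree with the FN copy; the other Windows artifacts LM mentions are what corroborate it.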

Actually my problem is that system access may not be possible, but without this access, and with documentation to prove that this is required, I can show that the changing of a date is possible and cannot be disproved without a forensic analysis of the machine on which it was created. I will do some playing with examining the binaries of some files using Linux, and Word files with metadata that has been artificially altered.

Thanks
X

I will give you a chance to respond and close the topic in 24 hours

So a file can be changed but not say it's changed! Wow…how?

Not sure what you mean by:

> problem is that system access may not be possible

??

> I can show that the changing of a date is possible

Absolutely. Quite a few apps exist to do just that.

> and can not be disproved without a forensic analysis

Yeah, and as I said in the PM, may not be admissible in court, either.

> of the machine on which it was created.

May require comparison between more than one machine for modification/properties in order to be thorough and accurate.

You can keep the topic open and ask more questions, or not. I’ll answer what I can (with limitations for complexity, intellectual property or other infringement, etc).

LM

LM and BBAC

You both might find this interesting, although most of it is probably not new info to you (LM). It's a 53-minute YouTube video from September 04, 2007:
LayerOne 2006 - Paul Henry - Anti-Forensics
Paul Henry is a VP at Secure Computing. In this video he discusses computer forensics and methods people use to circumvent forensic techniques.

Tnx, X, and yes I’ve come across that before.

LM