MFT Date Comparator
This script is designed to identify NTFS files/folders whose timestamps may have been adjusted, possibly in an attempt to divert an examiner's attention from them.
The script works by comparing the timestamps stored in the Standard Information Attribute (SIA, $STANDARD_INFORMATION) with those stored in the File Name Attribute (FNA, $FILE_NAME). Utilities that change timestamps typically go through the Windows file-time API, which modifies only the dates/times stored in the former, not the latter.
Note that the script will only read a file or folder's FNA if it's stored in its base MFT record. Also, 4K MFT records are not supported.
The comparison tests for a number of things, each of which is reported as a flag -
'TimeStomp' - TimeStomp is a purpose-built anti-forensics tool capable of manipulating timestamps. One thing that sets it apart from other date/time utilities is its ability to write invalid date/time values to files/folders on NTFS volumes. These values are shown as blanks in EnCase and are therefore quite easy to spot; this flag is reported when one or more of the SIA timestamps hold such a value. TimeStomp does not change the timestamps stored in the FNA, so those can still be read and remain useful. Note that changes in later versions of Windows (i.e. from Win2K SP4 and WinXP SP2 onwards) prevent TimeStomp from setting invalid dates, although it can still set valid ones.
'Created' - the difference in the created date/time stored in the SIA compared to that stored in the FNA exceeds the limit specified by the user. The default limit is approximately one year.
'Accessed' - the last-accessed date/time stored in the SIA is earlier than that stored in the FNA. Note that this will identify a large number of innocuous Vista files.
Each flag, whether raised on its own or together with others, may indicate that some form of date/time manipulation has taken place, but this is not always malicious: the timestamps of files extracted from an archive, for instance, are often set back to their original values.
The examiner can choose the files that he/she wishes to process, and the results can be filtered according to the flags detailed above.
When checking created and accessed timestamps, the examiner has the option to report only those files that have one or more SIA timestamps falling on an exact second, i.e. with a zero fractional-second component. This may be a further indication that a timestamp has been set by hand, although files extracted from archive formats that do not store high-precision timestamps will usually show the same characteristic.
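As an added example (Python, not the EnScript's own code) of the comparison described by the flags above and by the rounded-second option: it builds three constructed 1024-byte base MFT records with resident $STANDARD_INFORMATION and $FILE_NAME attributes, applies the update-sequence fixups, reads the four timestamps from each attribute, and reports the 'TimeStomp', 'Created' and 'Accessed' flags. The sample file names and timestamps are constructed, and treating a raw value of zero, or one that no valid date maps to, as 'invalid' is this example's assumption about what the blank timestamps are.

```python
# Added example (not the EnScript's own code); records, names and timestamps below are constructed.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # a FILETIME counts 100-ns intervals
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TIMES = ("created", "modified", "mft_modified", "accessed")

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
MAX_TICKS = datetime_to_filetime(datetime.max.replace(tzinfo=timezone.utc))

def filetime_to_datetime(ticks):
    """UTC datetime, or None for a raw value no valid date maps to (this example's
    reading of 'invalid': zero, or beyond the year 9999)."""
    if not 0 < ticks <= MAX_TICKS:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def apply_fixups(record, sector=512):    # restore each sector's real last two bytes
    rec = bytearray(record)
    sig, usa_off, usa_count = struct.unpack_from("<4sHH", rec, 0)
    if sig != b"FILE":
        raise ValueError("not a FILE record")
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(record):                # raw SIA/FNA timestamps + name from first $FN
    rec = apply_fixups(record)
    off, _flags, _used, _alloc, base_ref = struct.unpack_from("<HHIIQ", rec, 0x14)
    out = {"base_record": base_ref == 0, "si": None, "fn": None, "name": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                              # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                out["si"] = dict(zip(TIMES, struct.unpack_from("<4Q", body, 0)))
            elif atype == ATTR_FN and out["fn"] is None:
                out["fn"] = dict(zip(TIMES, struct.unpack_from("<4Q", body, 8)))
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out

def compare(parsed, created_limit=timedelta(days=365), rounded_only=False):
    """Flags for one record: 'TimeStomp', 'Created', 'Accessed' (in that order)."""
    flags, si, fn = [], parsed["si"], parsed["fn"]
    if si is None or fn is None or not parsed["base_record"]:
        return flags                       # FNA is only read from base records
    si_dt = {k: filetime_to_datetime(v) for k, v in si.items()}
    fn_dt = {k: filetime_to_datetime(v) for k, v in fn.items()}
    if any(d is None for d in si_dt.values()):
        flags.append("TimeStomp")
    if rounded_only and not any(si[k] % TICKS_PER_SECOND == 0
                                for k, d in si_dt.items() if d is not None):
        return flags                       # no SIA timestamp on a whole second
    c_si, c_fn = si_dt["created"], fn_dt["created"]
    if c_si and c_fn and abs(c_si - c_fn) > created_limit:
        flags.append("Created")
    a_si, a_fn = si_dt["accessed"], fn_dt["accessed"]
    if a_si and a_fn and a_si < a_fn:
        flags.append("Accessed")
    return flags

def build_record(si_times, fn_times, name):   # constructed 1024-byte base record
    def attr(atype, body):                 # resident, unnamed attribute
        total = (0x18 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0,
                          len(body), 0x18, 0, 0)
        return hdr + body + b"\0" * (total - 0x18 - len(body))
    si = struct.pack("<4QIIII", *si_times, 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_times, 4096, 1234, 0x20, 0,
                     len(name), 3) + name.encode("utf-16-le")
    attrs = attr(ATTR_SI, si) + attr(ATTR_FN, fn) + struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec = bytearray(hdr + b"\0" * 8 + attrs) + b"\0" * (1024 - 0x38 - len(attrs))
    usn = b"\x07\x00"                      # arbitrary update sequence number
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]
    rec[510:512] = rec[1022:1024] = usn    # fixups, as stored on disk
    return bytes(rec)

REAL = datetime(2023, 8, 14, 9, 21, 37, 123456, tzinfo=timezone.utc)
BACKDATED = datetime(2003, 5, 1, 12, 0, tzinfo=timezone.utc)    # lands on a whole second
R, B = datetime_to_filetime(REAL), datetime_to_filetime(BACKDATED)
SAMPLES = {"untouched.docx": ([R] * 4, [R] * 4),   # name: (SIA times, FNA times)
           "backdated.exe": ([B] * 4, [R] * 4), "blanked.dll": ([0] * 4, [R] * 4)}

def run_samples(rounded_only=False):
    return {name: compare(parse_record(build_record(si, fn, name)), rounded_only=rounded_only)
            for name, (si, fn) in SAMPLES.items()}
```

run_samples() returns each constructed file's flag list: the untouched file gets none, the backdated one gets 'Created' and 'Accessed', and the blanked one gets 'TimeStomp'. The fixup step matters on real records: without it, the last two bytes of each 512-byte sector still hold the update sequence number, and any field that straddles a sector end reads wrongly. Against a real volume, records would come from the $MFT file rather than build_record.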
Output is via the console, bookmarks, and a tab-separated-value (TSV) file that can be opened in MS Excel or another compatible spreadsheet/database program.
The raw integer value of each timestamp is written to the console and to the bookmarks, but not to the TSV file.
Bookmarking a large number of files will take some time, so it is optional.
Dates are shown taking into account the evidence file's time-zone settings.
This script was developed for use in EnCase training.