MFT Date Comparator
This script is designed to identify NTFS files/folders whose dates/times may have been adjusted, possibly in an attempt to divert an examiner's attention away from their presence.
It works by comparing the dates/times stored in the Standard Information Attribute (SIA) to those stored within the File Name Attribute (FNA). Utilities that change date/time stamps invariably modify only the dates/times stored in the SIA, not those in the FNA. Note that the script only reads a file or folder's File Name Attribute if it is stored in its base MFT record.
The comparison tests for a number of things, each of which is reported as a flag:
'TimeStomp' - TimeStomp is a purpose-built anti-forensics tool capable of manipulating date/time stamps. One thing that sets it apart from other date/time utilities is the ability to set invalid date/time values for files/folders on NTFS volumes. These values are shown as blanks in EnCase and are therefore quite easy to spot. That said, TimeStomp does not change the dates/times stored in the FNA, so they can still be read with this script. Changes in later versions of Windows (from SP4 in Win2K and SP2 in WinXP) prevent TimeStomp from setting invalid dates, although it can still set valid ones.
'Created' - the difference in the created date/time stored in the SIA compared to that stored in the FNA exceeds the limit specified by the user. The default limit is approximately one year.
'Accessed' - the last-accessed date/time stored in the SIA is earlier than that stored in the FNA. Note that this will apply to a large number of innocuous Vista files.
Each flag, whether taken singly or with another, may be an indication that some form of suspicious date/time modification has taken place. This notwithstanding, the significance of such flags does depend on the host operating system as well as on the presence of software (such as archiving/compression utilities) that modifies date/time information as part of its usual operation.
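The following Python is an added example of the comparison described above; it is not the EnScript this page describes. It parses the resident $STANDARD_INFORMATION and $FILE_NAME attributes of a base MFT record (the standard NTFS on-disk layout), decodes the FILETIME values and raises the three flags. Two things are assumptions rather than details taken from the page: an "invalid" TimeStomp-style value is treated as a FILETIME that is zero or does not decode to a real date, and the sample records at the bottom are constructed in the file, not taken from evidence.

```python
"""Compare SIA and FNA timestamps in an NTFS MFT record and raise the
TimeStomp / Created / Accessed flags. Added example, not the page's EnScript.
Reads only resident attributes in the base record; sample records are constructed."""
import struct
from datetime import datetime, timedelta, timezone

ATTR_SIA = 0x10          # $STANDARD_INFORMATION
ATTR_FNA = 0x30          # $FILE_NAME
ATTR_END = 0xFFFFFFFF    # end-of-attributes marker
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_YEAR = timedelta(days=365)   # default 'Created' limit (page: approximately one year)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None when
    the value is not a real date (zero or beyond year 9999). Assumption: this is
    what an 'invalid' TimeStomp value looks like (EnCase shows such values blank)."""
    if ft == 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_record(record):
    """Return (sia, fna): dicts of raw FILETIME ints keyed by TIME_KEYS, taken from
    the first resident SIA and FNA attribute found in the base record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]   # first attribute offset
    sia = fna = None
    while offset + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or attr_len == 0:
            break
        if record[offset + 8] == 0:                        # resident attribute
            content_len, content_off = struct.unpack_from("<IH", record, offset + 16)
            content = record[offset + content_off:offset + content_off + content_len]
            if attr_type == ATTR_SIA and sia is None:
                sia = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 0)))
            elif attr_type == ATTR_FNA and fna is None:
                # FNA starts with an 8-byte parent reference, then the four times
                fna = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 8)))
        offset += attr_len
    return sia, fna


def compare_times(sia, fna, created_limit=ONE_YEAR):
    """Apply the three tests from the page and return the flags raised."""
    s = {k: filetime_to_datetime(v) for k, v in sia.items()}
    f = {k: filetime_to_datetime(v) for k, v in fna.items()}
    flags = []
    if any(v is None for v in s.values()):
        flags.append("TimeStomp")                          # invalid value in the SIA
    if s["created"] and f["created"] and abs(s["created"] - f["created"]) > created_limit:
        flags.append("Created")                            # SIA/FNA created differ too much
    if s["accessed"] and f["accessed"] and s["accessed"] < f["accessed"]:
        flags.append("Accessed")                           # SIA accessed earlier than FNA
    return flags


def analyse_record(record, created_limit=ONE_YEAR):
    """Flags for one raw record; None when the base record has no resident FNA/SIA."""
    sia, fna = parse_record(record)
    if sia is None or fna is None:
        return None
    return compare_times(sia, fna, created_limit)


# --- constructed sample records (test data, not real evidence) --------------
def _resident_attr(attr_type, content):
    total = 24 + len(content)
    total += (-total) % 8                                  # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, total, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (total - 24 - len(content))


def build_record(sia_times, fna_times, name="report.doc"):
    """Minimal 1024-byte MFT record with one resident SIA and one resident FNA."""
    header = bytearray(56)
    header[:4] = b"FILE"
    struct.pack_into("<HH", header, 0x14, 56, 1)           # first attr offset, in-use flag
    sia = struct.pack("<4Q", *sia_times) + b"\0" * 16      # 48-byte SIA body
    fna = struct.pack("<Q4QQQIIBB", 5, *fna_times, 0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le")
    body = _resident_attr(ATTR_SIA, sia) + _resident_attr(ATTR_FNA, fna)
    return (bytes(header) + body + struct.pack("<I", ATTR_END)).ljust(1024, b"\0")


def _ft(*parts):
    return datetime_to_filetime(datetime(*parts, tzinfo=timezone.utc))


GENUINE = (_ft(2007, 6, 1, 12), _ft(2007, 6, 1, 12, 30), _ft(2007, 6, 1, 12, 30), _ft(2007, 6, 2, 9))
SAMPLE_RECORDS = {
    "clean":     build_record(GENUINE, GENUINE),
    "backdated": build_record((_ft(2004, 6, 1, 12),) + GENUINE[1:], GENUINE),  # SIA created moved back 3 years
    "stomped":   build_record(GENUINE[:3] + (0,), GENUINE),                   # invalid SIA accessed value
    "accessed":  build_record(GENUINE[:3] + (_ft(2007, 5, 1),), GENUINE),     # SIA accessed before FNA accessed
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label:10s} {analyse_record(rec)}")
```

As on the page, the 'Created' limit is adjustable: passing a larger created_limit to analyse_record suppresses the flag for the backdated sample, and the 'Accessed' test will fire on many innocuous Vista files, so the flags are a prompt for closer inspection rather than a verdict.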
The examiner can choose the files that he/she wishes to process and the results can be filtered according to the flags detailed above.
Output is via EnCase bookmarks as well as a tab-separated-value (CSV) file that can be opened in MS Excel or another compatible spreadsheet/database program.
Dates are shown taking into account evidence file TZ settings.