Channel: Forensic Focus Forums - Recent Topics

General Discussion: Windows Timestamps

Quote:: Did you read the book File System Forensic Analysis by Brian Carrier? I think this book contains answers to your questions.

Igor_Michailov, thank you for your reply. As soon as I saw your post I was like, duh. It has been a couple of semesters since I read it; I can't believe I forgot about that book. Thanks again for your reply.

Terry, thank you so much for your feedback. It is one-hundred percent my fault, due to the wording of my post and not understanding fully what I wanted to ask before I posted it.

Quote:: The hell you don't. You have a computer, yes? Do you have a thumbdrive? Format it as FAT. Do the various actions you are asking about, and see what happens. -Terry

I have done this exercise before, in the beginning of my college career, but at the time I really didn't understand the importance of that activity. Now that I am in a class doing nothing but report writing and cases, re-doing this exercise will mean a lot more to me, since there is a more practical element instead of talking about it abstractly in a classroom. I really don't know why I didn't think of this before I posted, but thank you for mentioning it.

Quote:: I know I could just test them all but I don't have the resources to do so. -Me

I would like to clarify this statement. What I was thinking about was the different O.S and their effect on timestamps. If I am running the same file system on different operating systems, will that have an effect on the timestamp behavior? Does the operating system have an effect on how the file system creates timestamps?

Quote:: What do you do? You can't come running to the forensic community every time. Then what is the point of you? No, you have to research and test. YOU are the one that discovers new things. YOU are the one that expands our field of knowledge. Think about it. Sure, you can just sit back, and let someone tell you the answer to these questions. -Terry

I'm sorry if my post sounded like I was asking for an answer. I really didn't want it to sound that way. I was looking for resources such as whitepapers and books so I can better understand what is out there, and more importantly I was looking for ideas and perspectives. Like this:

Quote:: But, what if you do the test, and what if you see something that no one has seen before? You are missing the chance to not only learn the most valuable skill in our field (research), but you could be robbing the digital forensics community from a potentially valuable new find. Sure, to you it might be something interesting, but down the road it could mean everything to a case. -Terry

I can't thank you enough for this. I love it when people give their perspective, especially when their perspective gets me thinking. I have learned a lot from this paragraph, and a new way of looking at forensics.

Quote:: Some, perhaps many of the questions you ask have been answered in a paper by Chow et al.: The Rules of Time on NTFS File System, presented at SADFE 2007, 2nd Intl. Workshop on Systematic Approaches to Digital Forensic Engineering, 2007, and published in the proceedings from that workshop. You can find the paper on line if you google for the title -athulin

Thank you, Athulin, for suggesting them, but sadly I have not gotten the chance to look at them yet, and after I post this I am going to print them out and give them a read. I'm sure they are filled with tons of information and I can't wait to read them. I also thank you for your other comments, and I will try to learn and take as much as I can from them.

Quote:: Also, and NOT what you asked, since you made an example with a word document, do check this: www.forensicfocus.com/...c/t=10627/ -jaclaz

It is not what I asked, but I love learning about as much as I can. I had the chance to look at the first link and I thank you. This information is very useful; I can't wait to check out the second one.

Quote:: Testing is always the required element if the date and time stamp is important to an examination. This, however, is a great reference to keep available: digital-forensics.sans...properties -Al

This is very useful, thank you.

I want to thank everyone for taking their time out to respond to my question. It is greatly appreciated and I will definitely pay it forward.
