10.6 File System Traces

10.6 File System Traces

An individual's actions on a computer leave many traces that digital investigators can use to glean what occurred on the system. For instance, when a file is downloaded from the Internet, the date-time stamps of this file represent when the file was placed on the computer. If this file is subsequently accessed, moved, or modified, the date-time stamps may be altered to reflect these actions. Understanding how date-time stamps of files are updated under different circumstances can enable digital investigators to infer the associated actions. A summary of common actions and the associated date-time stamp changes on FAT and NTFS file systems is provided in Table 10.2.

Because moving a file within a volume does not change file times, the original (deleted) directory entry for the file is identical to the new directory entry, enabling forensic examiners to determine where files were moved from as long as the original directory entry exists. Also evident from Table 10.2, when a file is copied within a volume or moved from a hard drive to external media like a floppy diskette, the created and last accessed date-time stamps of the new file are updated but the last modified date-time stamp remains the same, resulting in a last modified time prior to the creation time. When digital evidence examiners encounter this counterintuitive situation for the first time, they sometimes assume that concealment behavior is at work such as system clock changes.

When a file with these counterintuitive date-time stamps is found, indicating that it was copied from somewhere else, it may be possible to locate the original file by searching all available storage media for files with the same MD5 hash value, the same creation time, and/or the same name. However, this date-time stamp phenomenon also occurs when a file is downloaded from certain types of file servers on the Internet. For instance, when a file is copied from a network shared on a remote Windows system, the "creation" date-time stamp is updated to the local system time but the last written date-time stamp is not. The same thing occurs when a file is downloaded from a remote UNIX machine using the file transfer feature of Secure Shell (SSH). Notably, this does not apply to all servers (e.g. FTP). So, if the file was downloaded from a file server on the Internet, it may not be feasible to find the original file but it may still explain the counterintuitive date-time stamps. Finding the original file is useful for addressing the argument that someone on the Internet uploaded the file to the defendant's computer without his knowledge via NetBIOS.^[25] Although this is a weak argument unless there is evidence to support unauthorized access, it is useful to have evidence that the defendant had knowledge of the files on the system. For more detailed discussion of examining moved and copied files, see the Handbook of Computer Crime Investigation, Chapter 7, pp. 140–142 (Sheldon 2002).

Notably, the last accessed and modified date-time stamps of the parent directory listing (".") are updated when files are moved out of and copied into the directory because the entries in the associated directory files are being added to and deleted. Similarly, when a file is deleted from a directory, the last modified and accessed date-time stamps of the parent directory listing are updated.

Microsoft Office documents retain quite a bit of information called metadata, including the location where a file was stored on disk, the printer, and the original creation date and time. These metadata can be useful for locating file fragments that were generated while documents were being edited. Additionally, the date-time stamps embedded in the file can be useful for temporal analysis. Printing also creates useful artifacts on Windows file systems. Rather than sending data directly to the printer, computer systems can store print jobs on disk temporarily and send them to the printer as it becomes available. In this way, the application being used to print is not tied up while the job is printing. Windows 95/98 stores information relating to printed files in C:\Windows\Spool\Printers and Windows NT/2000 stores them in C:\WinNT\System32\Spool\Printers. These files can contain the name (or URL) of the printed file, application used to print, printer name, file owner, and even the raw data of the print job in. Also, since these files are created when the associated item is printed, the date-time stamps on these files indicate when it was printed. When printing in EMF mode, the associated spool file (0020.SPL) contains names of temporary files that were created during the printing process as shown here:

    Microsoft Word-    Document2.LPT1:.STP........... FTM.%.....C:\WINDOWS\TEMP\~EMF115D.TMP.ENP.    .........STP\    ..............FTM.%.......C:\WINDOWS\TEMP\~EMF1639.TMP.ENP......STP.........FTM.%.\    ..C:\WINDOWS\TEMP\~EMF1646.TMP.ENP.....STP............FTM.%...    C:\WINDOWS\TEMP\~\    EMF164D.TMP.ENP......STP........FTM.%...C:\WINDOWS\TEMP\~EMF1742.TMP.ENP...\    .STP...........FTM.%...C:\WINDOWS\TEMP\~EMF1749.TMP.ENP....STP..............FT\    M.%... C:\WINDOWS\TEMP\~EMF1410.TMP.ENP..STP.....FTM.% ... C:\WINDOWS\TE\    MP\~EMF1407.TMP.ENP................END 

These temporary enhanced metafiles essentially contain an image of segments of the printed document. Some of these EMF files may have been overwritten but those that still exist on disk can be opened with a suitable viewer to see what was printed. These copies can be useful if the original file is modified, encrypted, or non-existent, as in above example "Document2" was never saved.

A detailed case example is provided here to demonstrate how some of the many traces created by activities on Windows systems can be useful in an investigation. The floppy disk referenced in the File System section is used in the following case example:

CASE EXAMPLE

A company called "BioTechX" believes that an ex-employee, Henry Hunter, stole proprietary information and is using it to acquire their best customers by selling the same product for less money. In addition to stealing thousands of tablets of their primary product "BioFixIt," the company believes that Hunter stole test results relating to BioFixIt and is sending their best customers letters offering the same product at a reduced price. Hunter claims that he did not steal any information and that he is selling a product named "Getafix" created by his new company, BioFix, to individuals he met at conferences and trade shows.

An examination of the Windows 95 computer Hunter used when he worked at BioTechX has the following traces from the day he left the organization (May 12, 2003), indicating that he accessed three files containing BioFixIt test data.

    Name                                      File Created    C:\WINDOWS\Recent\s072602.txt.lnk         05/12/03 11:36:38AM    C:\WINDOWS\Recent\s062602.txt.lnk         05/12/03 11:27:32AM    C:\WINDOWS\Recent\s052302.txt.lnk         05/12/03 11:25:08AM 

File system traces from May 8 indicate that Hunter accessed the company customer list and created and printed letters to customers. Although this activity was part of his job, it demonstrated that Hunter had access to customer names and addresses. During the examination, it was noted that this computer had Ethernet address 00-60-97-ED-DC-2E and its system clock was 11 minutes fast.

With this evidence of probable cause, investigators obtained a search warrant to search Hunter's home computer and associated media. Of greatest interest was the floppy diskette containing the following (deleted entries marked with a "*"):

    Name                       File Created              Last Written    newaddress.txt             05/13/03 12:42:16PM       05/13/03 12:42:18PM    todo.txt                   05/13/03 12:37:54PM       05/13/03 12:40:48PM    skiways-getafix.doc        05/13/03 12:32:00PM       05/13/03 11:58:10AM    contacts.xls               05/08/03 02:43:14PM       02/18/01 12:49:16PM    *greenfield.do             05/08/03 02:43:00PM       05/08/03 02:34:16PM    *april                     05/08/03 02:41:44PM       05/08/03 02:41:44PM 

Notably, the MD5 value and date-time stamps of contacts.xls indicate that it was copied from the BioTechX computer that Hunter used. Hunter claimed that he had not realized "contacts.xls" was on the floppy and denied using the information it contained after he left BioTechX. However, a copy of this file was found on his computer in a directory named "sales" with date-time stamps showing that it had been created on May 13, 2003.

A closer examination of the floppy disk uncovered remnants of the allegedly stolen BioFixIt test data. However, it was not immediately apparent when the test data were placed on the floppy disk and Hunter claimed that they were there since 2002 when they were originally given to him. Looking at disk clusters adjacent to the test data showed the following:

Clusters 42: Partially overwritten Word document fragment from BioTechX computer used by Hunter, created on April 14, 2003.

Cluster 184: Word document "skyways-getafix.doc" from Hunter's home computer, created on May 14, 2003.

The fact that the test data had partially overwritten a Word document created on April 14, 2003, and was partially overwritten by a Word document created on May 14, 2003, strongly suggests that the test data were placed on the floppy diskette between these dates, not in 2002 as Hunter claims.

Be aware that date-time stamps can be affected by external influences. For instance, files extracted from a compressed Zip archive can retain the date-time stamps from the system where they originated. Also, file date-time stamps can be changed to any value using a simple program such as touch.pl.^[26] Therefore, it is important to look for other data on the system or network to corroborate these date-time stamps.

^[25]NetBIOS/SMB, also called Common Internet File System (CIFS), is used by Windows to share resources over networks such as printers and portions of a disk.

^[26]http://patriot.net/~carvdawg/perl.html