File and directory timestamps are one of the resources forensic analysts use for determining when something happened, or in what particular order a sequence of events took place. As these timestamps are usually stored in some internal format, additional software is needed to interpret them and translate them into a format an analyst can easily understand. If there are any errors in this step, the result will clearly be less reliable than expected.

My primary purpose in this article is to present a simple design of test data suitable for determining whether there are errors or problems in how a particular tool performs these operations. I will also present some test results from applying the tests to different tools. For the moment, I am concerned only with NTFS file timestamps. NTFS is probably the most common source of timestamps that an analyst will have to deal with, so it is important to ensure that timestamp translation is correct. Similar tests need to be created and performed for other timestamp formats. Also, I am ignoring time zone adjustments and daylight saving time: the translation to be examined will cover Universal Coordinated Time (UTC) only.

NTFS file timestamps, according to the documentation of the FILETIME data structure in the Windows Software Development Kit, are a "64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC)". Conversion from this internal format to a format more suitable for human interpretation is performed by the Windows API function FileTimeToSystemTime(), which extracts the year, month, day, hour, minutes, seconds and milliseconds from the timestamp data. On other platforms (e.g. Unix), or in software that is intentionally platform-independent (e.g. Perl or Java), other methods of translation are required.

The documentation of FileTimeToSystemTime(), as well as practical tests, indicate that the FILETIME value to be translated must be 0x7FFFFFFFFFFFFFFF or less. This corresponds to the time 30828-09-14 02:48:05.4775807 (UTC).

File timestamps are usually determined by the system clock at the time some file activity was performed. It is, though, also possible to set file timestamps to arbitrary values. On Vista and later, SetFileInformationByHandle() can be used; on earlier versions of Windows, the native function NtSetInformationFile() may be used. These calls have a similar limitation in that only timestamps less than or equal to 0x7fffffffffffffff will be set. Additionally, the two timestamp values 0x0 and 0xffffffffffffffff are reserved to modify the operation of the call in different ways (0 leaves the existing timestamp unchanged, and -1 stops the file system from implicitly updating that timestamp on later I/O through the handle). A tool that claims to show the stored value therefore has to be tested on these sentinel values as well as on ordinary timestamps.

The reverse function, SystemTimeToFileTime(), performs the opposite conversion: translating a time expressed as year, month, day, hours, minutes, seconds, etc. into the 64-bit file timestamp. In this case, however, the span of time is restricted to years less than or equal to 30827.

Requirements

Before any serious testing is done, some kind of baseline requirements need to be established. Tests will be performed mainly by humans, not by computers. The number of test points in each case must not be so large as to overwhelm the tester; a maximum of around 100 test points seems reasonable. Tests designed to be scored by computer would allow for more comprehensive tests, but would also need to be specially adapted to each tool being tested.
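To make the FILETIME limits and the test-data requirements concrete, here is an added example of my own; it is not code from the article or from any of the tools mentioned. The facts it relies on are the ones stated above: 100-nanosecond ticks counted from 1601-01-01 00:00:00 UTC, the 0x7FFFFFFFFFFFFFFF ceiling of FileTimeToSystemTime(), and the 1601..30827 year range of SystemTimeToFileTime(). The calendar arithmetic is Howard Hinnant's days_from_civil/civil_from_days, chosen because Python's datetime stops at year 9999 and therefore cannot reach the top of the FILETIME range. The boundary set is kept far below the 100-point limit so a human tester can work through it by hand, and check_translator() shows the computer-scored variant. naive_translate() is a constructed stand-in for a quick datetime-based translator, not a real product; it is included only to show what the test set catches.

```python
"""FILETIME <-> UTC civil time over the full 64-bit range, plus a boundary test set.

Added example, not code from the article.  Facts used: a FILETIME counts 100-ns ticks
from 1601-01-01 00:00:00 UTC; FileTimeToSystemTime() translates values up to
0x7FFFFFFFFFFFFFFF; SystemTimeToFileTime() accepts years 1601..30827.  Calendar maths
is Hinnant's days_from_civil/civil_from_days, valid for any year.  UTC only, no DST.
"""
from typing import Callable, List, Tuple

TICKS_PER_SECOND = 10_000_000                       # one tick = 100 ns
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
FILETIME_MAX = 0x7FFF_FFFF_FFFF_FFFF                # largest value FileTimeToSystemTime() accepts
SYSTEMTIME_YEAR_MIN, SYSTEMTIME_YEAR_MAX = 1601, 30827
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000       # 1970-01-01 00:00:00 UTC (11644473600 s * 1e7)

def days_from_civil(y: int, m: int, d: int) -> int:
    """Proleptic Gregorian date -> days since 1970-01-01 (Hinnant)."""
    y -= m <= 2                                     # count the year from 1 March
    era, yoe = divmod(y, 400)
    doy = (153 * (m + (-3 if m > 2 else 9)) + 2) // 5 + d - 1
    doe = yoe * 365 + yoe // 4 - yoe // 100 + doy
    return era * 146_097 + doe - 719_468

def civil_from_days(z: int) -> Tuple[int, int, int]:
    """Days since 1970-01-01 -> proleptic Gregorian (year, month, day) (Hinnant)."""
    era, doe = divmod(z + 719_468, 146_097)
    yoe = (doe - doe // 1460 + doe // 36_524 - doe // 146_096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153
    d = doy - (153 * mp + 2) // 5 + 1
    m = mp + 3 if mp < 10 else mp - 9
    return era * 400 + yoe + (m <= 2), m, d

FILETIME_EPOCH_DAYS = days_from_civil(1601, 1, 1)   # -134774 days relative to 1970-01-01

def filetime_to_utc(ft: int) -> str:
    """FILETIME -> 'YYYY-MM-DD HH:MM:SS.fffffff' (UTC); keeps all seven 100-ns digits."""
    if not 0 <= ft <= FILETIME_MAX:
        raise ValueError(f"{ft:#018x} is outside 0..0x7FFFFFFFFFFFFFFF and cannot be translated")
    days, ticks = divmod(ft, TICKS_PER_DAY)
    y, m, d = civil_from_days(days + FILETIME_EPOCH_DAYS)
    secs, frac = divmod(ticks, TICKS_PER_SECOND)
    hh, rem = divmod(secs, 3600)
    mm, ss = divmod(rem, 60)
    return f"{y:04d}-{m:02d}-{d:02d} {hh:02d}:{mm:02d}:{ss:02d}.{frac:07d}"

def utc_to_filetime(y: int, m: int, d: int, hh=0, mm=0, ss=0, ticks=0) -> int:
    """Reverse translation with SystemTimeToFileTime()'s year limit and a real-date check."""
    if not SYSTEMTIME_YEAR_MIN <= y <= SYSTEMTIME_YEAR_MAX:
        raise ValueError(f"year {y} outside {SYSTEMTIME_YEAR_MIN}..{SYSTEMTIME_YEAR_MAX}")
    days = days_from_civil(y, m, d)
    if civil_from_days(days) != (y, m, d):          # rejects non-dates such as 1700-02-29
        raise ValueError(f"{y:04d}-{m:02d}-{d:02d} is not a calendar date")
    secs = (days - FILETIME_EPOCH_DAYS) * 86_400 + hh * 3600 + mm * 60 + ss
    return secs * TICKS_PER_SECOND + ticks

def boundary_test_points() -> List[Tuple[int, str, str]]:
    """(FILETIME, expected UTC text, reason).  Deliberately small enough for a human tester."""
    pts = [(0x0, "1601-01-01 00:00:00.0000000", "epoch; also the 'leave unchanged' value when setting"),
           (0x1, "1601-01-01 00:00:00.0000001", "one tick: are the sub-millisecond digits shown?"),
           (UNIX_EPOCH_FILETIME, "1970-01-01 00:00:00.0000000", "Unix epoch, a common hard-coded constant"),
           (FILETIME_MAX, "30828-09-14 02:48:05.4775807", "largest translatable value")]
    civil = [((1601, 12, 31, 23, 59, 59, 9_999_999), "last tick of the epoch year"),
             ((1604, 2, 29), "first leap day after the epoch"),
             ((1700, 2, 28, 23, 59, 59, 9_999_999), "century year: the next tick is 03-01, not 02-29"),
             ((2000, 2, 29), "400-year rule: 2000 is a leap year"),
             ((2038, 1, 19, 3, 14, 8), "one second past the signed 32-bit time_t limit"),
             ((9999, 12, 31, 23, 59, 59, 9_999_999), "last instant datetime-based tools can represent"),
             ((10000, 1, 1), "five-digit year")]
    for fields, why in civil:                       # expected text is built from the civil fields,
        y, m, d, hh, mm, ss, tk = (*fields, *([0] * (7 - len(fields))))   # independently of filetime_to_utc
        expected = f"{y:04d}-{m:02d}-{d:02d} {hh:02d}:{mm:02d}:{ss:02d}.{tk:07d}"
        pts.append((utc_to_filetime(y, m, d, hh, mm, ss, tk), expected, why))
    return pts

def check_translator(translate: Callable[[int], str]) -> List[Tuple[int, str, str]]:
    """Score a tool's FILETIME->text routine mechanically; returns (ft, expected, got) mismatches."""
    bad = []
    for ft, expected, _ in boundary_test_points():
        try:
            got = translate(ft)
        except Exception as exc:                    # a crash on valid input is a finding too
            got = f"<error: {exc}>"
        if got != expected:
            bad.append((ft, expected, got))
    return bad

def naive_translate(ft: int) -> str:
    """Constructed stand-in for a typical quick translator (datetime + microseconds); not a real tool."""
    import datetime as dt
    t = dt.datetime(1601, 1, 1) + dt.timedelta(microseconds=ft // 10)
    return t.strftime("%Y-%m-%d %H:%M:%S.%f") + "0"  # pads to 7 digits but has already lost the 100-ns digit

if __name__ == "__main__":
    for ft, expected, why in boundary_test_points():
        print(f"{ft:#018x}  {expected}  {why}")
    for ft, expected, got in check_translator(naive_translate):
        print(f"naive translator fails at {ft:#018x}: expected {expected}, got {got}")
```

Run as a script it prints the test table (hex input, expected translation, reason) for pasting into a test protocol, followed by the points at which the stand-in translator fails: the sub-millisecond digit is lost on every point whose seventh fractional digit is non-zero, and anything past year 9999 raises an OverflowError. Those two failure classes, precision and range, are exactly what a small hand-scored boundary set is meant to surface.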