Each disk format or operating system (ISO9660, FAT32, NTFS etc.) has its own way of storing file dates. This technical note describes some of the variations.
A date is a mixture of two variables: a starting point and a count of intervals since that point. In day-to-day terms we count a date as starting from year 0 (or was it year 1?) to the current date of year 2005, and we then divide years into months and days. We typically divide days into hours and minutes and call that the time. As the details below show, computers store the date/time value in a variety of ways, either retaining the concept of year, month and day, or counting seconds or 100ns intervals since a certain date. The first is relatively easy to understand when looking at the raw data; the second requires a good calculator.
The other variation on file dates is what type of event is retained. The typical attributes of a file are:
- Creation time
- Modification time
- Access time
Normally you would expect the dates to be in the above order, so that the earliest date is creation and the latest is the access date, although all three dates could be the same. However, if a file is moved, for instance between two hard disks, the creation date on the new hard disk will be the date of the move, while the modified date could be much older.
FAT12, FAT16, FAT32 dates
DOS dates are stored as bit shifted numbers for year, month, day for date, and hour, minute and seconds (actually every 2 seconds) for time. The base for the year is 1980.
ISO9660 dates are stored as a string of binary numbers starting with years since 1900, with a resolution of 1 second. There is a time zone flag for time zones in steps of 15 minutes East or West of GMT.
UDF dates are stored as a string of binary numbers for each element of the date, i.e. 2 bytes for the year, followed by 1 byte for the month, 1 byte for the day etc. The finest resolution is microseconds. Also included is a flag for the time zone.
NTFS dates are stored on a hard drive as an 8 byte (64 bit) number, representing 100ns intervals since the year 1601.
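The FAT, ISO9660 and NTFS encodings described above, decoded from raw values. This is an added example, not CnW software. The function names and sample values are constructed for illustration, and the ISO9660 decoder assumes the 7-byte form used in directory records.

```python
import struct
from datetime import datetime, timedelta, timezone

def decode_fat(date_word, time_word):
    """FAT/DOS: bit-packed local time, year base 1980, 2-second steps."""
    try:
        return datetime(
            1980 + ((date_word >> 9) & 0x7F),  # bits 15-9: years since 1980
            (date_word >> 5) & 0x0F,           # bits 8-5: month
            date_word & 0x1F,                  # bits 4-0: day
            (time_word >> 11) & 0x1F,          # bits 15-11: hour
            (time_word >> 5) & 0x3F,           # bits 10-5: minute
            (time_word & 0x1F) * 2,            # bits 4-0: seconds / 2
        )
    except ValueError:
        return None  # zeroed or corrupt entry (e.g. month 0)

def decode_iso9660(raw):
    """ISO9660 directory record: 7 bytes, year since 1900, zone in 15-min units."""
    yr, mo, dy, hh, mm, ss, zone = struct.unpack("<6Bb", raw)
    tz = timezone(timedelta(minutes=15 * zone))
    return datetime(1900 + yr, mo, dy, hh, mm, ss, tzinfo=tz)

def decode_ntfs(raw):
    """NTFS: little-endian 64-bit count of 100 ns intervals since 1601 (UTC)."""
    (ticks,) = struct.unpack("<Q", raw)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ticks // 10)

def moved_or_copied(created, modified):
    """Creation later than modification: the pattern left by a move between disks."""
    return created > modified

# Constructed sample values, not taken from any real disk.
FAT_DATE, FAT_TIME = 0x326F, 0x73DD
ISO_RAW = bytes([105, 3, 15, 14, 30, 59, 4])
NTFS_RAW = struct.pack("<Q", 127553706590000000)

if __name__ == "__main__":
    print("FAT    ", decode_fat(FAT_DATE, FAT_TIME))
    print("ISO9660", decode_iso9660(ISO_RAW))
    print("NTFS   ", decode_ntfs(NTFS_RAW))
```

The FAT result carries no time zone because the format stores local time only, so it cannot be compared with the other two until the zone of the originating machine is known.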
Why are dates important?
One of the most useful benefits of restoring dates correctly is that multiple files often exist, and the dates can indicate which is the most current one. For forensic investigation dates can point to files being modified or viewed at certain times. At times it could be viewed as suspicious if accounts were modified long after the financial year end. It can also indicate that a computer was being used at a certain time. However, it must also be noted that the dates recorded on a disk file are only as accurate as the PC clock, and how it was set, and occasionally users modify the computer date to try and overcome protection on time limited software.
CnW recovers files by using specially developed software, rather than by using a native operating system. One significant advantage of this is that dates on the media being read are never changed. A log can be produced with file access dates being exactly as on the original system. It is very difficult to examine data on a computer, such as one running Windows XP, without setting the access date to the current date and time. The CnW recovery procedure overcomes this potential problem, as well as logging the creation and modified dates and times.
CnW Lewes East Sussex UK