As a special feature of our blog—special guest postings by experts, clients, and other professionals—please enjoy this blog entry from Jonathan Karchmer, a senior managing consultant at iDiscovery Solutions with experience managing computer forensic examination projects and advising counsel regarding intellectual property and trade secret theft.
It was a matter of hours. A simple thing really. Was an email sent at 10:00 a.m. or at 2:00 p.m.? An entire case hung in the balance: if the email was sent at 10:00 a.m., the custodian had prior knowledge; if at 2:00 p.m., then not. Unfortunately, the email had been extracted and produced on multiple occasions during the litigation, each time showing a different time. iDS was called in to do two things: first, determine the correct time the email was sent, and second, explain to the court how the time could have been incorrectly reported so often without nefarious intent.
This type of analysis is common, and iDS is frequently called upon to examine computer media and authenticate electronic documents. Many projects deal with determining precisely when a document was first created or last altered. Apart from just looking at the documents in question—which contain an abundance of data themselves—we often find ourselves examining computer systems to determine whether the system date or time has been changed.
Changing the date and/or time on your computer is easy, and when done on a Windows system the change is instant and transparent to the user. What happens behind the scenes is less obvious, however. There are easily half a dozen or more artifacts we examine that will tell us when the date/time on a Windows system may have been manipulated—I’ll discuss a few of them here:
1. Event Logs
The Windows operating system records and logs significant system events and other notifications, storing this information in Event Logs or .evtx files. A feature of these files is that within each entry, the current system date/time is recorded along with a record number that increments by one for each new log entry. Regardless of what the system date/time is set to, if the latest event’s record number is currently “x,” the next record number will always be x+1. Because of this, system date/time changes are clearly obvious to examiners—we need only look for instances where the recorded date/time does not agree with the succession of record numbers. Windows also considers a date/time change to be a significant event, meaning if the date/time is changed, it is recorded as its own event. Unfortunately, event logs do not hang around forever, so we also look elsewhere to be thorough.
2. USNJrnl Entries
Windows system hard drives have a transactional journal which records events surrounding file creation, renaming, changing, and deletion (to name a few). USNJrnl entries also include an Update Sequence Number (USN), where newer transactions have greater USN values. The date/time is also recorded in USNJrnl entries. This combination gives examiners another potential investigative tool—when USN values fall out of sync with the recorded date/time, clock manipulation likely occurred. While USNJrnl entries are also transitory, they can be found in many places on the hard drive, including volume shadows and in empty disk space. This makes them valuable in terms of their ability to tell a story about what has happened on a hard drive and to the host operating system, including date and time changes.
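The event log check in section 1 and the USNJrnl check in section 2 are the same test applied to two artifacts: order the records by their sequence number and look for places where the recorded clock runs backwards. The following Python is an added example written for this post, not a tool from iDS or from the original article; the record numbers, USNs and timestamps are constructed for illustration (parsing real .evtx or $UsnJrnl data is left to the usual forensic parsers). The `forward_jump` threshold is an assumption: a long forward gap is only a lead, because a machine that was asleep or powered off produces the same gap without any clock change.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One log record: a monotonically increasing sequence number plus the
    date/time the system clock reported when the record was written."""
    seq: int          # event record number, or the USN of a journal entry
    ts: datetime      # timestamp stored in the record
    source: str       # artifact the record came from (label only)


@dataclass(frozen=True)
class Anomaly:
    source: str
    prev_seq: int
    seq: int
    prev_ts: datetime
    ts: datetime
    kind: str         # "backward" (clock moved back) or "forward_jump"


def detect_clock_anomalies(entries: Iterable[Entry],
                           forward_jump: timedelta = timedelta(hours=12)) -> List[Anomaly]:
    """Order records by sequence number and flag places where the recorded time
    runs backwards (a strong indicator of a clock change) or leaps forward by
    more than `forward_jump` (weaker: corroborate it with other artifacts)."""
    ordered = sorted(entries, key=lambda e: e.seq)
    anomalies: List[Anomaly] = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur.ts - prev.ts
        if delta < timedelta(0):
            kind = "backward"
        elif delta > forward_jump:
            kind = "forward_jump"
        else:
            continue
        anomalies.append(Anomaly(cur.source, prev.seq, cur.seq, prev.ts, cur.ts, kind))
    return anomalies


def record_number_gaps(entries: Iterable[Entry]) -> List[Tuple[int, int]]:
    """Event log record numbers should advance by exactly one. A gap does not
    by itself show clock tampering, but it means records are missing (log
    cleared, rolled over, or only partially recovered), so the timeline has holes."""
    ordered = sorted(entries, key=lambda e: e.seq)
    return [(p.seq, c.seq) for p, c in zip(ordered, ordered[1:]) if c.seq != p.seq + 1]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: event log records whose numbers advance by one while the
# clock is set back about four hours partway through, then restored.
EVENT_LOG_SAMPLE = [
    Entry(5001, _ts("2019-03-04T09:57:10"), "System.evtx"),
    Entry(5002, _ts("2019-03-04T09:58:42"), "System.evtx"),
    Entry(5003, _ts("2019-03-04T14:01:05"), "System.evtx"),  # +4 h, under the threshold
    Entry(5004, _ts("2019-03-04T14:02:30"), "System.evtx"),
    Entry(5005, _ts("2019-03-04T09:59:00"), "System.evtx"),  # clock moved back
    Entry(5006, _ts("2019-03-04T10:00:15"), "System.evtx"),
    Entry(5007, _ts("2019-03-04T14:05:00"), "System.evtx"),  # clock restored
    Entry(5009, _ts("2019-03-04T14:06:00"), "System.evtx"),  # record 5008 missing
]

# Constructed sample: USN values are byte offsets into the journal, so they grow
# by varying amounts; only their order matters for the check.
USN_SAMPLE = [
    Entry(0x2000, _ts("2019-03-05T08:15:00"), "$UsnJrnl:$J"),
    Entry(0x2060, _ts("2019-03-05T08:15:02"), "$UsnJrnl:$J"),
    Entry(0x20E0, _ts("2019-03-03T08:16:00"), "$UsnJrnl:$J"),  # two days back
    Entry(0x2140, _ts("2019-03-03T08:16:30"), "$UsnJrnl:$J"),
    Entry(0x21A0, _ts("2019-03-05T08:17:00"), "$UsnJrnl:$J"),  # two days forward again
]


if __name__ == "__main__":
    for sample in (EVENT_LOG_SAMPLE, USN_SAMPLE):
        for a in detect_clock_anomalies(sample):
            print(f"{a.source}: seq {a.prev_seq} -> {a.seq}: {a.prev_ts} -> {a.ts} [{a.kind}]")
    print("record number gaps:", record_number_gaps(EVENT_LOG_SAMPLE))
```

Running it reports the backward step at event record 5005, the backward step and later forward jump in the journal, and the missing record 5008. The backward steps are what an examiner would take to court; the forward jump and the gap are prompts to look for the corresponding time-change event or for the missing records in volume shadows and unallocated space.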
3. Time Stomping
Software tools exist that let users change the dates associated with documents. Timestomp and others like it can change the dates/times associated with files that users see in Windows Explorer. This can be an effective means of fooling a casual user, but the Windows system stores more data for each file and folder than what’s displayed by Explorer. Dates that are visible in Explorer come from a file system element called the Standard Information Attribute (SIA). Behind the scenes, another set of attributes called the Filename Attributes (FNA) also records dates/times. While the SIA can be manipulated, the FNA cannot. Comparisons can be made between the two to highlight to the examiner any instances where dates/times were likely changed on the files themselves.
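The SIA/FNA comparison above can be expressed as a small audit over the timestamps pulled from each MFT entry. This Python is an added example, not code from the post or from iDS; the file names and timestamps are constructed, and NTFS's 100 ns FILETIME values are approximated with microsecond datetimes. The primary test is the one the post describes (an SIA creation time earlier than the FNA creation time); the sub-second check is a secondary heuristic added here as an assumption about how such tools behave, and the comment on renames is the caveat an examiner would attach to a clean result.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class MftRecord:
    """Timestamps from one MFT entry (constructed values, microsecond precision)."""
    name: str
    sia_created: datetime    # $STANDARD_INFORMATION creation time (what Explorer shows)
    sia_modified: datetime   # $STANDARD_INFORMATION last-modified time
    fna_created: datetime    # $FILE_NAME creation time
    fna_modified: datetime   # $FILE_NAME last-modified time


def compare_sia_fna(rec: MftRecord) -> List[str]:
    """Return the names of the indicators that fire for one record."""
    findings: List[str] = []

    # A file cannot have been created before the name record describing it came
    # into existence, so an SIA creation time earlier than the FNA creation time
    # means the SIA value was written by something other than normal file activity.
    if rec.sia_created < rec.fna_created:
        findings.append("sia_created_precedes_fna")

    # Secondary heuristic (assumption): a tool given a whole-second date leaves the
    # sub-second part at zero, while the kernel writes the full clock resolution.
    # Zeroed SIA fractions beside a non-zero FNA fraction therefore stand out.
    if (rec.sia_created.microsecond == 0 and rec.sia_modified.microsecond == 0
            and rec.fna_created.microsecond != 0):
        findings.append("sia_subsecond_zero")

    # Caveat: a rename or move refreshes the FNA timestamps from the SIA values
    # current at that moment, so an empty result is not proof the SIA times are
    # original; it only means this comparison found nothing.
    return findings


def audit(records) -> Dict[str, List[str]]:
    """Map each file name that has at least one finding to its list of findings."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = compare_sia_fna(rec)
        if findings:
            result[rec.name] = findings
    return result


# Constructed sample: one file with ordinary timestamps and one whose visible
# (SIA) dates were pushed back three years before the name record existed.
SAMPLE = [
    MftRecord("report.docx",
              sia_created=datetime(2017, 6, 12, 8, 31, 2, 487213),
              sia_modified=datetime(2017, 6, 14, 17, 5, 40, 912004),
              fna_created=datetime(2017, 6, 12, 8, 31, 2, 487213),
              fna_modified=datetime(2017, 6, 12, 8, 31, 2, 487213)),
    MftRecord("contract.pdf",
              sia_created=datetime(2015, 1, 10, 9, 0, 0),
              sia_modified=datetime(2015, 1, 10, 9, 0, 0),
              fna_created=datetime(2018, 9, 22, 16, 44, 19, 103377),
              fna_modified=datetime(2018, 9, 22, 16, 44, 19, 103377)),
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

On the sample, `report.docx` produces no findings while `contract.pdf` trips both indicators: its Explorer-visible creation date is three years older than the FNA creation date, and both SIA values sit on exact seconds while the FNA value carries a fraction. In practice the two fields come from an MFT parser run against the image, and each flagged file is then checked against the event log and USNJrnl timeline from the earlier sections.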
Tools like Timestomp leave their own signature (e.g. anomalies in metadata)—but that type of analysis will be discussed in another blog post. As for the email we started with? It was sent at 2:00 p.m., so no prior knowledge. Once that was cleared up, the case settled within 24 hours. In many instances, dates and times are critical to litigation, so if there is any doubt, or if the dates and times shown don’t appear to make sense, it might help to have an expert take a look.