As a Digital Forensic Investigator, you might understand how important it is to preserve the timestamps of any evidence gathered at the scene of a crime. You will be on your toes to make sure that the timestamps of the original evidence are never altered at the time of acquisition. This is important because you have to maintain the chain of custody of the evidence.
Table of Contents
· Introduction to Timestamp
· Preserving Timestamp using command-prompt
· Preserving Timestamp using ForensiCopy
· Preserving Timestamp using OSForensics
· Preserving Timestamp using Copy Files with Dates
· Preserving Timestamp using SafeCopy free version
· Preserving Timestamp using TeraCopy
· Preserving Timestamp in Linux using Terminal
Some of the popular file systems like FAT, NTFS, and EXT store file timestamps in the following manner:
Let us take a scenario where you have been investigating a case and suddenly have the opportunity to gather evidence files or folders from a system that you had been wanting to seize for a very long time, but you do not have your paid and expensive tools with you. If you use the traditional copy-and-paste method, you will change the timestamps of the documents.
To avoid this problem in a forensic investigation, we are going to learn a few simple forensic techniques and open-source tools that let you copy files or folders from one location to another without changing their timestamps, hence preserving the timestamp.
Preserving Timestamp using command-prompt
This is the simplest manual technique and does not require any fancy, expensive, or automated software: files are transferred from one location to another on a Windows system with a single command in the command prompt. The Robocopy command stands for 'Robust File Copy'; it was introduced in Windows NT and has been popular ever since for copying files from one location to another robustly. You can type:
Robocopy D:\ E:\
After the copying is complete, you can manually check that there is no difference in the date and time stamps of the copied files.
Preserving Timestamp using ForensiCopy
ForensiCopy is an automated evidence-copying tool that is quite different from imaging. It can be downloaded from here. This tool copies files from one location to another without changing their timestamps. All you have to do is add the path of the file and the destination to copy it to, then click on Start. On completion, it generates a log file.
Once the copy is over, you can compare the properties of the source and destination files and see that the times have not changed.
Preserving Timestamp using OSForensics
OSForensics has always been a legendary tool in forensic investigation and provides the option to make a 'Forensic Copy'. You can download it from here.
In this software it is called Forensic Imaging, done by creating a Logical Image. In a logical image, only a portion of a drive is copied bit by bit, and the timestamps of the files and folders are kept intact. Add the source and destination path of the folder and click on Start.
Here you can see that the timestamps at the source and destination paths have not changed and are intact.
Preserving Timestamp using Copy Files with Dates
This again is a crucial piece of software when it comes to preserving the dates and timestamps of files on a Windows file system. You can download it from here. All you have to do is enter the source file and the destination file and click on Start.
A log file is generated, which can be opened in the command prompt using
type name_of_log.txt
Preserving Timestamp using SafeCopy free version
SafeCopy is a tool that can be used for forensics as well as anti-forensics. You can download it from here. Add the source and destination paths, choose to keep the same date and time of the file so that it is preserved, and then click on Copy.
You will see below that the timestamps of the files copied to the new destination are intact.
Preserving Timestamp using TeraCopy
TeraCopy is a fairly simple tool that takes very little time to copy files to the destination without changing the original documents' date and time. You can download it from here.
Preserving Timestamp in Linux using Terminal
Here you can switch to your Linux machine and open your terminal as root. Go to the directory containing the source file to be copied and type
ls -al
To copy the file without changing its timestamps, use the command:
cp -p 18.png /home/jeenali/Desktop/Ignite
You can see that it has been copied to the new destination without the timestamp changing. To see the file information at the new path, type:
ls -al
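Both the Robocopy command in the command-prompt section and cp -p here rely on the same property: the copy is written with the original's modification and access times rather than the time of the copy. The Python script below is an added example, not part of the original article and not code from Robocopy, cp or any of the tools described; it reproduces that behaviour with shutil.copy2 (the cp -p equivalent), contrasts it with the plain copy that the "traditional copy and paste" produces, and automates the source-versus-destination comparison that each section of the article performs by eye, adding a content hash so that both timestamps and integrity are checked. The helper names (file_metadata, compare_copy, verify_tree, demo), the sample files and the 2020 timestamp are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Hypothetical helper names chosen for this example; they are not part of the
# article or of Robocopy, cp, ForensiCopy, OSForensics or the other tools it covers.


def file_metadata(path):
    """Collect the fields an investigator compares between an original and its copy."""
    st = os.stat(path)  # stat first: hashing below reads the file and may bump its atime
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {
        "size": st.st_size,
        "sha256": digest,
        "mtime_ns": st.st_mtime_ns,  # last modification; preserved by cp -p, Robocopy, copy2
        "atime_ns": st.st_atime_ns,  # last access; preserved too, but see compare_copy()
        "ctime_ns": st.st_ctime_ns,  # inode change time; no copy tool can carry this over
    }


def compare_copy(src, dst, fields=("size", "sha256", "mtime_ns")):
    """Return the fields that differ between original and copy (empty list = faithful copy).

    atime and ctime are deliberately left out of the default field set: the copy's ctime
    is always the moment the copy was written, and merely reading the original (as hashing
    does) can update its atime unless the volume is mounted read-only or noatime. Record
    both from the original separately instead of expecting the copy to match them.
    """
    a, b = file_metadata(src), file_metadata(dst)
    return [f for f in fields if a[f] != b[f]]


def verify_tree(src_root, dst_root):
    """Walk the original tree and report every file whose copy is missing or differs."""
    problems = {}
    for dirpath, _, files in os.walk(src_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.exists(dst):
                problems[rel] = ["missing"]
            else:
                diff = compare_copy(src, dst)
                if diff:
                    problems[rel] = diff
    return problems


def demo():
    """Constructed scenario: a small evidence tree copied with and without timestamp preservation."""
    work = tempfile.mkdtemp()
    src_root = os.path.join(work, "evidence")
    os.makedirs(os.path.join(src_root, "sub"))
    old_ns = 1_600_000_000 * 10**9  # 2020-09-13 UTC, clearly not "now"
    samples = (
        ("notes.txt", b"constructed sample text"),
        (os.path.join("sub", "18.png"), b"\x89PNG constructed sample, not a real image"),
    )
    for rel, data in samples:
        path = os.path.join(src_root, rel)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, ns=(old_ns, old_ns))  # give the originals an old atime and mtime

    # shutil.copy2 = content + mtime/atime (+ mode bits): the cp -p / Robocopy behaviour
    shutil.copytree(src_root, os.path.join(work, "preserved"), copy_function=shutil.copy2)
    # shutil.copy = content + mode bits only: the "traditional copy and paste" failure mode
    shutil.copytree(src_root, os.path.join(work, "naive"), copy_function=shutil.copy)

    preserved = verify_tree(src_root, os.path.join(work, "preserved"))
    naive = verify_tree(src_root, os.path.join(work, "naive"))
    shutil.rmtree(work)
    return preserved, naive


if __name__ == "__main__":
    ok, bad = demo()
    print("copy2 / cp -p mismatches:", ok)   # expected: {}
    print("plain copy mismatches   :", bad)  # expected: every file flagged for mtime_ns
```

Run it as-is to see the two outcomes, or call verify_tree(original_dir, copied_dir) on a copy made by any of the tools above to get a machine-checkable record instead of eyeballing the file properties. Two caveats apply to the article's command-line methods: Robocopy copies file timestamps by default (its default copy flags are data, attributes and timestamps), but needs /E to include subfolders and /DCOPY:T to carry over the directories' own timestamps; and cp -p keeps mode, ownership, mtime and atime, while the ctime of the copy will always be the copy time, which is why the script records ctime from the original but never expects the copy to match it.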
Conclusion:
Hence, in this article you have learnt about various methods and tools to copy files from one location to another without changing the timestamp.