EH-Net
Author Topic: How to find a file time stamps  (Read 1328 times)
hurtl0cker
« on: February 03, 2013, 02:14:25 AM »

I have a file, basically a small text file, which was created and modified on one Linux system and copied onto my machine. I would like to know how I can retrieve the time stamps of the file for the events that happened on the former OS. Is it possible to trace the old time stamps on my machine, or should I have access to the first machine? In both cases, which tools can I use? I tried 'stat' and 'ls', which don't provide much detail.

“Knowing is not enough; we must apply. Willing is not enough: we must do.”
- Bruce Lee
chrisj
« Reply #1 on: February 03, 2013, 11:47:29 AM »

Don't know if it'll do what you want, but look into -ctime, -atime, and -mtime. If you didn't use an archive option to preserve the metadata when you copied it over, the data may not be there on the new machine.

OSWP, Sec+
adamj
« Reply #2 on: February 05, 2013, 09:35:37 PM »

Normal ls -l will give mtime, but you can get atime with ls -lu and ctime with ls -lc.
It may also depend on what filesystem is in use, not just how the file was copied.
Ketchup
« Reply #3 on: February 05, 2013, 09:51:35 PM »

Unless you specifically used a copy utility that preserved the MAC times of the file, you can't trust that the file was copied with metadata preserved. You are also not sure if it is the same file unless you have cryptographic hashes of both the source and the destination to support this.

Your best bet is to analyze the original file, or rather a forensically sound copy of it. (You don't want to work with the original evidence, as a rule of thumb.) As others have already stated, there are a ton of utilities that will give you the metadata of the file. You may also want to look at autopsy and sleuthkit (http://www.sleuthkit.org/autopsy/).

~~~~~~~~~~~~~~
Ketchup
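
Added example, not part of any post in this thread: a Python sketch of the point the replies make, that a plain copy keeps the content but not the modification time, a metadata-preserving copy keeps mtime, and a hash comparison is what ties a copy to its source. The file names and the 2013 timestamp are constructed sample values.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash file content in chunks; metadata does not affect the digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copy(src, dst):
    """Report whether dst matches src in content and in modification time."""
    # Stat first: hashing reads the files and may update their atime.
    src_stat, dst_stat = os.stat(src), os.stat(dst)
    return {
        "same_content": sha256_of(src) == sha256_of(dst),
        "mtime_preserved": src_stat.st_mtime_ns == dst_stat.st_mtime_ns,
        "src_mtime": src_stat.st_mtime_ns // 10**9,
        "dst_mtime": dst_stat.st_mtime_ns // 10**9,
    }


def demo():
    """Copy one constructed file two ways and compare each copy to the source."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "note.txt")  # constructed sample file
        with open(src, "w") as handle:
            handle.write("constructed sample evidence\n")
        old = 1359857665  # constructed mtime: 2013-02-03 02:14:25 UTC
        os.utime(src, (old, old))  # sets atime and mtime; ctime cannot be set
        # shutil.copy: content and permission bits only, mtime becomes "now".
        plain = shutil.copy(src, os.path.join(workdir, "plain.txt"))
        # shutil.copy2: also copies atime and mtime from the source.
        kept = shutil.copy2(src, os.path.join(workdir, "preserved.txt"))
        return compare_copy(src, plain), compare_copy(src, kept)


if __name__ == "__main__":
    for label, result in zip(("plain copy", "metadata-preserving copy"), demo()):
        print(label, result)
```

On the destination the inode change time (ctime) is always set by the receiving system, so even a metadata-preserving copy only carries over mtime and atime.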
© 2013 The Ethical Hacker Network