
How to find a file time stamps

hurtl0cker

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 10:09 am

Location: WWW

Post Sun Feb 03, 2013 3:14 am

How to find a file time stamps

I have a file, basically it's a small text file which has been created and modified on one Linux system and copied onto my machine. I would like to know how I can retrieve the time stamps of the file for the events that happened in the former OS. Is it possible to trace the old time stamps on my machine, or should I have access to the first machine? In both cases, which tools can I use? I tried 'stat' and 'ls', which don't provide much detail.
“Knowing is not enough; we must apply. Willing is not enough: we must do.”
- Bruce Lee

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Feb 03, 2013 12:47 pm

Re: How to find a file time stamps

Don't know if it'll do what you want, but look into -ctime, -atime, and -mtime. If you didn't use an archive option to preserve the metadata when you copied it over, the data may not be there on the new machine.
OSWP, Sec+

adamj

Newbie

Posts: 17

Joined: Wed Jan 23, 2008 11:49 pm

Location: Maryland

Post Tue Feb 05, 2013 10:35 pm

Re: How to find a file time stamps

Normal ls -l will give mtime, but you can get atime with ls -lu and ctime with ls -lc.
It may also depend on what filesystem is in use, not just how the file was copied.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Feb 05, 2013 10:51 pm

Re: How to find a file time stamps

Unless you specifically used a copy utility that preserved the MAC times of the file, you can't trust the file was copied with metadata preserved. You are also not sure if it is the same file unless you have cryptographic hashes of both the source and the destination to support this.

Your best bet is to analyze the original file, or rather a forensically sound copy of it. (You don't want to work with the original evidence as a rule of thumb.) As others have already stated, there are a ton of utilities that will give you the metadata of the file. You may also want to look at autopsy and sleuthkit (http://www.sleuthkit.org/autopsy/).
~~~~~~~~~~~~~~
Ketchup
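
The points made in this thread (timestamps survive a copy only if the copy tool preserves them, and hashes are what tie the copy to the source) can be checked with the following added example, which is not part of any post above. It assumes a Linux filesystem and uses Python's `shutil.copy` and `shutil.copy2` as stand-ins for a plain copy and a metadata-preserving copy; the file names, content and backdated time are constructed.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(path):
    """Return the SHA-256 and MAC times (in ns) for one file."""
    st = os.stat(path)  # stat first: reading the file can update atime
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mtime": st.st_mtime_ns,
            "atime": st.st_atime_ns, "ctime": st.st_ctime_ns}


def compare(src, dst):
    """Compare a copy against its source: content, mtime, and ctime origin."""
    a, b = snapshot(src), snapshot(dst)
    return {
        "same_content": a["sha256"] == b["sha256"],
        "mtime_preserved": a["mtime"] == b["mtime"],
        # ctime is set by the kernel on the destination and cannot be
        # carried over by a copy tool, so it is later than the old mtime.
        "ctime_reflects_copy": b["ctime"] > a["mtime"],
    }


def demo():
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "original.txt")
    with open(src, "w") as fh:
        fh.write("constructed sample content\n")
    # Backdate the source to a constructed time: 2013-02-01 00:00:00 UTC.
    old = 1359676800
    os.utime(src, (old, old))

    plain = os.path.join(workdir, "plain_copy.txt")
    kept = os.path.join(workdir, "preserved_copy.txt")
    shutil.copy(src, plain)   # content and mode only; mtime becomes "now"
    shutil.copy2(src, kept)   # also copies atime and mtime
    result = {"plain": compare(src, plain), "preserved": compare(src, kept)}
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Both copies hash identically to the source, but only the preserved copy keeps the 2013 mtime, and in neither case does ctime say anything about the original system.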
