
Archiving files without changing the MAC timestamps


punkrokk

Newbie

Posts: 21

Joined: Thu Aug 07, 2008 8:35 pm

Location: Rochester, NY

Post Wed Feb 18, 2009 11:56 am

Archiving files without changing the MAC timestamps

Hi,

So when I was at ShmooCon, I was talking with some people about my thesis: Role Based File Archiving. The main problem I ran into with my research was that I couldn't find a good way, when archiving files, to provide integrity or non-repudiation to the MAC timestamps (Modified, last Accessed, Created).

The above being said, my programmatic workaround was to read the timestamps before copy, but then rewrite them after copy. The problem is that I don't want to have to do this, and this opens up a potential "weak link" in an archiving system, especially in court if I can prove you can change the MAC stamps when archiving.

My question is: Does anyone know of a programmatic way to archive files and folders in NTFS and ext3/4 that will truly archive the file (provide transparent archiving, for legal purposes... or just to know that it hasn't/can't be modified without an audit trail) for non-repudiation purposes and/or integrity purposes?

Thanks!

-=punkrokk=-

timmedin


Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed Feb 18, 2009 9:29 pm

Re: Archiving files without changing the MAC timestamps

I believe that to provide non-repudiation with the timestamps, you just have to prove that your software doesn't alter them, and its output has to be reproducible. It might take a few court cases to prove it. Normal backups can be used, and what you propose is essentially backup software.
twitter.com/timmedin | http://blog.securitywhole.com
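
The workaround described in the first post (read the timestamps before the copy, rewrite them after), paired with a hash-sealed record so that the archived copy can be re-checked and the result reproduced. This is an added example, not code from either poster; the function names, the record layout and the sample file are assumptions made for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile

def _sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _seal(record):
    # Digest over the canonical JSON form of the record; store or sign it out of band.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def archive(src, dst_dir):
    """Copy src into dst_dir, restore atime/mtime, return (record, seal)."""
    st = os.stat(src)  # read timestamps BEFORE hashing: reading can update atime
    record = {"name": os.path.basename(src), "sha256": _sha256_file(src),
              "size": st.st_size, "atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns}
    dst = os.path.join(dst_dir, record["name"])
    shutil.copyfile(src, dst)
    # os.utime sets only atime and mtime; ctime / NTFS creation time is not settable
    # this way, so the sealed record is the authoritative copy of the original times.
    os.utime(dst, ns=(record["atime_ns"], record["mtime_ns"]))
    return record, _seal(record)

def verify(dst_dir, record, seal):
    """Return the list of fields that no longer match the sealed record."""
    problems = []
    if _seal(record) != seal:
        problems.append("manifest")
    dst = os.path.join(dst_dir, record["name"])
    st = os.stat(dst)
    if _sha256_file(dst) != record["sha256"]:
        problems.append("content")
    if st.st_mtime_ns != record["mtime_ns"]:
        problems.append("mtime")
    return problems  # atime is not compared: verifying reads the file and may bump it

def demo():
    """Constructed sample: one file with a fixed 2008 mtime, archived then checked."""
    with tempfile.TemporaryDirectory() as src_dir, tempfile.TemporaryDirectory() as dst_dir:
        src = os.path.join(src_dir, "evidence.txt")
        with open(src, "w") as f:
            f.write("constructed sample content\n")
        os.utime(src, ns=(1_200_000_000 * 10**9, 1_200_000_000 * 10**9))
        record, seal = archive(src, dst_dir)
        return record["mtime_ns"], verify(dst_dir, record, seal)

if __name__ == "__main__":
    print(demo())
```

The seal only gives integrity if it is kept somewhere the archive operator cannot silently rewrite it, for example signed or logged to a separate system.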
