I am very new to Sleuth Kit and IT forensics in general, so I hope my question is not too “low level” for this forum.
I have two files that are several years old (or at least seem to be). They were not created on my system and in fact I do not know exactly on whose system they were created. I most likely copied them from a USB stick a while back.
What I want to do now is check whether the time signatures of the files have been manipulated. I learned that beyond the $STANDARD_INFORMATION time signature (which Windows shows me) there is a second piece of information called $FILE_NAME. I hoped I could retrieve this information using The Sleuth Kit’s istat. But it seems to me that this tool can only analyse whole images.
Can anybody help me? Or is my goal futile to begin with (since I have only the files and not their “original” drive / system)?
Thanks in advance!
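For reference, an added example that is not part of the original post: both timestamp sets live in the file's MFT record on the NTFS volume, not in the file contents, which is why a tool needs an image or the volume itself. The sketch below parses a raw 1024-byte FILE record and compares the $STANDARD_INFORMATION and $FILE_NAME times. The sample record is constructed, all function names are hypothetical, and update-sequence fixups are assumed to be already applied.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF   # NTFS attribute type codes

def to_ticks(dt, frac=0):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return int((dt - EPOCH).total_seconds()) * 10_000_000 + frac

def to_datetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def _attr(atype, content):
    """Constructed resident attribute: 24-byte header plus content."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, length, 0, 0, 24, 0, 0, len(content), 24, 0)
    return (hdr + content).ljust(length, b"\0")

def build_record(si_ticks, fn_ticks):
    """Constructed 1024-byte FILE record (sample input, not real evidence)."""
    si = struct.pack("<4Q", *[si_ticks] * 4)
    fn = b"\0" * 8 + struct.pack("<4Q", *[fn_ticks] * 4)  # 8-byte parent ref first
    body = _attr(SI, si) + _attr(FN, fn) + struct.pack("<I", END)
    head = b"FILE" + b"\0" * 16 + struct.pack("<H", 56) + b"\0" * 34
    return (head + body).ljust(1024, b"\0")

def read_times(record):
    """Return {type: (created, modified, mft_changed, accessed)} in raw ticks."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", record, 0x14)[0], {}
    while off + 24 <= len(record):
        atype, length = struct.unpack_from("<II", record, off)
        if atype == END or length == 0:
            break
        if atype in (SI, FN) and record[off + 8] == 0:      # resident attributes only
            coff = struct.unpack_from("<H", record, off + 20)[0]
            skip = 8 if atype == FN else 0
            out.setdefault(atype, struct.unpack_from("<4Q", record, off + coff + skip))
        off += length
    return out

def anomalies(times):
    """Heuristic indicators only; cross-volume moves can also produce them."""
    si, fn, notes = times[SI], times[FN], []
    if si[0] < fn[0]:
        notes.append("si_created_before_fn_created")
    if all(t % 10_000_000 == 0 for t in si):
        notes.append("si_zero_subsecond")
    return notes
```

The record examined this way describes the file on the volume it currently sits on, so for a file copied from another drive the $FILE_NAME times reflect the copy rather than the original system.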