Files dates are not identified

EmmanuelC · January 10, 2020, 2:10am

Autopsy is a fabulous tool. Really. Thanks !

I’ve noticed the following for a long time in my computer (not only with 4.13.0) :
Autopsy doesn’t mention any dates/times for the files (dates are: 0000-00-00 00:00:00), except the files incorporated in zip-archives. As a result, the timeline add-in is not relevant.
But, if I build a zip-archive with all the files, Autopsy is able to mention the “modified time” (i.e. 2018-01-31 14:42:30 CET) of the files (only the modified time).
(unfortunately the zip files inside the big zip-archives are not automatically investigated by Autopsy ; and it’s not possible to analyze the various dates of the files)

I run Autopsy for Windows (Win10Pro), with a French-language environment (Windows date format: JJ-MM-AAAA). I tried to format the Windows date to AAAA-MM-JJ: it is without any effect.

Any thoughts ?

apriestman · January 10, 2020, 2:13am

Are you using Logical File data sources? I think the assumption is that logical files would have been copied onto the analyst’s system and so the timestamps would be irrelevant.

EmmanuelC · January 10, 2020, 6:49am

Hi Ann,
Yes I use Logical File data sources. I can’t work directly on seized disks. Do you suggest that the assumption would be different if I mount the copy of the disk as a VM ?

apriestman · January 10, 2020, 2:11pm

I think that could work? If you can go through the Local Disk data source processor instead of Logical Files the timestamps should be present.

http://sleuthkit.org/autopsy/docs/user-docs/4.14.0/ds_page.html#ds_local

EmmanuelC · January 10, 2020, 9:07pm

I Will try asap the local disk option. Slower but easier than a VM container.

EmmanuelC · January 11, 2020, 7:54am

I’ve tried the local disk way. It’s ok: he job is done (the “modified time” is a fair timestamp), so your assumption was correct. But the ingest phasis was so… so… slow.
I try now to mount a VHD on my SSD.
Question: is there way to choose the timestamp used in the TimeLine? (created time, modified time, access time…) I didn’t find information after reading http://sleuthkit.org/autopsy/docs/user-docs/4.14.0//timeline_page.html

EmmanuelC · January 11, 2020, 8:16am

So I mounted the files in a VHDX and run Autopsy (with admin rights) against this “local disk”. Fast, similar to the “Logical files” way! And the timeline is populated, now, nice!

(is there a way to open the zip files at the Ingest phasis? It’s done with logical files, not with local drive).

apriestman · January 14, 2020, 4:24pm

About zip files, it looks like we may have a bug. I’m seeing errors when I try to run the embedded file extractor on a local disk. We’ll look into it.

Topic		Replies	Views
Add Date Stamp Support for Local Files/Archives Autopsy Feature Requests	2	774	August 1, 2023
Web history timestamps consistent appear with incorrect timestamps Autopsy Help	8	894	May 19, 2021
Autopsy file creation date confusion Autopsy Help	2	1371	January 25, 2021
Autopsy timestamp reliability? Autopsy Help	3	848	August 7, 2020
Possible inconsistency in metadata date/time. Autopsy Help	4	572	July 21, 2022

Files dates are not identified

Related Topics