Timestamp and other metadata reliability

In forensics, it turns out to be important to know timestamps reliably. On older filesystems like NTFS and FAT, you either have a timestamp (if the record is intact) or you don't (if the record has been overwritten). Copy-on-write (CoW) filesystems like ReFS and BTRFS, on the other hand, leave behind many different versions of the same metadata record: do you want the generation 3 timestamp or the generation 8 timestamp? Since the generation numbers of metadata records (and so of the timestamps they carry) do not necessarily match the generation numbers of the file data pointers, there seems to be no way to get forensically reliable timestamps on modern filesystems. This is probably something worth looking into.
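To make the problem concrete, here is an added example (not part of the original post, and not a parser for any real ReFS or BTRFS on-disk structure) using a simplified, constructed model of what an examiner recovers from a CoW volume: several stale copies of one inode's metadata record, each stamped with the generation it was written in, carrying its own modification time, and referencing a data-extent pointer with its own generation. The record layout, field names and sample values are assumptions for illustration. The example shows that the highest-generation copy is not automatically the right timestamp for the data currently on disk, and that for some inodes no recovered copy is consistent with the live data at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MetadataRecord:
    """One recovered copy of an inode's metadata (constructed, simplified model)."""
    inode: int
    generation: int   # generation/transaction in which this metadata copy was written
    mtime: int        # modification time stored in this copy (epoch seconds)
    extent_gen: int   # generation of the data-extent pointer this copy references


# Constructed sample: copies of the same record left behind by copy-on-write updates.
# Inode 257 was written at gen 3, had a metadata-only change at gen 5 (same data),
# and was rewritten with new data at gen 8. Inode 258 has one stale copy whose
# extent pointer (gen 2) no longer matches the data on disk.
RECOVERED: List[MetadataRecord] = [
    MetadataRecord(inode=257, generation=3, mtime=1700000000, extent_gen=3),
    MetadataRecord(inode=257, generation=5, mtime=1700003600, extent_gen=3),
    MetadataRecord(inode=257, generation=8, mtime=1700007200, extent_gen=8),
    MetadataRecord(inode=258, generation=4, mtime=1700001000, extent_gen=2),
]


def timestamp_candidates(records: List[MetadataRecord], inode: int) -> List[Tuple[int, int]]:
    """All (generation, mtime) pairs recovered for an inode, oldest generation first."""
    return sorted((r.generation, r.mtime) for r in records if r.inode == inode)


def latest_generation_mtime(records: List[MetadataRecord], inode: int) -> Optional[int]:
    """The naive choice: the mtime from the highest-generation metadata copy."""
    candidates = timestamp_candidates(records, inode)
    return candidates[-1][1] if candidates else None


def timestamp_for_data(records: List[MetadataRecord], inode: int,
                       live_extent_gen: int) -> Optional[int]:
    """The mtime from the metadata copy whose extent pointer matches the data
    actually on disk. Several metadata-only generations can reference the same
    data, so the earliest matching copy is the one in which that data appeared.
    Returns None when no recovered copy is consistent with the live data."""
    matches = [r for r in records
               if r.inode == inode and r.extent_gen == live_extent_gen]
    if not matches:
        return None
    return min(matches, key=lambda r: r.generation).mtime


def ambiguity_report(records: List[MetadataRecord],
                     live_extent_gens: Dict[int, int]) -> Dict[int, dict]:
    """Per inode: the naive timestamp, the data-consistent timestamp, and whether
    the two agree. 'reliable' is False when they differ or when no copy matches."""
    report = {}
    for inode, live_gen in live_extent_gens.items():
        naive = latest_generation_mtime(records, inode)
        consistent = timestamp_for_data(records, inode, live_gen)
        report[inode] = {
            "candidates": timestamp_candidates(records, inode),
            "latest_metadata_mtime": naive,
            "data_consistent_mtime": consistent,
            "reliable": consistent is not None and consistent == naive,
        }
    return report


if __name__ == "__main__":
    # Constructed: the extent generation each inode's current data carries.
    live = {257: 3, 258: 3}
    for inode, entry in ambiguity_report(RECOVERED, live).items():
        print(inode, entry)
```

Running this with inode 257's live data still at extent generation 3 (the gen-8 rewrite was, say, rolled back by a snapshot restore) yields the gen-3 mtime, not the gen-5 or gen-8 one; inode 258 yields no consistent timestamp at all, which is the case the post describes: a recovered record with a timestamp that cannot be tied to the data it supposedly describes.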
