zero'ed MAC times and dates


Post by redalert6 » Mon Apr 11, 2016 6:01 pm

I have a directory listing of what appear to be deleted files; however, the MAC times are all 000-00-0000. Clearly these files have been deleted, but why would Autopsy list zeros for the MAC times?

Re: zero'ed MAC times and dates

Post by giuseppe » Sun Jul 31, 2016 12:49 pm

Hi there.
I was looking for an answer about the same issue redalert6 posted. I think it's not correct that the files with zero'ed MAC times are of course deleted files. I say this because I have different files, with zero'ed MAC times, which are still in the original directory. I used Autopsy 4. Look at this photo with the directory listing of deleted files. Click the image to view all fields.
Image
I have highlighted 4 files:
1) This file is still in the folder, so it's not deleted and has zero'ed MAC times
2) This file is really deleted and the MAC times are not zero'ed
3) This is the same file as 2) but the file name ends with ":Zone.Identifiers" (sorry, but I cut the image to best fit the screen)
4) This file is really deleted but has zero'ed MAC times as 1) (which is not deleted)
The questions are:
a) What does it mean when MAC times are zero'ed?
b) When MAC times aren't zero'ed, which of the time columns (modified, change, access, created) do we have to refer to? Which one is the time of deletion?
c) What does it mean when a file name ends with ":Zone.Identifiers"?

Thank you in advance

