This morning, in my Enfuse talk (MAC Times, Mac Times, and more) I made a blanket statement. I usually avoid these but, in this case, I made a deliberate blanket statement. I provided the example from the SANS Windows Forensic Poster and showed, from the poster, that MAC times are not updated when a file is deleted. I also bemoaned the fact that there are many forensic investigators that still believe that MAC times are updated at the time of deletion. Today I’m on a quest to change their minds.
SANS has published this poster for several years and it is maintained by some of the smartest people I know. In addition to that, I’ve also done my own testing and seen things from my own investigations. I have never seen a MAC time updated for the deletion of a file on a Windows computer. Never. Not in over 10 years of working in this field, not in the roughly 500 investigations I’ve conducted.
First, let’s pin down what I mean by deleted, because on Windows that word covers several different operations.
Let’s take a look at an example. I have a file as follows:
If I put this file in the recycle bin at 11/5/2014 the record updates to something like this:
Note that the modified time changes because of the rename, not because the file was placed in the recycle bin as such: sending a file to the bin is a move within the volume to $Recycle.Bin\<SID>\$R<random>.<ext>, and it is that rename that touches the record (strictly, the $MFT entry-modified timestamp, which any rename updates; the content-modified time is untouched). The companion $I<random>.<ext> file written at the same moment stores the original path and the time of that move, which is why a recycle-bin deletion is the one case where a deletion time is recorded at all. When the recycle bin is emptied, none of the dates and times in the $MFT are updated.
What if I use CCleaner to erase the file?
Once again, the modified time is updated because of the file rename only: CCleaner renames the file before it removes it. Yes, the deletion will likely follow within a fraction of a second, but it is the rename that updates the field; the removal of the file itself touches nothing.
And when the file is deleted by bypassing the recycle bin (shift-delete)?
Nothing. Nothing is changed at all.
Let’s look at another scenario. You receive a computer on 08/18/2017 for analysis. When you review the contents of the computer you note that a deleted file has the following properties:
You may be tempted to say, “The file looks like it was deleted at 08/17/2017 at 19:01:33.” But you’d be incorrect. What we have here is a window in which the file was deleted. We know that the file was deleted sometime between 08/17/2017 at 19:01:33 (the newest timestamp on the record) and the time that the computer arrived on your desk. This may be a window of only a few hours, as in this example, but it could be a window of days, weeks, or even months. In instances such as these it is well worth your time to carve out $USNJRNL records, using something like TriForce from GC Partners, in order to determine the file deletion time: the change journal writes a record carrying the USN_REASON_FILE_DELETE flag, with its own timestamp, when the file is removed, and that record, not the $MFT, is where the deletion time actually lives. The one caveat is that the journal is a ring buffer, so on a busy volume older records may already have been overwritten.
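The carving step described above, as an added example that is not part of the original post and is not the author's tool or TriForce: a Python script that walks a raw $UsnJrnl:$J blob, carves USN_RECORD_V2 headers (Microsoft's documented layout and reason flags), and reports the timestamp of the record carrying USN_REASON_FILE_DELETE. The journal bytes, file names, reference numbers and times are constructed for the example; the `deletion_window` helper turns the "newest $MFT timestamp to acquisition" reasoning from the paragraph into code so the two answers can be compared side by side.

```python
"""Carve USN_RECORD_V2 entries out of a raw $UsnJrnl:$J blob and pull out the
FILE_DELETE events, which is where NTFS actually records a deletion time.

Added example for this post; not the author's tool and not TriForce. Record
layout and reason flags follow Microsoft's documented USN_RECORD_V2. The
journal bytes, names, reference numbers and times below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from winioctl.h (only the ones this example decodes).
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000
REASON_NAMES = {
    USN_REASON_FILE_CREATE: "FILE_CREATE",
    USN_REASON_FILE_DELETE: "FILE_DELETE",
    USN_REASON_RENAME_OLD_NAME: "RENAME_OLD_NAME",
    USN_REASON_RENAME_NEW_NAME: "RENAME_NEW_NAME",
    USN_REASON_CLOSE: "CLOSE",
}

# Fixed 60-byte head of USN_RECORD_V2: RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn,
# TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset. The UTF-16LE name follows at
# FileNameOffset and the whole record is padded to an 8-byte boundary.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_HDR_LEN = _HDR.size
_MAX_LEN = (_HDR_LEN + 255 * 2 + 7) & ~7   # longest legal NTFS name
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def build_record(frn, parent_frn, usn, when, reason, name, attrs=0x20):
    """Serialise one USN_RECORD_V2 (used here only to construct sample input)."""
    name_bytes = name.encode("utf-16-le")
    length = (_HDR_LEN + len(name_bytes) + 7) & ~7
    head = _HDR.pack(length, 2, 0, frn, parent_frn, usn,
                     datetime_to_filetime(when), reason, 0, 0, attrs,
                     len(name_bytes), _HDR_LEN)
    return head + name_bytes + b"\x00" * (length - _HDR_LEN - len(name_bytes))


def carve_usn_records(blob):
    """Walk the blob 8 bytes at a time, accept a record wherever a plausible
    V2 header sits, and step over the zeroed/unallocated space between them."""
    records, off = [], 0
    while off + _HDR_LEN <= len(blob):
        (length, major, minor, frn, parent, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _HDR.unpack_from(blob, off)
        plausible = (major == 2 and minor == 0
                     and _HDR_LEN < length <= _MAX_LEN and length % 8 == 0
                     and name_off == _HDR_LEN and name_len % 2 == 0
                     and name_off + name_len <= length
                     and off + length <= len(blob))
        if not plausible:
            off += 8
            continue
        name = blob[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"offset": off, "usn": usn, "frn": frn, "parent_frn": parent,
                        "timestamp": filetime_to_datetime(ts), "reason": reason,
                        "name": name, "attrs": attrs})
        off += length
    return records


def describe_reason(reason):
    return "|".join(n for f, n in REASON_NAMES.items() if reason & f) or hex(reason)


def deletion_times(records):
    """name -> UTC time of the journal record carrying FILE_DELETE for that name."""
    return {r["name"]: r["timestamp"] for r in records
            if r["reason"] & USN_REASON_FILE_DELETE}


def deletion_window(newest_mft_time, acquisition_time, usn_delete_time=None):
    """The $MFT alone only bounds the deletion: no earlier than the newest
    timestamp on the record, no later than acquisition. A carved FILE_DELETE
    record collapses that interval to a single instant."""
    if usn_delete_time is None:
        return newest_mft_time, acquisition_time
    if not newest_mft_time <= usn_delete_time <= acquisition_time:
        raise ValueError("journal time falls outside the $MFT/acquisition bounds")
    return usn_delete_time, usn_delete_time


# Constructed journal: the file is sent to the recycle bin on 08/17/2017
# 19:01:33 (a rename into $Recycle.Bin, which is what touches the $MFT
# record) and the bin is emptied hours later. Zero padding stands in for
# unallocated journal space that a carver has to skip.
FRN, BIN_DIR = 0x2A0000000001F3, 0x060000000007
SAMPLE_JOURNAL = (
    b"\x00" * 24
    + build_record(FRN, 0x050000000005, 0x1000, utc(2017, 8, 17, 19, 1, 33),
                   USN_REASON_RENAME_OLD_NAME, "report.docx")
    + build_record(FRN, BIN_DIR, 0x1058, utc(2017, 8, 17, 19, 1, 33),
                   USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "$RX1Y2Z3.docx")
    + build_record(FRN, BIN_DIR, 0x10B0, utc(2017, 8, 18, 2, 14, 7),
                   USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "$RX1Y2Z3.docx")
    + b"\x00" * 16
)


def main():
    recs = carve_usn_records(SAMPLE_JOURNAL)
    for r in recs:
        print(f"{r['timestamp']:%Y-%m-%d %H:%M:%S}  {describe_reason(r['reason']):<24}  {r['name']}")
    newest_mft, acquired = utc(2017, 8, 17, 19, 1, 33), utc(2017, 8, 18, 9, 0, 0)
    print("window from $MFT alone:", deletion_window(newest_mft, acquired))
    print("pinned by $UsnJrnl:    ",
          deletion_window(newest_mft, acquired, deletion_times(recs)["$RX1Y2Z3.docx"]))


if __name__ == "__main__":
    main()
```

Run it as-is to see the three carved records and the two answers: the $MFT gives a fourteen-hour window, the journal gives 02:14:07 on the 18th. Point `carve_usn_records` at the bytes of an exported `$Extend\$UsnJrnl:$J` (or at unallocated clusters, which is where the older, wrapped records end up) and the same sanity checks do the carving; the rename pair before the delete is what lets you tie the $R name back to the original file name.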
Definitive blanket statements are not often made in this field. As such, when these statements are made, they are not made lightly. Yes, there will be instances where metadata changes immediately before the deletion takes place, especially when a third-party tool renames the file first, but the MAC times are not updated on file deletion, period.