Reading about some sophisticated dating fraud in the Carolingian era (St. Martin), and then later thinking about Hillary, it occurred to me:
First, how hard is it to alter, after the fact, the file-creation or -modification data?
And if you go about erasing files, reformatting the disk and adding zeros and ones by whatever crypto standard… Can the OS[+app, if necessary] or disk itself in some root history [?just invented that] cover up its tracks of the very fact that it was covering its tracks when any of these actions took place?
It seems to me like trying to swallow your own tail.
For information just on your own computer it is easy. You can set your system clock to any time and date you like. Once you begin communicating with other computers you can’t control what timestamps they’ll stick in information. Sufficient erasure will remove all traces of any timestamps on your disk, but you have to know what you’re doing to remove all references to a specific file or recorded event. If you’re really worried about it, you nuke the disk from orbit. Many computers establish online connections when they boot up and then you can’t hide the fact that you did something on the computer at a particular time. But you can’t prove exactly who did it. For instance, complete strangers are constantly logging on to my computer with my credentials and accessing porn.
Trivially. The way you do this such that it’s near untraceable is you remove the hard disk being tampered with, and use a separate computer running Linux. There are special tools that can tamper with file system data, including file creation and access data information. The best tools are generally on Linux for a variety of reasons, and you would probably have source access and be able to edit them if you needed more features.
Like anything, you might make a mistake, but if you did it right, there would be no traces of your tampering.
With the caveat of “if you do it right”. Realistically, you’re going to make mistakes, and then it’s a question of the number of mistakes you make, versus the skill of the investigator at uncovering them.
For something basic like a timestamp (created/written/read) on a file it’s quite trivial. I do it all the time so that files get sorted by date in certain directories which makes it easier for other things to happen. Under MS-Windows, I use a small program to make this easier.
From there it gets harder and harder. Some systems do logging of changes. You have to fix those, plus the log’s date itself, etc.
One example that’s easy to mess up is email headers. They are a treasure trove of timestamps. Based on when it was sent, what it was forwarded through, to when it was delivered. They can be quite lengthy and convoluted. If you want to change that right, it requires a very precise analysis and care. Of course, one of the servers along the way might have its clock screwed up (off, wrong time zone, etc.) and you need to deal with that.
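The hop-by-hop timestamps in email headers mentioned in the post above can be checked mechanically for consistency. This is an added example, not part of the original thread: it normalizes the `Date` and `Received` times to UTC and reports any hop that claims to be earlier than the one before it. The sample message, its host names and the two-minute skew tolerance are constructed assumptions.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: hosts and times are invented for illustration.
SAMPLE = """\
Received: from mx2.example.net by mail.example.org; Tue, 03 Mar 2015 10:05:12 -0500
Received: from mx1.example.com by mx2.example.net; Tue, 03 Mar 2015 14:58:40 +0000
Received: from client.example.com by mx1.example.com; Tue, 03 Mar 2015 16:04:55 +0100
Date: Tue, 03 Mar 2015 16:04:50 +0100
From: a@example.com
To: b@example.org
Subject: test

body
"""


def hop_times(raw):
    """Return (Date header in UTC, [Received timestamps in UTC, oldest hop first])."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received header, so reverse to get travel order.
    for value in reversed(msg.get_all("Received", [])):
        stamp = value.rsplit(";", 1)[-1].strip()  # the time follows the last ';'
        hops.append(parsedate_to_datetime(stamp).astimezone(timezone.utc))
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    return sent, hops


def anomalies(raw, tolerance=timedelta(minutes=2)):
    """List (earlier_label, later_label, seconds_backwards) for out-of-order hops."""
    sent, hops = hop_times(raw)
    chain = [("Date", sent)] + [(f"hop {i}", t) for i, t in enumerate(hops, 1)]
    found = []
    for (prev_label, prev_t), (label, t) in zip(chain, chain[1:]):
        # A later hop stamped well before the previous one means a skewed
        # clock or an edited header; either way it needs an explanation.
        if t < prev_t - tolerance:
            found.append((prev_label, label, int((prev_t - t).total_seconds())))
    return found


if __name__ == "__main__":
    for earlier, later, secs in anomalies(SAMPLE):
        print(f"{later} is stamped {secs}s before {earlier}")
```

A flagged hop is not proof of tampering on its own; as the post notes, a server with a wrong clock produces the same pattern, so the finding has to be compared against that server's other mail.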
ftg has it. A modern OS has a staggering number of places where times are recorded, and a forensic analysis of these would show up inconsistencies all over the place, even with the most careful modification. One of the harder places to fix is in journalling file systems, which most modern file systems are in some form or another. Whilst a file itself may have a time stamp or two (creation, access, modification for a start) these are more for the use of the user - and they are separate to the internal operation. Change one, and you end up with a change command in a journal. You can typically force truncation of the journal, but this itself starts to leave traces. Worse, forensic examination of the disk would probably throw up old disk blocks with traces of the journal and operations.
As to covering up the operation of a disk erase, again, very very hard. This was a plot element in Stephenson’s Cryptonomicon, where one of the protagonists needed to wipe a disk in a defensible manner. Short answer, no. You won’t be able to do it. If you want that level of security you would start with an encrypted file system.
Flash based file systems are a different animal to spinning rust, and the manner in which file erasure is done needs to be different. Flash retires blocks of memory that have been used many times, and these can still be visible to forensic examination. There is no way of getting to them from the OS - you need to get past the flash controller to see the actual flash memory. You can’t control (or even know) when a block is retired, so being able to properly erase data is much harder.
To get to a believable file system state where file meta-data has been altered you would need time. If the system operates and is used normally for a significant period of time after the alteration is done the traces of the alteration in the file system will tend to be lost.
None of this helps with the plethora of intermixed and tangled timestamps that exist at the user level that has been outlined by ftg.