Need some answers on a computer question

I need help on a computer question that has arisen at work. The issue is when some particular files were written and/or altered. The files were on a floppy disk and the writing was done on a word processing program on the hard drive. The computer is a standard, albeit not state of the art, Windows-Pentium system.

I don’t know much about computers but I know that files are marked with the last date and time they were saved. I also know that there are history files on the hard drive that record some of the details of what’s been accessed on the computer. A little research has shown me that by resetting the computer’s date and time, you can fool the “save” program and put any date and time as the “saved” time. If I need to prove when a file was actually accessed and/or saved, is it possible for me to do so?

Probably not, unless there was some sort of logging program running on the computer. You don’t mention what operating system you’re running, which could matter, but most OSs depend solely on the computer clock for the time to set the ‘date modified’.

Just out of curiosity, what situation led up to you needing to know when a file was saved to a disk?

(off topic)
That scenario was in an episode of Columbo I watched last week.

There are also numerous file utilities that can re-set the time/date stamp to any desired parameter without fooling with the system clock.

IIRC there are some deep level system logs built into MS Office that forensic PC investigators can use but I don’t know if these would exist in your particular scenario or be of any use to you. Most WP systems (Word and WordPerfect at least) also have (hidden) timed, incremental file backups (on the hard drive) of the file being worked on in case the system locks or power is lost, but these are usually dynamically destroyed or overwritten once the file is saved and the PC is shut down and re-started. In some cases these are saved to a specific directory so you might be able to recover them using a binary editor if no activity has occurred since the file write in question, but if the system date was changed (and not just the file date) these will have the incorrect or manipulated time/date stamp as well…

If the person was careful or savvy enough to reset the time/date stamp on the floppy there is really not much you can do unless you want to try and see if Norton’s “Undelete” can find an erased file on the floppy with a different date. Interestingly the older WIN/DOS versions of Norton’s will have more specific tools to do this than the newer versions.

If the PC was on a network when the file was created there will be system logs of when the unit was logged on and accessed by a specific user and if these do not match up with the file date they may have some 'splaining to do. Your system admin could probably find this log for you.
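
As an added illustration (not part of the thread), this sketch does by hand what the undelete suggestion above relies on: it reads the raw directory entries of a FAT floppy, including erased ones (first byte 0xE5), decodes their stamps, and pairs a live file with an erased entry of the same name but a different write time. It assumes the directory region has already been read from a disk image; the function names and the sample entries are constructed for the example.

```python
import struct
from datetime import datetime

def fat_datetime(date, time=0):
    """Decode FAT date/time words; None if the field is unset or invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_directory(raw):
    """Return every 32-byte short-name entry, erased ones included."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == 0x00:            # no entries after this one
            break
        if rec[11] == 0x0F:           # long-file-name slot
            continue
        ctime, cdate, adate, _, wtime, wdate = struct.unpack_from("<6H", rec, 14)
        entries.append({
            "name": rec[1:11].decode("ascii", "replace"),  # byte 0 is lost on erase
            "deleted": rec[0] == 0xE5,
            "created": fat_datetime(cdate, ctime),
            "accessed": fat_datetime(adate),
            "written": fat_datetime(wdate, wtime),
        })
    return entries

def date_conflicts(entries):
    """Pair live files with erased entries of the same name but another write time."""
    live = [e for e in entries if not e["deleted"]]
    gone = [e for e in entries if e["deleted"]]
    return [(l, d) for l in live for d in gone
            if l["name"] == d["name"] and l["written"] != d["written"]]

def make_entry(name11, written, deleted=False):
    """Build a constructed sample entry (not data from any real disk)."""
    rec = bytearray(32)
    rec[0:11] = name11
    rec[11] = 0x20                    # archive attribute
    if deleted:
        rec[0] = 0xE5
    wdate = (written.year - 1980) << 9 | written.month << 5 | written.day
    wtime = written.hour << 11 | written.minute << 5 | written.second // 2
    struct.pack_into("<HH", rec, 22, wtime, wdate)
    return bytes(rec)

SAMPLE = (make_entry(b"REPORT  DOC", datetime(2001, 3, 1, 9, 30, 0)) +
          make_entry(b"REPORT  DOC", datetime(2001, 3, 14, 16, 5, 10), deleted=True) +
          bytes(32))
```

A mismatch found this way is a lead rather than proof, since the erased entry's stamp was taken from the same system clock as the live one.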