Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Windows › Time stamps on created documents
New Posts  All Forums:Forum Nav:

Time stamps on created documents

post #1 of 9
Thread Starter 
Looking for some advice. My wife is involved in a lawsuit with a company that defrauded her. They claim they created and delivered a document to her.

They have no proof of delivery and cannot verify whom they gave the document to. They are asserting that it was created on a specific computer but refuse to have our lawyer allow us to view it due to the other confidential information on the computer.

These guys are straight up crooks and I am assuming that they don't want us to access the PC as there is either no document from the date they state it was created, or there is other incriminating evidence on it.

So here are my questions:

My assumption is that the PC's they are using are running either XP or Windows 7. If we do get a subpeona to have a neutral third party examine the computer and we find the document. Is there any way they could have backdated the creation date of the document?

Is there a way to confirm the original creation date? If they rolled back the time and date on the computer to create the document would this matter?

What type of expert should I look for that could verify this kind of info?

More importantly, before we go to the trouble and expense of hiring someone (as I am fairly certain we can have the judge force them to allow access to a neutral third party) is there definitely a way that we can confirm the date?


All advice is appreciated but please, this is a serious matter so I would appreciate not having speculations or assumptions provided.


Thank you
Murder Box II
(18 items)
 
Home PC
(15 items)
 
 
CPUMotherboardGraphicsRAM
Intel 6800K Asus X99-A II Zotac 1080Ti AMP Extreme Edition G. Skill Trident Z - 32GB/ 3200Hz/CL14/Quad  
Hard DriveCoolingOSMonitor
Sandisk Extreme Pro 480GB Corsair H100i V2 - w/ML120 Pro Fans Windows 10 Home 64 Bit Acer Z35P 1440P G-Sync 
KeyboardPowerCaseMouse
Steelseries Merc  EVGA Supernova G2 1000W Corsair 450D Mionix Naos 8200 
Mouse PadAudioAudioOther
Inwin Batmat Aluminum Sound Blaster Z Logitech Z906 - 5.1 Maxnomic Commander S-III Gaming Chair 
CPUMotherboardGraphicsRAM
Intel G3440 Asus B85M-E/CSM EVGA GTX 950 Patriot Viper 3 - 2x8GB 1600hz 
Hard DriveOptical DriveCoolingOS
Samsung EVO 850 - 500GB + 4TB/3TB x 2/2TB WD Green LG CH12LS28 Bluray Scythe Big Shuriken 2 w/Corsair SP120 Fan Windows 10 64 Bit 
MonitorKeyboardPowerCase
Samsung 75" TV.... GooBang Doo MX3 Corsair CX430 V2 NMEDIAPC HTPC 6000B w/ Pro LCD Module 
Mouse
GooBang Doo MX3 
  hide details  
Reply
Murder Box II
(18 items)
 
Home PC
(15 items)
 
 
CPUMotherboardGraphicsRAM
Intel 6800K Asus X99-A II Zotac 1080Ti AMP Extreme Edition G. Skill Trident Z - 32GB/ 3200Hz/CL14/Quad  
Hard DriveCoolingOSMonitor
Sandisk Extreme Pro 480GB Corsair H100i V2 - w/ML120 Pro Fans Windows 10 Home 64 Bit Acer Z35P 1440P G-Sync 
KeyboardPowerCaseMouse
Steelseries Merc  EVGA Supernova G2 1000W Corsair 450D Mionix Naos 8200 
Mouse PadAudioAudioOther
Inwin Batmat Aluminum Sound Blaster Z Logitech Z906 - 5.1 Maxnomic Commander S-III Gaming Chair 
CPUMotherboardGraphicsRAM
Intel G3440 Asus B85M-E/CSM EVGA GTX 950 Patriot Viper 3 - 2x8GB 1600hz 
Hard DriveOptical DriveCoolingOS
Samsung EVO 850 - 500GB + 4TB/3TB x 2/2TB WD Green LG CH12LS28 Bluray Scythe Big Shuriken 2 w/Corsair SP120 Fan Windows 10 64 Bit 
MonitorKeyboardPowerCase
Samsung 75" TV.... GooBang Doo MX3 Corsair CX430 V2 NMEDIAPC HTPC 6000B w/ Pro LCD Module 
Mouse
GooBang Doo MX3 
  hide details  
Reply
post #2 of 9
I'm not so sure about this but if they went "back in time" by simply changing the date and time, it would allow them to falsify the date. However, Windows usually knows when you manually change the time (ie: Warning you that the current time is not synchronized with an internet clock, etc.). I have no idea how but it might be possible to verify if the regular timestamp is the true one or a fake one IF Windows registers wether the time was synchronized with an internet clock or not during the creation of the timestamp.
My Gaming Rig
(16 items)
 
  
CPUMotherboardGraphicsRAM
Intel Core i5 2500K @ 4,5GHz - 1.296 volts MSI P67A-GD55 Asus Strix Geforce GTX 970 4GB Mushkin Enhanced Silverline Stiletto 2x4GB 1333... 
Hard DriveHard DriveHard DriveHard Drive
Seagate Barracuda 7200.12 1TB Seagate Barracuda 7200.12 500GB Toshiba HDKPC08 3TB Samsung 840 Evo 120GB 
CoolingOSMonitorKeyboard
Corsair Hydro Series H60 Windows 8.1 Professional x64 BenQ G2420HD 24" 1920x1080 IBM Model M2 French Canadian Layout '93 
PowerCaseMouseMouse Pad
Mushkin Enhanced Joule 1000W Modular Antec DF-35 (Modded) Razer Deathadder 3500 DPI Mionix Sargas 900 
  hide details  
Reply
My Gaming Rig
(16 items)
 
  
CPUMotherboardGraphicsRAM
Intel Core i5 2500K @ 4,5GHz - 1.296 volts MSI P67A-GD55 Asus Strix Geforce GTX 970 4GB Mushkin Enhanced Silverline Stiletto 2x4GB 1333... 
Hard DriveHard DriveHard DriveHard Drive
Seagate Barracuda 7200.12 1TB Seagate Barracuda 7200.12 500GB Toshiba HDKPC08 3TB Samsung 840 Evo 120GB 
CoolingOSMonitorKeyboard
Corsair Hydro Series H60 Windows 8.1 Professional x64 BenQ G2420HD 24" 1920x1080 IBM Model M2 French Canadian Layout '93 
PowerCaseMouseMouse Pad
Mushkin Enhanced Joule 1000W Modular Antec DF-35 (Modded) Razer Deathadder 3500 DPI Mionix Sargas 900 
  hide details  
Reply
post #3 of 9
Do we know what program was used to create the document? For now I'll just assume Microsoft Word.

You can see when the document was created by simply right clicking on it and selecting the properties. This will tell you the creation date, last access time and last time modified. This method will apply to all documents.

If it was created using Word you can also look at the metadata. This will allow you to see the same as above, but also when it was last printed, the last person to edit it and the original creator.

The problem with all of these is that they are very easy to falsify. Even if you don't know what you are doing you can Google it, it doesn't take an ounce of technical expertise to do.
Define
(20 items)
 
   
CPUMotherboardGraphicsRAM
Intel Core i7-3770K @ 4.3GHz Gigabyte GA-Z77X-UD5H ASUS GeForce GTX 980 Ti STRIX 6GB @ 1500MHz 2x8GB Kingston HyperX Fury DDR3 @ 2400MHz 
Hard DriveHard DriveCoolingCooling
Samsung 840 Pro 256GB Crucial MX100 512GB Noctua NH-U14S 3x Noctua NF-A14 FLX 
OSMonitorMonitorKeyboard
Windows 10 Pro 64-bit Dell U2713HM Dell U2312HM Ducky Shine 3 Year of the Snake (MX Brown) 
PowerCaseMouseMouse Pad
EVGA SuperNOVA P2 650W Fractal Design Define R5 Black Mionix Naos 7000 SteelSeries QcK 
AudioAudioAudioOther
Sennheiser HD 650 Fostex TH-X00 Ebony Parasound Zdac TP-LINK Archer T9E  
CPUGraphicsRAMHard Drive
Intel Xeon E5-2620 v4 @ 3GHz Matrox G200eH2 4x8GB Kingston Dual Rank ECC DDR4 @ 2133MHz 2x Samsung PM863 120GB in RAID1 
Hard DriveOS
4x WD Red 3TB in RAID5 ESXi 6.5 
  hide details  
Reply
Define
(20 items)
 
   
CPUMotherboardGraphicsRAM
Intel Core i7-3770K @ 4.3GHz Gigabyte GA-Z77X-UD5H ASUS GeForce GTX 980 Ti STRIX 6GB @ 1500MHz 2x8GB Kingston HyperX Fury DDR3 @ 2400MHz 
Hard DriveHard DriveCoolingCooling
Samsung 840 Pro 256GB Crucial MX100 512GB Noctua NH-U14S 3x Noctua NF-A14 FLX 
OSMonitorMonitorKeyboard
Windows 10 Pro 64-bit Dell U2713HM Dell U2312HM Ducky Shine 3 Year of the Snake (MX Brown) 
PowerCaseMouseMouse Pad
EVGA SuperNOVA P2 650W Fractal Design Define R5 Black Mionix Naos 7000 SteelSeries QcK 
AudioAudioAudioOther
Sennheiser HD 650 Fostex TH-X00 Ebony Parasound Zdac TP-LINK Archer T9E  
CPUGraphicsRAMHard Drive
Intel Xeon E5-2620 v4 @ 3GHz Matrox G200eH2 4x8GB Kingston Dual Rank ECC DDR4 @ 2133MHz 2x Samsung PM863 120GB in RAID1 
Hard DriveOS
4x WD Red 3TB in RAID5 ESXi 6.5 
  hide details  
Reply
post #4 of 9
Assuming the original documents are on their computer, and they were created using office or windows products, a simple right click followed by properties should reveal the creation date and last modification date of each file concerned.
X79-GCN
(22 items)
 
  
CPUMotherboardGraphicsRAM
Intel 3930K 4.5GHz HT GIGABYTE GA-X79-UP4 AMD R9-290X GEil Evo Potenza DDR3 2400MHz CL10 (4x4GB) 
Hard DriveCoolingCoolingCooling
Samsung 840 Pro 120GB EK Supremacy (CPU) NF F12's P/P (360 Rad)  NF A14's (420 Rad)  
CoolingCoolingCoolingCooling
XSPC Chrome Compression Fittings EK RES X3 150 Primochill PremoFlex Advanced LRT Clear 1/2 ID EK-FC (R9 290X) 
CoolingCoolingCoolingOS
EK D5 Vario Top-X  Phobya G-Changer V2 360mm Phobya G-Changer V2 420mm Win 10 x64 Pro 
MonitorKeyboardPowerCase
BenQ XR3501 35" Curved Corsair Vengeance K90 Seasonic X-1250 Gold (v2) Corsair 900D 
MouseAudio
Logitech G400s Senn HD 598 
  hide details  
Reply
X79-GCN
(22 items)
 
  
CPUMotherboardGraphicsRAM
Intel 3930K 4.5GHz HT GIGABYTE GA-X79-UP4 AMD R9-290X GEil Evo Potenza DDR3 2400MHz CL10 (4x4GB) 
Hard DriveCoolingCoolingCooling
Samsung 840 Pro 120GB EK Supremacy (CPU) NF F12's P/P (360 Rad)  NF A14's (420 Rad)  
CoolingCoolingCoolingCooling
XSPC Chrome Compression Fittings EK RES X3 150 Primochill PremoFlex Advanced LRT Clear 1/2 ID EK-FC (R9 290X) 
CoolingCoolingCoolingOS
EK D5 Vario Top-X  Phobya G-Changer V2 360mm Phobya G-Changer V2 420mm Win 10 x64 Pro 
MonitorKeyboardPowerCase
BenQ XR3501 35" Curved Corsair Vengeance K90 Seasonic X-1250 Gold (v2) Corsair 900D 
MouseAudio
Logitech G400s Senn HD 598 
  hide details  
Reply
post #5 of 9
Quote:
Originally Posted by Robilar View Post

These guys are straight up crooks and I am assuming that they don't want us to access the PC as there is either no document from the date they state it was created, or there is other incriminating evidence on it.

Crooks? Probably right. There's no reason why you shouldn't allowed to view it yourself. If not you or your wife, then your lawyer (if you have one already) should be allowed to view the evidence. I wouldn't worry about it too much. Whatever so called incriminating evidence they have against your wife should be forthcoming during the discovery phase. That is when both parties open their hand and show each other what they have so that when (and if) this case does go to court, attorneys on both sides can be prepared to present their cases. I have other choice words other than "crook" but I digress.
Quote:
Originally Posted by Robilar View Post

So here are my questions:

My assumption is that the PC's they are using are running either XP or Windows 7. If we do get a subpeona to have a neutral third party examine the computer and we find the document. Is there any way they could have backdated the creation date of the document?

Yes, it is very easy to change the file attributes including the date created.
Quote:
Originally Posted by Robilar View Post

Is there a way to confirm the original creation date?

That is not so easy. If the management rank at this company are dishonest people, they could easily alter the creation date and pin the blame on your wife. How was this document delivered to your wife? Email? Postal mail? hand-delivered? If it was emailed to her, I would be more focused on the digital (email) trail. If the company has an exchange server, there should be a timestamp on when that email was sent - changing the timestamp of an email is possible especially if they have outright control of Exchange server but it is a much more involved process compared to a simple date creation change on a single document. And it most certainly require the cooperation of their internal or external IT staff to make this happen.

What kind of an IT staff do they have at this company? At most companies if they are big enough to run an Exchange server, they are usually of the variety where regular backups & maintenance happens on a regular basis. What I am driving at here is that there may be some IT involvement depending on the size of the company. Most management rank I've supported barely know how to turn on a computer and use Windows. They're not going to be smart enough to know how to change the file attribute without some outside help or the assistance of their IT guy. And if they have an IT guy in-house that's willing to be dishonest and comply with such a request, he's liable for tampering with the evidence and can face some serious legal consequences by doing so. I've worked with a lot of d*ckheads in IT during my career - but most of them would never stoop that low or put their career in jeopardy like that.
Edited by DaChosenOne - 3/12/14 at 5:23pm
post #6 of 9
Thread Starter 
Quote:
Originally Posted by DaChosenOne View Post

Crooks? Probably right. There's no reason why you shouldn't allowed to view it yourself. If not you or your wife, then your lawyer (if you have one already) should be allowed to view the evidence. I wouldn't worry about it too much. Whatever so called incriminating evidence they have against your wife should be forthcoming during the discovery phase. That is when both parties open their hand and show each other what they have so that when (and if) this case does go to court, attorneys on both sides can be prepared to present their cases. I have other choice words other than "crook" but I digress.
Yes, it is very easy to change the file attributes including the date created.
That is not so easy. If the management rank at this company are dishonest people, they could easily alter the creation date and pin the blame on your wife. How was this document delivered to your wife? Email? Postal mail? hand-delivered? If it was emailed to her, I would be more focused on the digital (email) trail. If the company has an exchange server, there should be a timestamp on when that email was sent - changing the timestamp of an email is possible especially if they have outright control of Exchange server but it is a much more involved process compared to a simple date creation change on a single document. And it most certainly require the cooperation of their internal or external IT staff to make this happen.

What kind of an IT staff do they have at this company? At most companies if they are big enough to run an Exchange server, they are usually of the variety where regular backups & maintenance happens on a regular basis. What I am driving at here is that there may be some IT involvement depending on the size of the company. Most management rank I've supported barely know how to turn on a computer and use Windows. They're not going to be smart enough to know how to change the file attribute without some outside help or the assistance of their IT guy. And if they have an IT guy in-house that's willing to be dishonest and comply with such a request, he's liable for tampering with the evidence and can face some serious legal consequences by doing so. I've worked with a lot of d*ckheads in IT during my career - but most of them would never stoop that low or put their career in jeopardy like that.

They state the document was hand delivered to someone at her business (they are the landlords). They cannot produce the person that supposedly delivered nor can they produce a signature on delivery.

They stated they created and delivered the document on a specific date. My wife never received it (nor did any of her employees). Our lawyer suggested that if they stipulate that the document was created and delivered then show us the document on the PC and the date is was created.

They simply indicated no as to our request to see the file. We have already passed the discovery. The next step will be responses to their refusals. They will likely cite confidentiality or security issues with us accessing it. We can counter that by using a neutral third party.

My concern is that if they falsified the document creation date (as so far they have lied about many things...) they may suddenly be willing to show it in an effort to provide credibility.

They are a fairly large company run by a family. They definitely have a dedicated IT guy (I met him once). I can almost guarantee he will lie for them if he thinks he can get away with it. They already fired two people that provided sworn statements that benefit us.

I don't want to go down this path if it will hurt us.
Murder Box II
(18 items)
 
Home PC
(15 items)
 
 
CPUMotherboardGraphicsRAM
Intel 6800K Asus X99-A II Zotac 1080Ti AMP Extreme Edition G. Skill Trident Z - 32GB/ 3200Hz/CL14/Quad  
Hard DriveCoolingOSMonitor
Sandisk Extreme Pro 480GB Corsair H100i V2 - w/ML120 Pro Fans Windows 10 Home 64 Bit Acer Z35P 1440P G-Sync 
KeyboardPowerCaseMouse
Steelseries Merc  EVGA Supernova G2 1000W Corsair 450D Mionix Naos 8200 
Mouse PadAudioAudioOther
Inwin Batmat Aluminum Sound Blaster Z Logitech Z906 - 5.1 Maxnomic Commander S-III Gaming Chair 
CPUMotherboardGraphicsRAM
Intel G3440 Asus B85M-E/CSM EVGA GTX 950 Patriot Viper 3 - 2x8GB 1600hz 
Hard DriveOptical DriveCoolingOS
Samsung EVO 850 - 500GB + 4TB/3TB x 2/2TB WD Green LG CH12LS28 Bluray Scythe Big Shuriken 2 w/Corsair SP120 Fan Windows 10 64 Bit 
MonitorKeyboardPowerCase
Samsung 75" TV.... GooBang Doo MX3 Corsair CX430 V2 NMEDIAPC HTPC 6000B w/ Pro LCD Module 
Mouse
GooBang Doo MX3 
  hide details  
Reply
Murder Box II
(18 items)
 
Home PC
(15 items)
 
 
CPUMotherboardGraphicsRAM
Intel 6800K Asus X99-A II Zotac 1080Ti AMP Extreme Edition G. Skill Trident Z - 32GB/ 3200Hz/CL14/Quad  
Hard DriveCoolingOSMonitor
Sandisk Extreme Pro 480GB Corsair H100i V2 - w/ML120 Pro Fans Windows 10 Home 64 Bit Acer Z35P 1440P G-Sync 
KeyboardPowerCaseMouse
Steelseries Merc  EVGA Supernova G2 1000W Corsair 450D Mionix Naos 8200 
Mouse PadAudioAudioOther
Inwin Batmat Aluminum Sound Blaster Z Logitech Z906 - 5.1 Maxnomic Commander S-III Gaming Chair 
CPUMotherboardGraphicsRAM
Intel G3440 Asus B85M-E/CSM EVGA GTX 950 Patriot Viper 3 - 2x8GB 1600hz 
Hard DriveOptical DriveCoolingOS
Samsung EVO 850 - 500GB + 4TB/3TB x 2/2TB WD Green LG CH12LS28 Bluray Scythe Big Shuriken 2 w/Corsair SP120 Fan Windows 10 64 Bit 
MonitorKeyboardPowerCase
Samsung 75" TV.... GooBang Doo MX3 Corsair CX430 V2 NMEDIAPC HTPC 6000B w/ Pro LCD Module 
Mouse
GooBang Doo MX3 
  hide details  
Reply
post #7 of 9
Quote:
Originally Posted by Robilar View Post

They state the document was hand delivered to someone at her business (they are the landlords). They cannot produce the person that supposedly delivered nor can they produce a signature on delivery.

They stated they created and delivered the document on a specific date. My wife never received it (nor did any of her employees). Our lawyer suggested that if they stipulate that the document was created and delivered then show us the document on the PC and the date is was created.

They simply indicated no as to our request to see the file. We have already passed the discovery. The next step will be responses to their refusals. They will likely cite confidentiality or security issues with us accessing it. We can counter that by using a neutral third party.

My concern is that if they falsified the document creation date (as so far they have lied about many things...) they may suddenly be willing to show it in an effort to provide credibility.

They are a fairly large company run by a family. They definitely have a dedicated IT guy (I met him once). I can almost guarantee he will lie for them if he thinks he can get away with it. They already fired two people that provided sworn statements that benefit us.

I don't want to go down this path if it will hurt us.

I shake my head in disbelief that we still have crap like this going on this country. Wow - these guys are true scumbags. Sorry but if they've already fired two employees just because they didn't tote the line and "just go along" with the story, then I have no other words for people like that.

If you're already past the discovery phase and they are still refusing to let you see the evidence, you & your attorney should hire a good IT forensics specialist that is experienced in handling cases like this where someone has intentionally altered files. Again I'm not an expert in this area, but I think it would be somewhat difficult to prove that the landlords have altered the date creation attribute. One idea that comes to me is viewing the tape backups of the servers. In my last 2 IT jobs, there was a guy that was in charge of making regular backups of the files stored on our server. So if your attorney is somehow able to compare the version of the file that's on the backup take versus the file that's been tampered with, that would be your greatest chance to prove that the document has been altered. Of course the challenge is A) if such a backup exists and B) how to get the opposing side to produce such evidence when they are stonewalling you about letting you see the original document.

As far as I see it, there are some holes in their case. First of all, if their claim about the document being hand delivered to one of the company employees is true, they should be able to produce the person's name, (atleast the person's first name) and the approximate date/time this hand-off occurred. They can't even come up with the person's signature to confirm that this hand-off ever occurred. Pathetic - I really hope you win. In fact, if you do win, i hope you countersue them for wasting your time & the courts time for bringing such a lame case to trial in the first place. I really do hope you have a sharp laywer on your side.
post #8 of 9
Quote:
Originally Posted by DaChosenOne View Post

Warning: Spoiler! (Click to show)
I shake my head in disbelief that we still have crap like this going on this country. Wow - these guys are true scumbags. Sorry but if they've already fired two employees just because they didn't tote the line and "just go along" with the story, then I have no other words for people like that.

If you're already past the discovery phase and they are still refusing to let you see the evidence, you & your attorney should hire a good IT forensics specialist that is experienced in handling cases like this where someone has intentionally altered files. Again I'm not an expert in this area, but I think it would be somewhat difficult to prove that the landlords have altered the date creation attribute. One idea that comes to me is viewing the tape backups of the servers. In my last 2 IT jobs, there was a guy that was in charge of making regular backups of the files stored on our server. So if your attorney is somehow able to compare the version of the file that's on the backup take versus the file that's been tampered with, that would be your greatest chance to prove that the document has been altered. Of course the challenge is A) if such a backup exists and B) how to get the opposing side to produce such evidence when they are stonewalling you about letting you see the original document.

Warning: Spoiler! (Click to show)
As far as I see it, there are some holes in their case. First of all, if their claim about the document being hand delivered to one of the company employees is true, they should be able to produce the person's name, (atleast the person's first name) and the approximate date/time this hand-off occurred. They can't even come up with the person's signature to confirm that this hand-off ever occurred. Pathetic - I really hope you win. In fact, if you do win, i hope you countersue them for wasting your time & the courts time for bringing such a lame case to trial in the first place. I really do hope you have a sharp laywer on your side.

Pretty much all that. If they deny access to the evidence (digital document) and cannot produce any other proof then that document reached your wife then the date is irrelevant for both you and them. Even if they printed it and can show evidence they did print it still should not matter if they cannot put it in your wife's hand.

I do want to point out that unless you are granted full access to the computers, backups, and etc.. that hiring an expert witness will likely not be beneficial. As many have pointed out it is easy to backdate a digital document, but I know in court just because it could be done that is not grounds to say they did. I am not familiar with Canadian law but I'd say the digital copy is hearsay and inadmissible anyways, because it is just as easy to prove that it was made and printed on a certain date as it is to disprove it. The paper copy however is not so without it I doubt they could use the date from it as any any sort of evidence, the content perhaps though. Your lawyer could even go the best evidence route given that a paper copy should exist and therefore the electronic version is hearsay because it is not the best evidence and not an acceptable duplicate.

Check out ediscoverylaw.com for some general information. I'm not a lawyer but I give a lot of expert witness testimony on some very different matters. I can only say what I usually see happen in those instances.
Red-Scout
(18 items)
 
Asus G53SX-TH71
(12 items)
 
Big Blue
(12 items)
 
CPUMotherboardGraphicsGraphics
AMD 8320 FX Asus Crosshair V Twin Frozr 6950 Twin Frozr 6950 
RAMHard DriveHard DriveHard Drive
Corsair Vengence Red Crucial M4 Western Digital Raptor 300gb Western Digital 1 TB Black 
Optical DriveCoolingOSMonitor
LG Blu-ray Corsair H80 Windows 7 Professional Asus VE248H x3 
KeyboardPowerCaseMouse
Logitech MX 5500 Revolution Black Thermaltake TR2 RX 750w CoolerMaster Storm Scout MX Revolution Cordless Laser Mouse 
AudioAudio
Logitech X-540 5.1 System Creative Sound Blaster X-Fi Titanium Fatal1ty 
CPUMotherboardGraphicsRAM
Intel Core i7 2670QM G53SX NVIDIA GeForce GTX 560M Samsung  
RAMRAMRAMHard Drive
Corsair  Samsung  Corsair  Corsair Force GT3 
Hard DriveOptical DriveOSMonitor
Hitachi Blu-Ray Drive Windows 7 Professional 15.4" 1080p 
CPUMotherboardGraphicsRAM
AMD FX 8120 Asus M5A99FX Pro R2.0 MSI Windforce 6850 Kingston Hyper-Blue 16Gb 
Hard DriveHard DriveHard DriveCooling
3x Seagate Barracuda 3Tb OCZ Agility 2 64Gb 3x OCZ Vertex 2 Plus 32 Gb Cooler Master Seidon 120mm 
OSOSPowerCase
Windows Server 2012 Standard VMs (Server 2012, Windows 7, Windows 8, Ubuntu,... PC Power and Cooling 500w Silencer NXZT Switch 810 
  hide details  
Reply
Red-Scout
(18 items)
 
Asus G53SX-TH71
(12 items)
 
Big Blue
(12 items)
 
CPUMotherboardGraphicsGraphics
AMD 8320 FX Asus Crosshair V Twin Frozr 6950 Twin Frozr 6950 
RAMHard DriveHard DriveHard Drive
Corsair Vengence Red Crucial M4 Western Digital Raptor 300gb Western Digital 1 TB Black 
Optical DriveCoolingOSMonitor
LG Blu-ray Corsair H80 Windows 7 Professional Asus VE248H x3 
KeyboardPowerCaseMouse
Logitech MX 5500 Revolution Black Thermaltake TR2 RX 750w CoolerMaster Storm Scout MX Revolution Cordless Laser Mouse 
AudioAudio
Logitech X-540 5.1 System Creative Sound Blaster X-Fi Titanium Fatal1ty 
CPUMotherboardGraphicsRAM
Intel Core i7 2670QM G53SX NVIDIA GeForce GTX 560M Samsung  
RAMRAMRAMHard Drive
Corsair  Samsung  Corsair  Corsair Force GT3 
Hard DriveOptical DriveOSMonitor
Hitachi Blu-Ray Drive Windows 7 Professional 15.4" 1080p 
CPUMotherboardGraphicsRAM
AMD FX 8120 Asus M5A99FX Pro R2.0 MSI Windforce 6850 Kingston Hyper-Blue 16Gb 
Hard DriveHard DriveHard DriveCooling
3x Seagate Barracuda 3Tb OCZ Agility 2 64Gb 3x OCZ Vertex 2 Plus 32 Gb Cooler Master Seidon 120mm 
OSOSPowerCase
Windows Server 2012 Standard VMs (Server 2012, Windows 7, Windows 8, Ubuntu,... PC Power and Cooling 500w Silencer NXZT Switch 810 
  hide details  
Reply
post #9 of 9
Quote:
Originally Posted by Robilar View Post

So here are my questions:
  1. My assumption is that the PC's they are using are running either XP or Windows 7. If we do get a subpeona to have a neutral third party examine the computer and we find the document. Is there any way they could have backdated the creation date of the document?
  2. Is there a way to confirm the original creation date? If they rolled back the time and date on the computer to create the document would this matter?
  3. What type of expert should I look for that could verify this kind of info?
  4. More importantly, before we go to the trouble and expense of hiring someone (as I am fairly certain we can have the judge force them to allow access to a neutral third party) is there definitely a way that we can confirm the date?

  1. Yes, it is easy to change all three file dates directly without needing to change the clock by using the SetFileTime API.
  2. Not if all the evidence has been tampered with.  If they rolled back the time, there would be a time change event showing the old time and the new time in the system event log; and yes, it would matter, since the phony time will be written to the file's Last Modified date if they save the document.  The Created date would remain unchanged, though.
  3. Forensic analyst.
  4. Not if all the evidence has been tampered with, although that would be quite hard to do.


    I have a list of places to look that I have PM'd you.
 
Edited by Techie007 - 3/13/14 at 7:38am
My desktop PC
(14 items)
 
  
CPUMotherboardGraphicsRAM
Intel Core i7-3770K Gigabyte P67A-D3-B3 NVIDIA GeForce 8400 GS  1x Corsair 8 GB 
Hard DriveHard DriveHard DriveOS
Kingston SV300S3 WesternDigital WD10EZEX Samsung HD154UI Windows 7 Ultimate SP1 x64 
MonitorMonitorKeyboardPower
Daewoo L947BK Gateway FPD1530 HTK-2001 Dynex DX-400WPS 
MouseAudio
Kensington K72400 Realtek ALC889 
  hide details  
Reply
My desktop PC
(14 items)
 
  
CPUMotherboardGraphicsRAM
Intel Core i7-3770K Gigabyte P67A-D3-B3 NVIDIA GeForce 8400 GS  1x Corsair 8 GB 
Hard DriveHard DriveHard DriveOS
Kingston SV300S3 WesternDigital WD10EZEX Samsung HD154UI Windows 7 Ultimate SP1 x64 
MonitorMonitorKeyboardPower
Daewoo L947BK Gateway FPD1530 HTK-2001 Dynex DX-400WPS 
MouseAudio
Kensington K72400 Realtek ALC889 
  hide details  
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Windows
Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Windows › Time stamps on created documents