META data thoughts
The Data Hero
What are you thoughts on these dates: [IMG]http://i469.photobucket.com/
albums/rr52/Cooopers/Ev22.jpg[/IMG]
Created: Yesterday 16 Dec 2009
Modified: Monday 26 Oct 2009
Accessed: Today 17 Dec 2009
This file is on a shared network so I believe the following has taken
place.
I believe the file was in fact created on the original PC on Monday 26
Oct
It was then first accessed on a different PC within the network on 16
Dec
The file was then again looked at on the 17 Dec and the screen shot
was also taken on this day.
Can accessing data on a shared network corrupt the META data? Would I
see something different if I were to look at this META data from
another PC on the network.
Basically the person I'm helping corrupted the META data by looking at
every file we are intersted in.
Thanks!
The Data Hero
http://i469.photobucket.com/albums/rr52/Cooopers/Ev22.jpg
Chuck Snipes
Charles Snipes
CTO, CDS Ventures, LLC
http://www.allceus.com
http://www.datatriangle.com
Bachelor of Science, Regent's College
Certified Computer Examiner
Certified Data Recovery Professional
--
You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To post to this group, send email to datarecovery...@googlegroups.com.
To unsubscribe from this group, send email to datarecoverycertif...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/datarecoverycertification?hl=en.
The Data Hero
reply. I got some info today that shed a massive amount of light on
this one.
The manager of this employee requested that the administrators grant
access to his H drive so we could review the meta data that MS
provides about a file. Turns out that the administrator cut and paste
all the docs into a new location and supplied a link to the manager to
look at. As soon as they did this they corrupted the meta data and
that's what was driving me crazy. I was starting to think that viewing
files on a shared environment could cause corrupt meta data, turns out
it was corrupt but not why I though it was.
problem solved, thanks again my friend :)
On Jan 25, 6:16 am, Chuck Snipes <ch...@datatriangle.com> wrote:
> I don't think I would use the word "corrupted." The metadata you are
> referring to are the modified-accessed-created (MAC) times maintained by the
> file system driver. At least that is what they appear to be... unless you
> are truly referring to metadata *within* a file such as Microsoft Word
> documents (author, editing time, company etc).
>
> If you were relying on the files to be untouched to determine which files
> are to be "backed up" or for "forensics review" then they may be corrupted
> from your point of view. The pattern you are seeing is normal for date and
> time stamps, however.
>
> When you create a file on one volume/ device/ partition, then move it to
> another; you get a created time AFTER a modified time. It shows the file
> was most probably created on another volume/ device/ partition, then moved
> to the volume you are seeing it on. I say "probably" because time stamps
> can be altered by software.
>
> The access time after the created tells you that an individual or possibly a
> process accessed the file after it was created. For instance, some
> anti-virus programs change the access time as the scan files on the
> computer.
>
> If I am missing your point in some manner about you saying it is corrupted
> on the network, I apologize.
>
> Charles Snipes
> CTO, CDS Ventures, LLChttp://www.allceus.comhttp://www.datatriangle.com
> > datarecoverycertif...@googlegroups.com<datarecoverycertification%2Bunsu...@googlegroups.com>
> > .
> > For more options, visit this group at
> >http://groups.google.com/group/datarecoverycertification?hl=en.- Hide quoted text -
>
> - Show quoted text -