Some files have incorrect MFT Entry Modified Time (Trivia?)
Sun, 2011/04/03 - 21:01 — kazamiyaRecently, I realized that some files don't have Entry Modified Time in EnCase when I was examining Windows 7 image.
In this example, highlighted jquery[1].js is located in "Temporary Internet Files" Folder. It's unusual and I looked over the corresponding MFT Entry(Record) in Hex view.
It's true that MFT Entry Modified timestamp in $SIA indicates improper value, "04 01 00 00 6D 00 00 00". The rest of timestamps including $FNA are valid. In this example, these are "38 79 7E BF 0E E7 CB 01" or "0A 78 1D C0 0E E7 CB 01", indicate "2011/03/20 23:54:43" or "2011/03/20 23:54:44" respectively.
For confirmation, I run fte for jquery[1].js.
In the result, fte reports ctime is 1601/01/01 22:00:15(LOCAL). I think Date/Time conversion work properly, but this is unmeaning information as actual Date/Time.
As far as I examine, this behavior occurs the following conditions.
- Windows Vista/2008/7 both x86 and x84 (Not XP/2003)
- Files under "%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files" folder
It seems invalid 8 byte data is unpredictable. Many of data are "04 01 00 00 ?? 00 00 00", "??" indicates incremental counter. But some data doesn't match this rule, so sometimes fte reports implausible Date/Time like "6498/11/08 08:44:45...". Complicating matters, some files in TIF folder have valid Entry Modified Time.
After all I couldn't identify cause, for now I think we should treat Entry Modified Time the same as other timestamps because they are usually have the same value including $FNA's timestamp.
