Home  |  Site Map  |  Contact Us  |  Log In
Please contact us for your electronic discovery, computer forensics or cybersecurity needs at (866) DIG-DOCS or info@digitalmountain.com

Articles

Expand your knowledge of electronic discovery, computer forensics and cybersecurity to make the most optimal decisions for your organization

An Attorney's Brief Guide to Dating (Computer File Dating That Is) by Troy Larson

What could be more trustworthy than the date of a file? From the early days of DOS to the graphical file management programs of the present, computers have displayed file dates with apparent certainty down to the minute. Surely, attorneys can rely on computer dates, can't they?

The unpleasant truth is that computer date stamps can be unreliable. The problem begins with computer clocks, whose accuracy depends on both a battery life and on its accurate setting in the first place. For example, computer dates can be easily altered by someone with access to the computer. Computer systems typically maintain more than one kind of date stamp, and different computer systems utilize different methods for updating date stamps. Attorneys would be well advised to understand the ways of computer file dating.

The main operating systems in use today, and their respective file systems, record three basic types of date stamps with respect to file related activity. These are the last modified (or written) date, last accessed date and file creation date (also referred to as MAC or Modified Accessed Created dates for the first initial of each kind of date stamp). For the most part, the specific activities that trigger, or update, a particular type of date stamp are intuitively easy to grasp. The devil is in the details, however. Different types of file activities set or update the different date stamps (which is why there is nothing necessarily wrong with a file whose last modified date is older than its creation date as discussed in more detail below).

A file's last modified date refers to the date and time that a file is last written to. Typically, a file is modified or written to when a user opens and then saves a file, regardless of whether any data is changed or added to the file. A very common exception to this general rule occurs in software development, where the modification dates of all the files related to a project might be set to the same date and time. This is done to make it easier to track the build or version of a set of files. With respect to files created by a computer user, however, the last modified date will generally indicate the last date and time that a file was saved.

The last access date stamp refers to just about any activity that a user or even the computer system itself might do to a file. Anything that might update a file's last modified or creation dates, for instance, will generally also update the last access date. In addition, the last access date will change when a file is printed, moved, copied or merely viewed (that is, opened but not saved). Antivirus, backup and other system maintenance applications will typically update file last access dates when they run. Since so many activities can update last access dates, last access date stamps can be very useful in determining the recent history of a computer system.

Creation dates do not necessarily reflect when a file was actually created. Rather, creation date stamps indicate when a file came to exist on a particular storage medium, such as a hard drive. Creation dates can thus indicate when a user or computer process created a file. However, they can also reflect the date and time that a file was copied onto a particular storage medium. Because of the later characteristic of creation dates, it is not uncommon for files that have been copied or moved to have modification dates older than their creation dates?that is, to have last modified dates that appear to predate the existence of the file. Where a file has been copied or moved (or downloaded), its ?creation date? actually indicates the later act of copying rather than the date the file originally came into existence.

Computers do not directly record metadata for a file when deleted. Consequently, it is generally not possible to state when, exactly, a file was deleted. The last access date, which is generally the most recent date record for a file, can show that a file existed on a certain date, but nothing after that date. The Windows Recycle Bin can allow some determination of when files where deleted, but only if the files are deleted to the Recycle Bin. As a result, attorneys should be skeptical of statements regarding the date of file deletions.

Another factor an attorney should take into account is that some applications store additional date and time information inside their data files. Microsoft Word and Excel are cases in point. Sometimes these date stamps can differ from similar dates stored by the file system. Application stored dates can also reflect additional information, such as when a file may have been printed. It is important to note that the dates applications may store in their data files will generally only reflect the information that existed at the last time the file was saved or written to. The application-specific dates may not show date information pertaining to moving, copying or viewing a file.

Not all systems handle date information the same. For example, Windows NT and its successors record a date and a time for each date stamp. Windows 95, 98 and Me, record all the MAC dates, but only creation and last modification times. The file date stamps of Windows NT and its successors will in part reflect the date of the computer used to view the file date stamps; that is, file date stamps are time zone sensitive. This means that files created on the West Coast will show different times and dates when reviewed on the East coast. Thus, attorneys should always note the time zone from which files originate. Files transferred on CD will typically have creation dates reflecting the date and time that the files were written to the CD.

There are steps that attorneys can take to address the questionable reliability of file date stamps. In addition to noting the originating time zone, attorneys should also take note of the date and time of the system clocks of the computers from which the files originated. Though there is no certainty that a system clock has been accurate over time, the time difference that exists when the files are taken from the computer or examined can help to explain any date or time disparities involving the file date stamps.

Attorneys should also always be attentive to identifying corroborating date and time evidence existing either between the files or between the files and other facts in the case. For example, if there are several files with dates within a close proximity to one another, a strong argument can be made the files were at least last modified, created or accessed at about the same time regardless of time zones or the inaccuracies of the system clock. Likewise, demonstrating a correlation between date or time intervals, as shown by file date stamps, and events external to the computer, such as vacations or weekends, can help to support or refute file date stamps.

Computer file date stamps can prove critical in legal proceedings, but attorneys should not always take them at face value. Computer date stamps do not speak for themselves. With proper planning and research, however, date stamps can be corroborated or challenged in almost any dispute. Attorneys should therefore always be prepared to support or offer proof regarding the file date stamps they rely upon.

An Attorney's Brief Guide to Dating (Computer File Dating That Is) by Troy Larson
Copyright © 2003-2017 Digital Mountain, Inc. All rights reserved. Privacy Policy.