    David et al,

    OSForensics has been critical in my analysis on a specific case - thank you very much!

    One quick question regarding the attached picture of evidence I am analyzing using OSForensics:

    The PDF file I am analyzing was first extracted from a RAR file using OSForensics to my forensic workstation.

    Then, I opened the extracted PDF file using OSForensics' File Viewer and see that the "Modified" value has a new appended date, "[Attributed Modified: Friday, February 1, 2019, 18:32:12.6021261]".

    What is the "Attribute Modified" value's meaning, at least according to OSForensics? The PDF file's Modified value is "June 3, 2013, 11:11:03.3518289", which matches the original evidence's Modified date.

    ** Is the "Attribute Modified" value OSForensics' method of showing that the original Modified value was "modified" to the 02/01/2019 value by virtue of extracting this file from OSForensics?

  • #2
    The Attribute Modified date and time is the date that the file's attributes were modified (e.g. MFT Modified Date).

    But yes, when extracting a file from a ZIP or RAR file to the local file system the file dates and time are updated to the current time. Maybe it makes more sense that we try and preserve whatever dates are available from the compressed archive? Some file formats (like tar.gz) don't store dates however. So maybe the dates from the container file could be used. But this might also be misleading.

    If you want to see the real dates, then they can be seen in OSF's internal file viewer (before extraction of the compressed files).

    While testing this we also noticed that OSF isn't supporting the newer RAR5 format. So we'll add this to the 'To Do' list for OSF V7.
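The behaviour described in the reply above, shown with Python's standard zipfile module rather than OSForensics (this is an added example, not code from OSForensics or from either poster). A member is written into a constructed in-memory ZIP with a 2013 modification time, then extracted twice: once as-is, where the extracted file's modification time becomes the extraction time, and once with the archive's stored timestamp reapplied via os.utime. The basic ZIP local header carries only one DOS-format modification time (2-second resolution), so even the "preserving" path can restore the content-modified value but nothing like an MFT entry-modified or created time. The archive name, member name and 2013 timestamp are all constructed sample values.

```python
import os
import tempfile
import time
import zipfile
from datetime import datetime

# Constructed sample values (hypothetical, not from any real case).
ARCHIVE_MEMBER = "evidence.pdf"
ARCHIVE_MTIME = (2013, 6, 3, 11, 11, 2)  # year, month, day, hour, minute, second


def build_sample_archive(path):
    """Write a one-member ZIP whose member carries the 2013 archive timestamp."""
    info = zipfile.ZipInfo(ARCHIVE_MEMBER, date_time=ARCHIVE_MTIME)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(info, b"%PDF-1.4 constructed sample content\n")


def extract_member(archive_path, dest_dir, preserve_archive_time):
    """Extract the member and return the extracted file's mtime (epoch seconds).

    zipfile.extract() writes the bytes only; the new file's timestamps are
    whatever the local file system assigns at extraction time.  When
    preserve_archive_time is set, the archive's stored date_time is converted
    from a local-time tuple to epoch seconds and reapplied with os.utime.
    """
    with zipfile.ZipFile(archive_path) as zf:
        out_path = zf.extract(ARCHIVE_MEMBER, dest_dir)
        info = zf.getinfo(ARCHIVE_MEMBER)
    if preserve_archive_time:
        stamp = time.mktime(datetime(*info.date_time).timetuple())
        os.utime(out_path, (stamp, stamp))
    return os.stat(out_path).st_mtime


def demo():
    """Return (naive_extraction_mtime_is_recent, preserved_mtime_as_iso_string)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "sample.zip")
        build_sample_archive(archive)
        naive_mtime = extract_member(archive, os.path.join(tmp, "naive"), False)
        kept_mtime = extract_member(archive, os.path.join(tmp, "kept"), True)
    naive_is_recent = abs(time.time() - naive_mtime) < 60
    preserved_iso = datetime.fromtimestamp(kept_mtime).isoformat(timespec="seconds")
    return naive_is_recent, preserved_iso


if __name__ == "__main__":
    recent, preserved = demo()
    print("naive extraction mtime is 'now':", recent)
    print("timestamp-preserving extraction mtime:", preserved)
```

Run as a script it prints True for the naive extraction (the file looks freshly modified, which is what the original question observed) and 2013-06-03T11:11:02 for the preserving one. For an examination, the safer reading is the one the reply gives: treat dates on extracted copies as artefacts of the extraction and take the real values from the archive member record or the original evidence.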