
πŸ“ Analyzing File Properties in Digital Forensics – Windows Example

🎯 Objective:

Understand how File Properties such as:

  • Creation Time

  • Modification Time

  • Access Time

affect digital forensic evidence analysis, especially in a Windows environment.


🧰 The Properties Tool in Windows

  • Right-click a file → Properties. You can view:

  • Created: When the file was originally created

  • Modified: When it was last edited

  • Accessed: The last time the file was opened

πŸ“ Example:\ An image was created on July 6 at 3:45 PM and was modified and accessed at the same time.


🧪 Practical Experiment:

  1. Open an image using Paint

  2. Make a simple edit (e.g., draw a line)

  3. Save the image under a new name (copy)

  4. Compare the original and modified copies:

    • The modified file loses most of its metadata

    • The original image retains all EXIF data:

      • Phone type

      • Actual capture date

      • Camera settings

      • Software used to take the photo

⚠️ The modified copy is unreliable as digital evidence in court.


πŸ” Difference Between Regular Copy and Modified Copy

| Action | Metadata | Forensic Validity |
|---|---|---|
| Direct copy (copy-paste) | Metadata is preserved | ✅ Acceptable |
| Edited in programs like Paint and saved | EXIF metadata is lost | ❌ Not acceptable as evidence |
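To make the experiment above and the copy-versus-edit table concrete, here is an added example (written for this page; it is not code from the original author and not from any forensic tool). It builds a constructed JPEG that has a valid Exif APP1 segment but no picture data, reads the Make / Model / Software / DateTime tags back with a minimal TIFF IFD parser, and then compares what survives a byte-for-byte copy against what survives an editor-style re-save. The re-save is modelled as "drop every APPn segment", which is the effect the page describes for Paint; the tag values and the date are constructed fixtures.

```python
import struct

# Standard TIFF/EXIF tag ids for the fields the page lists
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

# Constructed sample values; not taken from any real device
SAMPLE_TAGS = {
    0x010F: "ConstructedPhone",
    0x0110: "X1",                   # short enough to sit inline in the 4-byte value field
    0x0131: "CamApp 1.0",
    0x0132: "2025:07:06 15:45:00",  # EXIF DateTime form of the page's July 6, 3:45 PM example
}


def build_exif_jpeg(tags):
    """Constructed JPEG: SOI + APP1 (Exif, big-endian TIFF, one IFD of ASCII tags) + EOI."""
    n = len(tags)
    entries, blob = [], b""
    data_start = 8 + 2 + 12 * n + 4           # TIFF header + entry count + entries + next-IFD pointer
    for tag, text in sorted(tags.items()):
        val = text.encode("ascii") + b"\x00"  # ASCII (type 2) values are NUL-terminated
        if len(val) <= 4:                     # fits in the value field itself
            entries.append(struct.pack(">HHI4s", tag, 2, len(val), val.ljust(4, b"\x00")))
        else:                                 # otherwise the field is an offset from the TIFF header
            entries.append(struct.pack(">HHII", tag, 2, len(val), data_start + len(blob)))
            blob += val
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", n)
            + b"".join(entries) + struct.pack(">I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def split_jpeg(data):
    """Walk the marker segments before the scan; return ([(marker, payload)...], tail from SOS/EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):            # SOS (picture data follows) or EOI
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def read_exif(data):
    """Decode IFD0 ASCII tags from the first Exif APP1 segment; {} when there is none."""
    for marker, payload in split_jpeg(data)[0]:
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
            raise ValueError("bad TIFF header in APP1")
        ifd = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
        found = {}
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
            tag, typ, cnt = struct.unpack(endian + "HHI", entry[:8])
            if typ != 2:                      # only ASCII tags are decoded in this example
                continue
            if cnt <= 4:
                raw = entry[8:8 + cnt]
            else:
                off = struct.unpack(endian + "I", entry[8:12])[0]
                raw = tiff[off:off + cnt]
            found[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("ascii", "replace")
        return found
    return {}


def direct_copy(data):
    """Ctrl+C / Ctrl+V: the file content is reproduced byte for byte."""
    return bytes(data)


def editor_resave(data):
    """Model an editor re-save: the picture is re-encoded and the APPn metadata segments are dropped."""
    segments, tail = split_jpeg(data)
    out = b"\xff\xd8"
    for marker, payload in segments:
        if 0xE0 <= marker <= 0xEF:            # APP0..APP15 (Exif lives in APP1)
            continue
        out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return out + tail


def lost_tags(original, candidate):
    """Names of EXIF tags present in the original but absent from the candidate file."""
    return set(read_exif(original)) - set(read_exif(candidate))


if __name__ == "__main__":
    jpg = build_exif_jpeg(SAMPLE_TAGS)
    print("original EXIF:", read_exif(jpg))
    print("lost by direct copy:", lost_tags(jpg, direct_copy(jpg)))
    print("lost by editor re-save:", lost_tags(jpg, editor_resave(jpg)))
```

`read_exif` can be pointed at a real JPEG as well (`read_exif(open(path, "rb").read())`), since it stops at the SOS marker and never touches picture data; it only decodes ASCII tags in IFD0, so camera settings stored in the Exif sub-IFD are out of scope for this example.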

βš–οΈ Why This Matters in Court:

  • When a file is edited or opened with editing software (e.g., Paint, Photoshop):

    • System times are altered

    • Original metadata is lost

    • Important info like camera type and location is removed

✅ Therefore, it’s essential to rely on the unaltered original file and analyze it directly.


🧠 Understanding “By Default Copy” in Windows:

  • If you copy a file using Ctrl+C → Ctrl+V, in most cases:

  • Metadata is not changed

  • The system block structure remains intact

⚠️ However, at the physical storage level:

  • The new file is stored in a different location on the disk

  • Block allocation and file pointer change

So:

  • From a surface level, the copy appears identical

  • But from a physical forensic perspective (e.g., forensic imaging), the file is considered different
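The Properties fields described earlier and the copy behaviour described in this section can be checked from a script. The example below is added for this page (not the original author's code): it reads the Created / Modified / Accessed times that the Properties dialog shows, gives a constructed original the page's July 6, 3:45 PM time, copies it with `shutil.copy2` (which carries Modified and Accessed over, the way a copy-paste keeps Modified), and then reports which fields survived and whether the copy is the same on-disk object. Caveat for examiners: the copy is a new file, so its Created time is the moment of copying, and on Linux Python's `st_ctime` is the inode change time rather than a creation time.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone

# The page's example capture time (July 6, 3:45 PM), used here as a constructed fixture
PHOTO_TAKEN = datetime(2025, 7, 6, 15, 45, tzinfo=timezone.utc)


def mac_times(path):
    """The three Properties fields, as nanoseconds since the epoch."""
    st = os.stat(path)
    # Creation time: st_birthtime_ns where the platform reports it (Windows on
    # Python 3.12+, macOS/BSD). The fallback st_ctime_ns is the creation time on
    # older Python-on-Windows but the inode *change* time on Linux.
    created = getattr(st, "st_birthtime_ns", None)
    if created is None:
        created = st.st_ctime_ns
    return {"created": created, "modified": st.st_mtime_ns, "accessed": st.st_atime_ns}


def show(ns):
    """Format a nanosecond timestamp the way an examiner would note it (UTC)."""
    return datetime.fromtimestamp(ns / 1e9, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def compare_copy(original, copy):
    """Which Properties fields survived the copy, and whether it is the same on-disk object."""
    a, b = mac_times(original), mac_times(copy)
    preserved = {field for field in a if a[field] == b[field]}
    return {
        "preserved": preserved,
        "changed": set(a) - preserved,
        # samefile compares device+inode (file id on Windows): a copy is a new object
        "same_object": os.path.samefile(original, copy),
    }


def demo():
    """Constructed original with an old Modified time, copied the way Ctrl+C/Ctrl+V copies."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "photo_original.jpg")
        with open(src, "wb") as f:
            f.write(b"constructed placeholder bytes, not a real picture")
        taken_ns = int(PHOTO_TAKEN.timestamp()) * 10**9
        os.utime(src, ns=(taken_ns, taken_ns))   # Accessed and Modified = capture time
        dst = os.path.join(d, "photo_copy.jpg")
        # shutil.copy2 carries Modified/Accessed over to the new file, as the
        # Windows shell does for Modified; the copy is nevertheless a new object
        # whose Created time is the moment of copying.
        shutil.copy2(src, dst)
        result = compare_copy(src, dst)
        result["original"] = mac_times(src)
        result["copy"] = mac_times(dst)
        return result


if __name__ == "__main__":
    r = demo()
    for name in ("original", "copy"):
        print(name, {k: show(v) for k, v in r[name].items()})
    print("preserved:", r["preserved"], "changed:", r["changed"], "same object:", r["same_object"])
```

`compare_copy` can be run against any two real paths; `same_object` being False for a copy is exactly the point the section makes: the content and the Modified time look identical from the surface, but the copy occupies a different location on disk.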


🧪 When Does This Matter?

If you need to:

  • Analyze physical disk blocks

  • Extract the original file location history

💡 Then a regular copy is not enough; you must use forensic acquisition tools such as:

  • FTK Imager

  • Autopsy

  • dd (in Linux)
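What those tools do that a copy does not is read the storage block by block, keep going past unreadable blocks, and prove the result with a verification hash. The following added example (written for this page; it is not FTK Imager, Autopsy or dd code) models that loop over a constructed 16 KiB "disk" file: one acquisition is clean, the second hits a simulated bad block, which is logged and written as zeros so the remaining blocks keep their offsets (the behaviour `dd` gives with `conv=noerror,sync`). The bad-block wrapper and the disk contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096


class UnreadableBlocks:
    """Wrap an open file; reading inside a listed block raises OSError (a constructed bad sector)."""

    def __init__(self, fobj, bad_blocks):
        self.f, self.bad = fobj, set(bad_blocks)

    def read(self, n):
        block = self.f.tell() // BLOCK_SIZE
        if block in self.bad:
            self.f.seek(n, 1)                  # move past the bad sector, like a drive that gives up on it
            raise OSError("read error in block %d" % block)
        return self.f.read(n)


def acquire(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing what is written.

    An unreadable block is logged and written as zeros so later blocks keep their
    offsets (what dd's conv=noerror,sync does). Returns (sha256, bad_blocks).
    """
    digest, bad, block = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            chunk = b"\x00" * block_size
            bad.append(block)
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        block += 1
    return digest.hexdigest(), bad


def sha256_file(path):
    """Re-hash the finished image; an acquisition is only complete once this matches."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def demo():
    """Constructed 16 KiB 'disk' (4 blocks) imaged twice: cleanly, then with block 2 unreadable."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "fake_disk.bin")
        data = bytes(range(256)) * 64
        with open(device, "wb") as f:
            f.write(data)
        clean_img, bad_img = os.path.join(d, "clean.dd"), os.path.join(d, "bad.dd")
        with open(device, "rb") as s, open(clean_img, "wb") as o:
            clean_hash, clean_bad = acquire(s, o)
        with open(device, "rb") as s, open(bad_img, "wb") as o:
            bad_hash, bad_blocks = acquire(UnreadableBlocks(s, [2]), o)
        return {
            "source_sha256": hashlib.sha256(data).hexdigest(),
            "clean_sha256": clean_hash,
            "clean_verified": sha256_file(clean_img) == clean_hash,
            "clean_bad_blocks": clean_bad,
            "bad_sha256": bad_hash,
            "bad_blocks": bad_blocks,
            "bad_image_size": os.path.getsize(bad_img),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %s" % (k, v))
```

The two numbers an examiner records from such a run are the image hash and the bad-block list: the first lets anyone re-verify the image later, and the second explains why that hash will not match a source that could be read completely.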


✅ Key Takeaways for Digital Forensic Investigators:

| Point | Details |
|---|---|
| Don’t use editing programs | They delete metadata automatically |
| Rely on original copies | They preserve timestamps and device info |
| Check Properties and EXIF | To obtain accurate data |
| Don’t trust appearances only | Investigate at the physical level when needed |
| Courts require accurate evidence | So avoid altering files in any way |