macOS Forensics – Analyze file timestamps in depth

In digital forensics, analyzing timestamps can provide valuable insights into the timeline of events and help reconstruct a digital crime scene. This article focuses on macOS forensics and delves into the analysis of timestamps using a real-world example.

By examining the metadata of a file, specifically the “icon.png.webp” file, we will explore various timestamps and their significance in forensic investigations.


Example

Let’s start by analyzing the metadata of the “icon.png.webp” file using the “mdls” command, which on macOS is normally located at /usr/bin/mdls.

The mdls command prints the values of all the Spotlight metadata attributes associated with the files passed as arguments.

https://ss64.com/osx/mdls.html

[~/Desktop]$ mdls icon.png.webp
_kMDItemDisplayNameWithExtensions      = "icon.png.webp"
kMDItemBitsPerSample                   = 24
kMDItemColorSpace                      = "RGB"
kMDItemContentCreationDate             = 2021-08-20 07:42:37 +0000
kMDItemContentCreationDate_Ranking     = 2021-08-20 00:00:00 +0000
kMDItemContentModificationDate         = 2021-08-20 07:42:37 +0000
kMDItemContentModificationDate_Ranking = 2021-08-20 00:00:00 +0000
kMDItemContentType                     = "org.webmproject.webp"
kMDItemContentTypeTree                 = (
    "org.webmproject.webp",
    "public.image",
    "public.data",
    "public.item",
    "public.content"
)
kMDItemDateAdded                       = 2021-08-20 07:42:37 +0000
kMDItemDateAdded_Ranking               = 2021-08-20 00:00:00 +0000
kMDItemDisplayName                     = "icon.png.webp"
kMDItemDocumentIdentifier              = 0
kMDItemDownloadedDate                  = (
    "2021-08-20 07:42:37 +0000"
)
kMDItemFSContentChangeDate             = 2021-08-20 07:42:37 +0000
kMDItemFSCreationDate                  = 2021-08-20 07:42:37 +0000
kMDItemFSCreatorCode                   = ""
kMDItemFSFinderFlags                   = 0
kMDItemFSHasCustomIcon                 = (null)
kMDItemFSInvisible                     = 0
kMDItemFSIsExtensionHidden             = 0
kMDItemFSIsStationery                  = (null)
kMDItemFSLabel                         = 0
kMDItemFSName                          = "icon.png.webp"
kMDItemFSNodeCount                     = (null)
kMDItemFSOwnerGroupID                  = 589967514
kMDItemFSOwnerUserID                   = 1998485974
kMDItemFSSize                          = 76936
kMDItemFSTypeCode                      = ""
kMDItemHasAlphaChannel                 = 0
kMDItemInterestingDate_Ranking         = 2021-08-20 00:00:00 +0000
kMDItemKind                            = "WebP Image"
kMDItemLastUsedDate                    = 2021-08-20 07:42:37 +0000
kMDItemLastUsedDate_Ranking            = 2021-08-20 00:00:00 +0000
kMDItemLogicalSize                     = 76936
kMDItemOrientation                     = 0
kMDItemPhysicalSize                    = 77824
kMDItemPixelCount                      = 589824
kMDItemPixelHeight                     = 768
kMDItemPixelWidth                      = 768
kMDItemUseCount                        = 2
kMDItemUsedDates                       = (
    "2021-08-19 22:00:00 +0000"
)
kMDItemWhereFroms                      = (
    "https://www.albertopasca.it/dummy.png"
)
[~/Desktop]$

Analysis of Timestamps

  1. Content Creation Date: The “kMDItemContentCreationDate” timestamp indicates when the file was originally created or captured. In our example, it is “2021-08-20 07:42:37 +0000”.
  2. Content Modification Date: The “kMDItemContentModificationDate” timestamp denotes the last modification made to the file. In this case, it matches the creation date.
  3. Date Added: The “kMDItemDateAdded” timestamp represents when the file was added to the system. It can help determine when the file entered the user’s possession.
  4. Last Used Date: The “kMDItemLastUsedDate” indicates the most recent access or usage of the file. It can be useful in determining file activity.
  5. Downloaded Date: The “kMDItemDownloadedDate” timestamp specifies when the file was downloaded, providing insights into its origin.
  6. File System Creation Date: The “kMDItemFSCreationDate” records the creation date of the file within the file system.
  7. File System Content Change Date: The “kMDItemFSContentChangeDate” signifies the date when the file’s content was last modified within the file system.
  8. Other Timestamps: Additional timestamps, such as “kMDItemInterestingDate_Ranking” and “kMDItemUsedDates”, may provide further context about the file’s significance or usage patterns.
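To turn a listing like the one above into something an examiner can compare across many files, here is an added Python script (my own example, not code from the article or from Apple). It parses the text format mdls prints, orders every timestamp attribute into a timeline, and flags orderings that deserve a second look: a modification, download, added or last-used time that is earlier than the file-system creation time, or a download origin (kMDItemWhereFroms) without a matching download date. The embedded SAMPLE is a subset of the article’s own listing; the script name timeline.py and the specific checks are my assumptions, not documented behaviour. On a Mac, pipe real output in with `mdls <file> | python3 timeline.py`; anywhere else it runs on the sample.

```python
import re
import sys
from datetime import datetime

# Timestamp attributes discussed in the article, roughly in acquisition order.
TIMESTAMP_KEYS = (
    "kMDItemFSCreationDate", "kMDItemContentCreationDate", "kMDItemContentModificationDate",
    "kMDItemFSContentChangeDate", "kMDItemDateAdded", "kMDItemDownloadedDate",
    "kMDItemLastUsedDate", "kMDItemUsedDates",
)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}$")
# Subset of the article's own `mdls icon.png.webp` listing, embedded for offline runs.
SAMPLE = """\
kMDItemContentCreationDate             = 2021-08-20 07:42:37 +0000
kMDItemContentModificationDate         = 2021-08-20 07:42:37 +0000
kMDItemDateAdded                       = 2021-08-20 07:42:37 +0000
kMDItemDownloadedDate                  = (
    "2021-08-20 07:42:37 +0000"
)
kMDItemFSContentChangeDate             = 2021-08-20 07:42:37 +0000
kMDItemFSCreationDate                  = 2021-08-20 07:42:37 +0000
kMDItemFSSize                          = 76936
kMDItemLastUsedDate                    = 2021-08-20 07:42:37 +0000
kMDItemUsedDates                       = (
    "2021-08-19 22:00:00 +0000"
)
kMDItemWhereFroms                      = (
    "https://www.albertopasca.it/dummy.png"
)
"""


def _scalar(raw):
    """Convert one mdls value: (null), quoted string, timestamp or integer."""
    raw = raw.strip()
    if raw == "(null)":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]  # strings, and dates inside arrays, are quoted
    if DATE_RE.match(raw):
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %z")
    return int(raw) if raw.lstrip("-").isdigit() else raw


def parse_mdls(text):
    """Turn `key = value` and multi-line `key = ( ... )` entries into a dict."""
    attrs = {}
    lines = iter(text.splitlines())
    for line in lines:
        if "=" not in line:
            continue  # blank lines and shell prompts
        key, _, raw = line.partition("=")
        if raw.strip() != "(":
            attrs[key.strip()] = _scalar(raw)
            continue
        items = []
        for inner in lines:  # consume the array body up to the closing ")"
            if inner.strip() == ")":
                break
            items.append(_scalar(inner.strip().rstrip(",")))
        attrs[key.strip()] = items
    return attrs


def timeline(attrs):
    """Return (timestamp, attribute) pairs for one file, oldest first."""
    events = []
    for key in TIMESTAMP_KEYS:
        value = attrs.get(key)
        for v in (value if isinstance(value, list) else [value]):
            if isinstance(v, datetime):
                events.append((v, key))
    return sorted(events)


def check_consistency(attrs):
    """Flag timestamps that contradict the usual create -> download -> modify -> use
    order. kMDItemUsedDates is skipped on purpose: in the article's listing it is
    2021-08-19 22:00:00 +0000, local midnight in a UTC+2 zone, i.e. a day bucket."""
    earliest = {}
    for when, key in timeline(attrs):  # ascending, so the first seen is the earliest
        earliest.setdefault(key, when)
    findings = []
    created = earliest.get("kMDItemFSCreationDate")
    for key in TIMESTAMP_KEYS[1:7]:  # all but FSCreationDate itself and UsedDates
        if created and key in earliest and earliest[key] < created:
            findings.append(f"{key} precedes kMDItemFSCreationDate")
    if attrs.get("kMDItemWhereFroms") and "kMDItemDownloadedDate" not in earliest:
        findings.append("kMDItemWhereFroms set but no kMDItemDownloadedDate")
    return findings


if __name__ == "__main__":
    # Real output arrives on stdin when piped from mdls; otherwise fall back to SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    attrs = parse_mdls(text)
    for when, key in timeline(attrs):
        print(f"{when:%Y-%m-%d %H:%M:%S %z}  {key}")
    print("findings:", check_consistency(attrs) or "none")
```

The findings are prompts for a closer look, not verdicts: a copy that preserved an old creation date, or a file whose dates were set by hand, both show up the same way, and only the surrounding artifacts (the article’s note at the end makes the same point) tell them apart. Note also that the day-bucketed attributes (kMDItemUsedDates and the *_Ranking values) are reported in UTC but aligned to local midnight, so they must not be compared with the second-precision timestamps without converting time zones.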

Forensic Significance

Analyzing timestamps is crucial in forensic investigations. By examining the timestamps of a file, investigators can establish timelines, reconstruct events, determine file provenance, and identify suspicious or anomalous activities. Timestamp analysis plays a vital role in uncovering evidence and providing crucial information in digital forensics cases.

Extracting EXIF info from an image using the Preview app

Open your image with Preview and press CMD+I; an Inspector panel opens. There you can find, read-only, all the EXIF information about your image:


Conclusion

Timestamp analysis is a fundamental aspect of macOS forensics. In this article, we explored the various timestamps associated with a file, “icon.png.webp,” and discussed their significance in forensic investigations. By leveraging these timestamps, digital forensic examiners can reconstruct events, establish timelines, and uncover valuable evidence. Understanding the depths of timestamp analysis empowers investigators to extract meaningful insights and contribute to the field of digital forensics.


References:

Apple Developer Documentation: Metadata Attributes

Note: The example provided in this article is for illustrative purposes only. In a real forensic investigation, multiple files, timestamps, and other artifacts would be analyzed to build a comprehensive timeline of events.


Alberto Pasca

Software engineer @ Pirelli & C. S.p.A. with a strong passion for mobile development, security, and connected things.