In digital forensics, analyzing timestamps can provide valuable insights into the timeline of events and help reconstruct a digital crime scene. This article focuses on macOS forensics and delves into the analysis of timestamps using a real-world example.
By examining the metadata of a file, specifically the “icon.png.webp” file, we will explore various timestamps and their significance in forensic investigations.
Let’s start by analyzing the metadata of the “icon.png.webp” file using the “mdls” command in macOS, generally located in
The mdls command prints the values of all the metadata attributes associated with the files provided as an argument.
```
[~/Desktop]$ mdls icon.png.webp
_kMDItemDisplayNameWithExtensions = "icon.png.webp"
kMDItemBitsPerSample = 24
kMDItemColorSpace = "RGB"
kMDItemContentCreationDate = 2021-08-20 07:42:37 +0000
kMDItemContentCreationDate_Ranking = 2021-08-20 00:00:00 +0000
kMDItemContentModificationDate = 2021-08-20 07:42:37 +0000
kMDItemContentModificationDate_Ranking = 2021-08-20 00:00:00 +0000
kMDItemContentType = "org.webmproject.webp"
kMDItemContentTypeTree = (
    "org.webmproject.webp",
    "public.image",
    "public.data",
    "public.item",
    "public.content"
)
kMDItemDateAdded = 2021-08-20 07:42:37 +0000
kMDItemDateAdded_Ranking = 2021-08-20 00:00:00 +0000
kMDItemDisplayName = "icon.png.webp"
kMDItemDocumentIdentifier = 0
kMDItemDownloadedDate = (
    "2021-08-20 07:42:37 +0000"
)
kMDItemFSContentChangeDate = 2021-08-20 07:42:37 +0000
kMDItemFSCreationDate = 2021-08-20 07:42:37 +0000
kMDItemFSCreatorCode = ""
kMDItemFSFinderFlags = 0
kMDItemFSHasCustomIcon = (null)
kMDItemFSInvisible = 0
kMDItemFSIsExtensionHidden = 0
kMDItemFSIsStationery = (null)
kMDItemFSLabel = 0
kMDItemFSName = "icon.png.webp"
kMDItemFSNodeCount = (null)
kMDItemFSOwnerGroupID = 589967514
kMDItemFSOwnerUserID = 1998485974
kMDItemFSSize = 76936
kMDItemFSTypeCode = ""
kMDItemHasAlphaChannel = 0
kMDItemInterestingDate_Ranking = 2021-08-20 00:00:00 +0000
kMDItemKind = "WebP Image"
kMDItemLastUsedDate = 2021-08-20 07:42:37 +0000
kMDItemLastUsedDate_Ranking = 2021-08-20 00:00:00 +0000
kMDItemLogicalSize = 76936
kMDItemOrientation = 0
kMDItemPhysicalSize = 77824
kMDItemPixelCount = 589824
kMDItemPixelHeight = 768
kMDItemPixelWidth = 768
kMDItemUseCount = 2
kMDItemUsedDates = (
    "2021-08-19 22:00:00 +0000"
)
kMDItemWhereFroms = (
    "https://www.albertopasca.it/dummy.png"
)
[~/Desktop]$
```
# Analysis of Timestamps
- Content Creation Date: The “kMDItemContentCreationDate” timestamp indicates when the file was originally created or captured. In our example, it is “2021-08-20 07:42:37 +0000.”
- Content Modification Date: The “kMDItemContentModificationDate” timestamp denotes the last modification made to the file. In this case, it matches the creation date.
- Date Added: The “kMDItemDateAdded” timestamp represents when the file was added to the system. It can help determine when the file entered the user’s possession.
- Last Used Date: The “kMDItemLastUsedDate” indicates the most recent access or usage of the file. It can be useful in determining file activity.
- Downloaded Date: The “kMDItemDownloadedDate” timestamp specifies when the file was downloaded, providing insights into its origin.
- File System Creation Date: The “kMDItemFSCreationDate” records the creation date of the file within the file system.
- File System Content Change Date: The “kMDItemFSContentChangeDate” signifies the date when the file’s content was last modified within the file system.
- Other Timestamps: Additional timestamps, such as “kMDItemInterestingDate_Ranking” and “kMDItemUsedDates,” may provide further context about the file’s significance or usage patterns.
Analyzing timestamps is crucial in forensic investigations. By examining the timestamps of a file, investigators can establish timelines, reconstruct events, determine file provenance, and identify suspicious or anomalous activities. Timestamp analysis plays a vital role in uncovering evidence and providing crucial information in digital forensics cases.
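To turn the attribute list above into something an examiner can reason about, here is an added example (not part of the original article) that parses mdls output, orders every timestamp attribute into a timeline, and flags orderings that cannot arise from a plain download-and-open sequence. The sample input is a constructed copy of the timestamp attributes shown above; the function names and the set of ordering rules are this example's own choices.

```python
import re
from datetime import datetime
# Constructed sample: the timestamp attributes copied from the mdls output above.
SAMPLE_MDLS = """\
kMDItemContentCreationDate     = 2021-08-20 07:42:37 +0000
kMDItemContentModificationDate = 2021-08-20 07:42:37 +0000
kMDItemDateAdded               = 2021-08-20 07:42:37 +0000
kMDItemDownloadedDate          = (
    "2021-08-20 07:42:37 +0000"
)
kMDItemLastUsedDate            = 2021-08-20 07:42:37 +0000
kMDItemUsedDates               = (
    "2021-08-19 22:00:00 +0000"
)
kMDItemWhereFroms              = (
    "https://www.albertopasca.it/dummy.png"
)
"""
TS_RE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}")  # mdls date format

def parse_mdls(text):
    """Parse mdls output into a dict; multi-line ( ... ) arrays become lists."""
    attrs, key, buf = {}, None, []                 # key is set while inside ( ... )
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*)$", line)
        if key and line.strip() == ")":            # end of an array: store it
            attrs[key], key, buf = buf, None, []
        elif key:                                  # array element, quoted and comma-separated
            buf.append(line.strip().rstrip(",").strip('"'))
        elif m and m.group(2) == "(":              # start of a multi-line array
            key = m.group(1)
        elif m:                                    # plain scalar attribute
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def timeline(attrs):
    """Every timestamp-valued attribute as (datetime, attribute) pairs, oldest first."""
    return sorted((datetime.strptime(v, "%Y-%m-%d %H:%M:%S %z"), k) for k, vals in attrs.items()
                  for v in (vals if isinstance(vals, list) else [vals]) if TS_RE.fullmatch(v))

# (earlier, later): orderings that hold for a file that was simply downloaded and then opened.
ORDER_RULES = [("kMDItemContentCreationDate", "kMDItemContentModificationDate"),
               ("kMDItemDateAdded", "kMDItemLastUsedDate")]

def check_consistency(attrs):
    """Return findings that deserve a second look; a finding is a lead, not proof of tampering."""
    dates = {k: t for t, k in timeline(attrs)}
    findings = [f"{late} is earlier than {early}" for early, late in ORDER_RULES
                if early in dates and late in dates and dates[late] < dates[early]]
    if ("kMDItemDownloadedDate" in attrs) != ("kMDItemWhereFroms" in attrs):
        findings.append("download date and origin URL do not accompany each other")
    return findings
```

On the sample, the only event that sorts before the others is kMDItemUsedDates at 22:00 UTC on the previous day, which is consistent with a day-granularity value stored at local midnight in a UTC+2 zone rather than a genuine earlier use; that interpretation is mine, not the article's.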
# Extracting EXIF info from image using Preview app
Open your image with Preview and press CMD+I; a new panel opens. There you can find, read-only, all the EXIF information about your image.
Timestamp analysis is a fundamental aspect of macOS forensics. In this article, we explored the various timestamps associated with a file, “icon.png.webp,” and discussed their significance in forensic investigations. By leveraging these timestamps, digital forensic examiners can reconstruct events, establish timelines, and uncover valuable evidence. Understanding the depths of timestamp analysis empowers investigators to extract meaningful insights and contribute to the field of digital forensics.
Apple Developer Documentation: Metadata Attributes
Note: The example provided in this article is for illustrative purposes only. In a real forensic investigation, multiple files, timestamps, and other artifacts would be analyzed to build a comprehensive timeline of events.