Re: [OpenAFS] Accuracy of timestamps in AFS files.

Sat, 19 Apr 2008 10:24:24 -0700 

Finke, Jon E wrote:

I will be giving a deposition involving some intellectual property
issues in the near future, and some of my work is being considered as
prior art.  One of the ways we are determining "when" I wrote things
will be based on the last changed dates of the files.   Our AFS cell
dates back to the early 90s (which is when I got my AFS admin
certification.)


The question may arise, is how easy is it to "fake" these file system
time stamps - do they come from the AFS client or from the AFS file
servers?  Off hand I could see setting the date way back on a Unix host
(not an AFS client), writing out some files, making a tarfile of the
result, and then untarring it on an AFS client would produce
appropriately "faked" timestamps.   Are there other indicators (volume
time stamps, etc) that would detect that forgery attempt?


Although I am an AFS admin, I am not the primary administrator of our
cell, that role has been handled by others.


I am quite confident that we do not have viable backups of the cell
going back 10 years (even if we have the media, we may not have a drive
to read it).  There are secondary indicators of dates (papers published,
newsletter articles, etc) that would indicate that we were indeed
working on the projects demonstrated by the file system timestamps.


This being my first in depth exposure to the federal courts, I am
uncertain of the evidentiary value of computer files - I have files on
my laptop with dates in the 90s, yet the laptop was manufactured in
2007....


Well, if my test is correct, then tweaking file dates is trivial:
jason:~/afs jwedgeco$ ls -l file ls: file: No such file or directory 
jason:~/afs jwedgeco$ touch file
jason:~/afs jwedgeco$ ls -l file
-rw-rw-rw-   1 11544  jwedgeco  0 Apr 19 13:11 file
jason:~/afs jwedgeco$ man touch
jason:~/afs jwedgeco$ touch -t 19900102030405 file
touch: out of range or illegal time specification: [[CC]YY]MMDDhhmm[.SS]
jason:~/afs jwedgeco$ touch -t 199001020304 file
jason:~/afs jwedgeco$ ls -l file
-rw-rw-rw-   1 11544  jwedgeco  0 Jan  2  1990 file
jason:~/afs jwedgeco$ stat file
738197510 500158954 -rw-rw-rw- 1 (11544) jwedgeco 1 0 "Jan 2 03:04:00 1990" "Jan 2 03:04:00 1990" "Jan 2 03:04:00 1990" 4096 2 0 file 
jason:~/afs jwedgeco$

Run on a Mac with AFS 1.4.7pre3 and normal user tokens.

Jason

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to