[OpenAFS] Accuracy of timestamps in AFS files.

Jason Edgecombe jason@rampaginggeek.com
Sat, 19 Apr 2008 13:23:08 -0400 

Finke, Jon E wrote:
> I will be giving a deposition involving some intellectual property
> issues in the near future, and some of my work is being considered as
> prior art.  One of the ways we are determining "when" I wrote things
> will be based on the last changed dates of the files.   Our AFS cell
> dates back to the early 90s (which is when I got my AFS admin
> certification.)
>
>  
>
> The question may arise, is how easy is it to "fake" these file system
> time stamps - do they come from the AFS client or from the AFS file
> servers?  Off hand I could see setting the date way back on a Unix host
> (not an AFS client), writing out some files, making a tarfile of the
> result, and then untarring it on an AFS client would produce
> appropriately "faked" timestamps.   Are there other indicators (volume
> time stamps, etc) that would detect that forgery attempt?
>
>  
>
> Although I am an AFS admin, I am not the primary administrator of our
> cell, that role has been handled by others.
>
>  
>
> I am quite confident that we do not have viable backups of the cell
> going back 10 years (even if we have the media, we may not have a drive
> to read it).  There are secondary indicators of dates (papers published,
> newsletter articles, etc) that would indicate that we were indeed
> working on the projects demonstrated by the file system timestamps.
>
>  
>
> This being my first in depth exposure to the federal courts, I am
> uncertain of the evidentiary value of computer files - I have files on
> my laptop with dates in the 90s, yet the laptop was manufactured in
> 2007....
>
>  
Well, if my test is correct, then tweaking file dates is trivial:

jason:~/afs jwedgeco$ ls -l file 
ls: file: No such file or directory
jason:~/afs jwedgeco$ touch file
jason:~/afs jwedgeco$ ls -l file
-rw-rw-rw-   1 11544  jwedgeco  0 Apr 19 13:11 file
jason:~/afs jwedgeco$ man touch
jason:~/afs jwedgeco$ touch -t 19900102030405 file
touch: out of range or illegal time specification: [[CC]YY]MMDDhhmm[.SS]
jason:~/afs jwedgeco$ touch -t 199001020304 file
jason:~/afs jwedgeco$ ls -l file
-rw-rw-rw-   1 11544  jwedgeco  0 Jan  2  1990 file
jason:~/afs jwedgeco$ stat file
738197510 500158954 -rw-rw-rw- 1 (11544) jwedgeco 1 0 "Jan  2 03:04:00 
1990" "Jan  2 03:04:00 1990" "Jan  2 03:04:00 1990" 4096 2 0 file
jason:~/afs jwedgeco$

Run on a Mac with AFS 1.4.7pre3 and normal user tokens.

Jason