SecureArtisan

My Road to Digital Forensics Excellence

NTBackup and BKF Files

Posted by Paul Bobby on November 4, 2008

A case I’m working on brought up the question of .BKF-formatted data on tape and whether it can be analysed.

.BKF is the format created by Windows Backup (NTBackup). It is essentially a TAR file and can be restored using Windows Backup; the restored contents can then be placed into a Logical Evidence File.

For restored data, the following timestamps apply:

FOR FILES

  1. File Created and Last Written remain the same
  2. Last Accessed and Entry Modified are changed to the time they were restored
  3. The Archive bit is set on the restored files
  4. The Hash values are the same

FOR FOLDERS

  1. File Created remains the same
  2. Last Accessed, Entry Modified and Last Written are changed to the time they were restored
  3. The Hash values are different

Caveat: ‘changed to the time they were restored’ does not mean one specific time. Restoring an entire backup can take a while, so each value reflects the moment that particular file or folder was written out, not a single time for the whole restore job.
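As an added illustration (not part of the original post), the rules above and the caveat expressed as a check you can run over metadata exported from the source tree and the restored tree: any field that changed but is not one the restore is expected to rewrite points to something other than a plain restore, and the spread of Last Accessed values brackets the restore job. All paths, timestamps and hashes below are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Entry:
    # MACE-style metadata for one object (constructed for this example, not from a real image).
    is_dir: bool
    created: datetime
    written: datetime    # Last Written
    accessed: datetime   # Last Accessed
    entry_mod: datetime  # Entry Modified ($STANDARD_INFORMATION change time)
    md5: str             # hash as the forensic tool reports it (folders included)

# Fields a restore rewrites, per the post: files keep Created, Last Written and hash; folders keep only Created.
RESTORE_TOUCHES = {False: {"accessed", "entry_mod"}, True: {"accessed", "entry_mod", "written", "md5"}}
FIELDS = ("created", "written", "accessed", "entry_mod", "md5")

def diff_entry(orig: Entry, restored: Entry) -> set[str]:
    """Fields whose values differ between the backed-up original and its restored copy."""
    return {f for f in FIELDS if getattr(orig, f) != getattr(restored, f)}

def consistent_with_restore(orig: Entry, restored: Entry) -> bool:
    """True when every changed field is one the restore is expected to rewrite.
    A file whose Last Written or hash differs was altered after restoration (or is not the restored copy)."""
    return diff_entry(orig, restored) <= RESTORE_TOUCHES[orig.is_dir]

def audit(source: dict[str, Entry], restored: dict[str, Entry]) -> dict[str, bool]:
    """Per-path verdict for every object present in both trees."""
    return {p: consistent_with_restore(source[p], restored[p]) for p in source if p in restored}

def restore_window(entries: list[Entry]) -> tuple[datetime, datetime]:
    """Bracket the restore job from Last Accessed: each object carries the time it was
    individually written out (the post's caveat), not one job-wide timestamp."""
    times = [e.accessed for e in entries]
    return min(times), max(times)

# Constructed sample: a folder and two files backed up in 2007, restored 2008-11-04, one file edited afterwards.
T0, R1, R2 = datetime(2007, 3, 15, 10, 0), datetime(2008, 11, 4, 9, 0, 5), datetime(2008, 11, 4, 9, 0, 40)
EDIT = datetime(2008, 11, 4, 9, 12, 30)
SOURCE = {r"C:\Data": Entry(True, T0, T0, T0, T0, "a1"),
          r"C:\Data\report.doc": Entry(False, T0, T0, T0, T0, "b2"),
          r"C:\Data\notes.txt": Entry(False, T0, T0, T0, T0, "c3")}
RESTORED = {r"C:\Data": Entry(True, T0, R1, R1, R1, "d4"),              # folder: expected restore pattern
            r"C:\Data\report.doc": Entry(False, T0, T0, R2, R2, "b2"),  # file: expected restore pattern
            r"C:\Data\notes.txt": Entry(False, T0, EDIT, EDIT, EDIT, "e5")}  # file edited after restore

if __name__ == "__main__":
    verdicts = audit(SOURCE, RESTORED)
    for path, ok in verdicts.items():
        print(f"{path}: {'restore only' if ok else 'changed after restore'}")
    print("restore window:", restore_window([RESTORED[p] for p, ok in verdicts.items() if ok]))
```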
