Thursday, February 2, 2017

Funny Mac behavior with fat32 volume label mod dates #dfir

Recently I had to do some testing to see what causes the modified date for a FAT32 volume label to change. It has been understood for as long as I can remember that the modified date on the volume label is set when you format your thumb drive or hard disk partition.
So I did some testing, and my testing shows that macOS doesn't follow the rules! In fact, any time I plugged a FAT32 thumb drive into a Mac running 8.5 or later, the modification date for the volume label was changed. You say what? Yup, I was able to reproduce this behavior all the way up to the latest iteration of macOS, Sierra as I write this, I think. It's important to state that the date only changes if the FAT32 volume has a volume name set. If it's the default FAT32 name, the date will not change!

Testing has shown that each time a FAT32 thumb drive with a volume label set is plugged into the Mac, the value gets changed by macOS to the current date and time.

*For background on FAT32 volume serial numbers and date/time verification, Digital Discovery has this paper, "Volume Serial Numbers and Format Date/Time Verification", last updated in 2005.

Why is this happening? Well, from my investigation of the log file it appears the FAT32 driver may be parsing the modification date incorrectly, causing the kernel driver to set a new date that it thinks is valid.
This can have some fairly significant implications for your investigations involving FAT32-formatted devices if they also carry macOS artifacts. Once again, the important caveat to what I just told you is that this only happens when a volume label is set. So if the FAT32 label is the default NO NAME, you shouldn't see the date change. Please test and let me know if you have any additional findings!
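As a concrete way to check the finding above and the NO NAME caveat on your own media, here is an added Python example (not the post author's tooling) that locates the volume label directory entry in a raw FAT32 image, decodes its packed write date/time, and reports when no label entry exists. The same function run on a dd image taken before and after a mount on a Mac shows whether the field moved. The sample images are constructed inline with a minimal layout (512-byte sectors, one sector per cluster, 32 reserved sectors, two one-sector FATs, root directory in cluster 2); the label USBKEY and its timestamps are made up for the demonstration.

```python
"""Decode the FAT32 volume-label directory entry and its write timestamp.

Added example, not the post author's code. Works on a raw FAT32 image
(e.g. a dd copy of the partition). The images built below are constructed
so the script runs offline; they are not real formatter output.
"""
import struct
from datetime import datetime
from typing import Optional, Tuple

ATTR_VOLUME_ID = 0x08   # directory entry attribute: this entry is the volume label
ATTR_LONG_NAME = 0x0F   # LFN entries also have the 0x08 bit set, so test for these first
DIR_ENTRY_SIZE = 32


def dos_datetime(date_word: int, time_word: int) -> Optional[datetime]:
    """Decode the packed 16-bit FAT date (year-1980:7, month:4, day:5)
    and time (hour:5, minute:6, seconds/2:5). Returns None instead of
    raising on an all-zero or out-of-range value, since a bogus date in
    this slot is exactly what is worth noticing when comparing images."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None


def volume_label_entry(image: bytes) -> Tuple[str, Optional[str], Optional[datetime]]:
    """Return (boot-sector label field, root-directory label entry, its write time).

    The last two are None when the root directory holds no label entry,
    which is the default NO NAME case."""
    bytes_per_sector, = struct.unpack_from("<H", image, 11)
    sectors_per_cluster = image[13]
    reserved_sectors, = struct.unpack_from("<H", image, 14)
    num_fats = image[16]
    sectors_per_fat, = struct.unpack_from("<I", image, 36)   # BPB_FATSz32
    root_cluster, = struct.unpack_from("<I", image, 44)      # BPB_RootClus
    boot_label = image[71:82].decode("ascii", "replace").rstrip()

    first_data_sector = reserved_sectors + num_fats * sectors_per_fat
    cluster_size = bytes_per_sector * sectors_per_cluster
    root_offset = (first_data_sector + (root_cluster - 2) * sectors_per_cluster) * bytes_per_sector
    # Only the first cluster of the root directory is scanned; the label entry
    # is written at format time and sits near the top of the directory.
    root = image[root_offset:root_offset + cluster_size]

    for off in range(0, len(root) - DIR_ENTRY_SIZE + 1, DIR_ENTRY_SIZE):
        entry = root[off:off + DIR_ENTRY_SIZE]
        if entry[0] == 0x00:        # end-of-directory marker
            break
        if entry[0] == 0xE5:        # deleted entry
            continue
        attr = entry[11]
        if attr == ATTR_LONG_NAME or not (attr & ATTR_VOLUME_ID):
            continue
        label = entry[0:11].decode("ascii", "replace").rstrip()
        wrt_time, wrt_date = struct.unpack_from("<HH", entry, 22)   # DIR_WrtTime, DIR_WrtDate
        return boot_label, label, dos_datetime(wrt_date, wrt_time)
    return boot_label, None, None


def dos_date_word(d: datetime) -> int:
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def dos_time_word(d: datetime) -> int:
    return (d.hour << 11) | (d.minute << 5) | (d.second // 2)


def build_test_image(label: Optional[str], mtime: Optional[datetime]) -> bytes:
    """Constructed minimal FAT32 image: 512-byte sectors, 1 sector/cluster,
    32 reserved sectors, 2 FATs of 1 sector each, root directory in cluster 2.
    With label=None the root directory is left empty (the NO NAME case)."""
    bps, spc, reserved, nfats, spf, root_clus = 512, 1, 32, 2, 1, 2
    boot = bytearray(bps)
    struct.pack_into("<H", boot, 11, bps)
    boot[13] = spc
    struct.pack_into("<H", boot, 14, reserved)
    boot[16] = nfats
    struct.pack_into("<I", boot, 36, spf)
    struct.pack_into("<I", boot, 44, root_clus)
    boot[71:82] = (label or "NO NAME").ljust(11).encode("ascii")
    boot[82:90] = b"FAT32   "
    image = boot + bytes(bps * (reserved - 1 + nfats * spf))   # rest of reserved area + FATs
    root = bytearray(bps)
    if label is not None:
        entry = bytearray(DIR_ENTRY_SIZE)
        entry[0:11] = label.ljust(11).encode("ascii")
        entry[11] = ATTR_VOLUME_ID
        struct.pack_into("<HH", entry, 22, dos_time_word(mtime), dos_date_word(mtime))
        root[0:DIR_ENTRY_SIZE] = entry
    return bytes(image + root)


# Constructed sample images: "before" and "after" a hypothetical Mac mount, plus an unlabelled volume.
BEFORE_IMAGE = build_test_image("USBKEY", datetime(2015, 3, 9, 14, 30, 10))
AFTER_IMAGE = build_test_image("USBKEY", datetime(2017, 2, 2, 8, 5, 44))
UNNAMED_IMAGE = build_test_image(None, None)

if __name__ == "__main__":
    for name, img in (("before", BEFORE_IMAGE), ("after", AFTER_IMAGE), ("unnamed", UNNAMED_IMAGE)):
        boot_label, label, when = volume_label_entry(img)
        print(f"{name:8s} boot label={boot_label!r} root label entry={label!r} write time={when}")
```

On real media, pass the raw partition image (for example the bytes of a dd copy of /dev/disk2s1) to volume_label_entry and compare the returned write time across acquisitions. The boot sector's own label field at offset 71 has no timestamp; the date lives only in the root directory entry with attribute 0x08, which is why an unlabelled NO NAME volume, which normally has no such entry, gives the driver nothing to rewrite.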
Happy hunting!

by Dave via EasyMetaData