Getting original file timestamps and dates back

M

Musicalls

Posts: 19   +0
Hi,
Im on Windows XP SP3. I have a number of recent movie files Ive been cataloging etc. A few weeks back I went and put a comment from Windows Explorer on some of those files and have just now realized its changed my "date modified" :( along with the accompanying time stamp. It is important to me to have this. Is there ANY way at all to get the original date modified & time stamp back?

Ive been searching this online and see there's quite a few people have been in a similar predicament but there's been no solutions so far that Ive seen. Theres plenty of apps that let you change the time and date, but theres no point changing them until I find out what they were.

Surely there must be 'something' under the hood that's accessible with the right know how??? Would REALLY appreciate any help on this.

Thanks, Jo
 
Yes, adding comments in the Properties of a file changes the Date Modified.
As I don't run the Indexing service, I can't tell if those comments are usable in searching; sigh.

It get back the timestamps, there are two techniques, both with heavy assumptions:
  1. replace the current file with another version using COPY (is there another?)
  2. or restore the file using RESTORE (from a backup)
 
Easy - download and install Free Commander http://www.freecommander.com/, in which you can easily view the creation date of any file, which I assume is the date you want to see. Using Free Commander, if you want to reset the modified date to that date you can do so - under the 'file' menu there is an entry 'attributes/timestamp' with which you can see (and change) all dates and times to your heart's content.

Having tried Free commander, you are very likely to standardise on it as a replacement for Windows Explorer, as have I and anybody who tries it usually does.

I do hope you realise that creation date, modified data and last accessed date are the ONLY stamps available under the NTFS file system. Under a server operating system, there are more sophisticated schemes and journaling is one - where every alteration to a file is separately recoverable - but that's not Windows.....
 
Thanks guys for your responses.

jobeard, unfortunately I put 'comments' into the files BEFORE I backed up.

gbhall,
Quote
"you can easily view the creation date of any file, which I assume is the date you want to see."

No, my create date is the same so theres no probs there. Just to reiterate whats in my 1st post....

Explorer on some of those files and have just now realized its changed my "date modified" along with the accompanying time stamp. It is important to me to have this. Is there ANY way at all to get the original date modified & time stamp back?

"I do hope you realise that creation date, modified data and last accessed date are the ONLY stamps available under the NTFS file system."

No I didnt realize that. If Im understanding you correctly, does that mean I have no way at all (other than backups) to retrieve the original date modified & time , or can freecommander get it back for me? As I said, I dont know what it was otherwise I could just punch it in with a number of utilities.

Thanks
Joanne
 
Yea, but I think he is looking for the first date modified, or at least the date modified prior to his most recent modification. Confusing.

I don't know - but gbhall's solution is probably the best you are going to get in terms of looking at the history of the file unless you want to pay for forensic software or something like that.
 
File system does not track timestamp of modification as a history; it's litterally the last TS of any write to the data.

Access TS is change even when you just access the Properties of the file to see the three timestamps :0
Tracking the Access TS is a major performance hit for NTFS and that's a reason that other filesystems do not track the metric.
 
Responses appreciated guys.

zilpha,
"but I think he is looking for the first date modified, or at least the date modified prior to his most recent modification. Confusing."

Ummm if youre meaning me, Im a she actually. . :) ...... and youre thinking right. I want the ORIGINAL, that is, the very first modification date. The only thing confusing is probably why I would want this as generally the 1st Create and Mod date and their accompanying timestamps would be typically the same. Not so when youre on dial-up and DLg a video file, which is in evidence by viewing the cache or tmp files.

Ha, I dont mind being the 'forensic technician' if someone has the know how to pass on...meaning, Im sure theres a lot of things we can do ourselves like go into the registry or execute some commands if we're careful.

jobeard, thanks for your comments on this. I'll be darn careful B4 I change anything in future.

Joanne
 
Musicalls said:
Ha, I dont mind being the 'forensic technician' if someone has the know how to pass on...meaning, Im sure theres a lot of things we can do ourselves like go into the registry or execute some commands if we're careful.
Click to expand...

Sorry, my comment stands. There is no way to recover any dates other than created and last modified.

Since each time you modify a file, a new copy is written, then the recycle bin may or may not contain the earlier version, from which the date/time can be seen. But it's all very hit and miss. In fact most editing software does not save earlier copies in the recycle bin, it only stores deleted files.

Where people are talking about 'forensic' they are referring to the fact that the re-write of the file that results from any edit process is usually (but again not always), written to a fresh location on your HDD, and the location is updated in the NTFS file index. So with highly specialised software, and at a cost of several 100 $,£ etc, it is possible to root around in apparently unused areas of your HDD and see those earlier copies and even recover some details.

It is something so specialised, there is only one comment I can make on it - forget it !!!
 
DOnt be sorry gb :) and thankyou for your comments.

It is what it is. I had to try and see if you wonderful knowledgeable types could give me a headsup either way and you have.

Interestingly, I just did some 'dry run tests' on my Mac (Leopard) and none of the following things change the mod date and time. Name change, Add colour label, Spotlight Comment, Copying and Moving to same directories as well as different partitions as well as different HDDs. Seems Apple has got it right here. Only change these timestamps if you edit the actual file.

Cheers
Joanne
 
I'm certainly not an expert in this area, but the reason OS X may not behave the same as Windows is that the default filesystem for OS X is "Mac OS Extended (journaled)", a journaled HFS+ file system. NTFS isn't journaled as gbhall pointed out in post #4.
 
SNGX1275, thanks for your comments.

Mmm Ive still got my Jaguar install tucked away, and it would be interesting to run the same tests on that. Im no expert either as you would have guessed, :) , but I Like to ask questions just the same. AFAIK journalling was possible from Panther on, and I know on Lep I can turn this on and off in Disk Utility.

In Windows I see in a files properties > Gen > Advanced > theres an option that says " for fast searching allow indexing service to index this file". Would this be similar to journalling or am I getting mixed up with something else??

Joanne
 
Joanne, indexing service has nothing to do with journalling.

The indexing service in Windows is a bit like Google search. It creates indexes of words in textual document types, and also a system-wide optimised list of file names.

http://en.wikipedia.org/wiki/Indexing_Service

It is something that seemed like a good idea at the time (c. 1998) but very, very few people have several millions of documents on their hard disks that they frequently want to search for text. Most people think it is a pointless exercise to have it running - and turn it off - as a brute force search of a HDD is almost always perfectly adequate.

It has it's dangers as well - this article is well worth a read http://www.theregister.co.uk/2007/05/10/tattletale_convenience/ and Musicalls, I'll hint that on page 4 there is something you might think is relevant to your original post !! (it isn't actually). BUT other parts of the article may be important to you - it depends on what is really behind your desire to know the first modified date of your files. Not that I want to know though.
 
Interesting reads, and thanks for your useful comments. I enjoyed the articles and Im looking forward to reading the swap file one as well.

I found this particularly interesting. I wondered when it was going to pop up about my old 'friend' the index.dat file. I get rid of the contents of these with CCleaner. It brasses me off that windoze rebuilds these at boot up. I also still have a little utility that actually reads these, but it tended to be a bit flakey so I havent used it for a while.

It sounds like you can write protect them so they cant be written to!

...therefore, I think these excerpts are worthy to be repeated...

Now for the bad news: even if you wipe these files, Windows will re-create them as soon as you reboot, and continue storing data in them. I recommend that you wipe each one, reboot, and then write-protect all of them. It's also important to search for them occasionally because Windows may create additional index.dat files as you use your machine....

All of the directories that Firefox and Mozilla use can be wiped easily and securely, or emptied and write-protected (about which there'll be more in a future column).

Once Firefox or Mozilla is installed and configured, you can destroy all of your index.dat files once, write-protect them when they are re-created after a reboot, and not worry about them in the future.
Click to expand...

Joanne
 
Whats the problem with index.dat files? (other than cluttering up things when you have show hidden and system files turned on).
 
Whats wrong with them??? Nothing if you dont mind Billyware knowing what your movements are. You may not value your privacy but I do and so do many others. Might I add that just because I value these things, doesnt mean Im hiding something I shouldnt. Its more the principle of covert underlying files that your typical Jo Bloggs knows nothing about. Apple is no better with their 'secret files' and phoning home apps that DONT NEED TO PHONE HOME!.

Besides all this.... I like to know whats going on under the hood, and I DONT like secret spy files. Dont get me started on Windoze notification tool, which I wont have a bar of. As far as hidden files go, well I find it very helpful to see what all the 'clutter is about' at times.

May I suggest you read the link that Gb put up. It is excellent.

Joanne
 
You must log in or register to reply here.

Similar threads

midian182
Missing for 50 years, the original Star Trek Enterprise model may have appeared on eBay
Replies
3
Views
271
arrowflash
A
Shawn Knight
Atari's 2600+ is a rebooted version of the original console that can play 2600 and 7800...
Replies
3
Views
384
ZedRM
ZedRM
midian182
Paradox Interactive reveals new release date, developer, and trailer for Vampire: The...
Replies
4
Views
297
return
return

Latest posts

Back