
I know that one can see the modification, access, and creation date of a file on Windows. And that the creation date, as well as other dates, can be modified at will. I just wonder if it is possible to forensically determine who created a file?

For example, is it possible to find out which DESKTOP_NAME created a .txt or a .cpp file even if it was transferred from other PCs?

schroeder
turmuka

2 Answers

4

No. Plain text files only include the plain text, and no further metadata. Only the file system records metadata about the file, and as you've seen, it can be easily forged.

However, further analysis of the file system or related systems may yield useful information. For example, if the file is stored on a network drive, it may be possible to look at log files, e.g. if Windows' “auditing” feature was enabled for the shared folder. It may also be possible for a forensic analysis to view old versions of file metadata when a journaling file system such as NTFS is used.

But all of these approaches only relate to metadata on one file system. Only file contents (not metadata) are copied when a file is copied from another file system, e.g. when a file is copied from a thumb drive.

amon
  • "Plain text files only include the plain text, and no further metadata." => generally wrong. Windows saves a lot of metadata with each file, including, but not limited to, owner and permissions. Alternate data streams are also present sometimes. – fraxinus Dec 28 '20 at 14:10
  • @fraxinus Yes, as discussed in the next sentence: “the file system records metadata”. This content vs FS-metadata distinction is important for OP to understand, especially since some file formats (like .docx or .pdf) do include a lot of metadata within the file contents (which is what likely inspired OP to ask this question). An answer discussing ADS would be interesting though, especially if ADS are maintained when copying a file from a different computer. – amon Dec 28 '20 at 14:19
  • Yes, ADS are maintained between compatible filesystems (i.e. CIFS and NTFS). You get an explicit warning when trying to copy a file with ADS to a FAT filesystem. – fraxinus Dec 28 '20 at 14:25
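The "auditing" route this answer mentions, as an added example that is not part of the original answer: it switches on the File System audit subcategory, puts a SACL on a shared folder so that writes are logged, and later pulls the resulting Security-log events (ID 4663) for one file name. Run it elevated on the file server; the folder path and file name are assumptions for illustration.

```powershell
# Added example, not from the original answer. Requires an elevated shell
# (SeSecurityPrivilege) on the machine that hosts the share.
$Folder = 'D:\Shares\Projects'   # assumed share root
$File   = 'notes.txt'            # assumed file of interest

# 1. Enable success auditing for the "File System" subcategory. Without this,
#    SACL entries are silently ignored.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry that audits successful writes and deletes by anyone,
#    inherited by all files and subfolders under $Folder.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Investigation time: event 4663 ("An attempt was made to access an object")
#    names the account, the process and the object. Parse the EventData XML
#    rather than scraping the localized Message text.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($File) }

foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process = $d.ProcessName
        Object  = $d.ObjectName
        Access  = $d.AccessMask   # 0x2 = WriteData/AddFile, 0x10000 = DELETE
    }
}
```

Two caveats a practitioner would want: the account recorded is the one authenticated to the server (for a network share, the SMB session user), which tells you who wrote the file onto this volume, not who originally typed its contents elsewhere; and nothing is logged for files that arrived before the SACL existed, so this is a preparation step, not something that can be applied after the fact.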
3

Depending on the method used to transfer the file between PCs, it is possible that the filesystem still keeps the "owner" attribute of the file, as well as its other permission attributes.

There can also be "alternate data streams" attached to the file that some code and content management systems use.

These may be used to deduce the authorship.

Depending on other circumstances (like security policies imposed using Active Directory), these attributes may or may not be modified at will.

Some methods of transferring a file (like recording it on external media or sending it by email) completely erase all these clues.

You may or may not have luck.

fraxinus
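How to actually read the clues this answer lists (owner, permissions, alternate data streams), as an added example that is not part of the original answer. It inspects a single file already sitting on an NTFS volume; the path is an assumption, and the interpretation notes in the comments are the usual forensic reading of these fields, not guarantees.

```powershell
# Added example, not from the original answer. Works on any NTFS path;
# the default path below is an assumption.
param([string]$Path = 'C:\Users\Public\sample.cpp')

$item = Get-Item -LiteralPath $Path

# Timestamps: forgeable by anyone with write access ($item.CreationTime = ...),
# so treat them as hints. A creation time later than the last-write time is the
# classic sign that the file was copied onto this volume (the copy gets a fresh
# creation time but keeps the source's modification time).
[pscustomobject]@{
    CreatedUtc  = $item.CreationTimeUtc
    ModifiedUtc = $item.LastWriteTimeUtc
    AccessedUtc = $item.LastAccessTimeUtc
    LooksCopied = $item.CreationTimeUtc -gt $item.LastWriteTimeUtc
}

# Owner: a plain copy makes the copying user the owner, while a move within the
# same volume or a copy with robocopy /COPY:...O (needs SeRestorePrivilege) keeps
# the original. An owner SID that will not resolve to a name here belongs to a
# different machine or domain; its AccountDomainSid identifies which one.
$acl      = Get-Acl -LiteralPath $Path
$ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
[pscustomobject]@{
    Owner            = $acl.Owner           # DOMAIN\user if resolvable, else the raw SID
    OwnerSid         = $ownerSid.Value
    AccountDomainSid = $ownerSid.AccountDomainSid   # machine or domain that issued the SID
}

# Alternate data streams: ':$DATA' is the visible content; anything else is an
# ADS. They survive NTFS-to-NTFS copies (including over SMB) but are dropped
# when the file goes through FAT/exFAT, a zip archive or an email attachment.
Get-Item -LiteralPath $Path -Stream * | Select-Object Stream, Length

# Zone.Identifier is written by browsers, Outlook and Explorer for files that
# came from another machine and can include ReferrerUrl/HostUrl, i.e. where the
# file was downloaded from.
if (Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -LiteralPath $Path -Stream Zone.Identifier
}
```

Everything above reads the state of the volume the file currently sits on; it says nothing about the machine the text was first typed on unless that machine's SID or URL happened to ride along in the owner field or an ADS. For older metadata states on the same volume, the NTFS change journal (readable with `fsutil usn readjournal` on a live system) and the $LogFile/$MFT in a forensic image are the next places to look.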