Hello everyone,
I am working on an external hard drive. Looking at the sticker and researching the model leads me to believe the drive was manufactured in 2017. The System Volume Information folder has creation and last mod times from November 2019. Does this tell me that the drive was formatted at that time? (Nov 2019)
I would use more of the other system files such as the creation date of $MFT, etc. AFAIK, the System Volume Information is more for Volume Shadow Copy/Indexing use.
I agree with, Ed! In my experience, most recent NTFS-formatted external drives don’t ship with a “System Volume Information” folder. Instead, the folder is created when the end-user first plugs the drive into a computer.
So, the creation timestamp of the System Volume Information folder might reflect the time of first use if the drive wasn’t formatted after the fact. Another useful indicator is the absence or presence of factory-loaded software such as the manual, backup tools, etc. If such files are present and match those found on another control drive of the same specs by hash, this might be supporting evidence that the drive was likely not formatted as those files would be wiped during a format, and most end users typically wouldn’t put them back after a format.
As for the creation time of the volume, you can mount the device or its forensic image in X-Ways and sort all the items on the drive chronologically. Alternatively, you can use something along the lines of volumeinfo by grawity which queries the volume creation timestamp for NTFS volumes using the ZwQueryVolumeInformationFile function. I would expect this to produce the same result as what you see in X-Ways.
Finally, here is a quick suggestion to do further testing.
The above should help explain what you are seeing on the suspect drive. Good luck 