
Last Accessed -- Win7

(@jimgill)
Posts: 2
New Member
Topic starter
 

By default Win7 (and Vista) don't update the Last Accessed date/time stamp when one views a picture or opens a file.

How else could one determine if a picture was opened (let's presume it's not in the recent files listing)?

 
Posted : 27/02/2013 4:04 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

.lnk files, registry MRUs immediately come to mind.

Depending on what software you are using, you may be able to recover deleted copies of the picture that were previously in different locations (may indicate copy/paste type behaviour showing they were at the very least dealt with in some manner).

 
Posted : 27/02/2013 5:22 am
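Added example, not part of the thread: a .lnk file's 76-byte ShellLinkHeader (MS-SHLLINK) stores the target file's own created/accessed/modified times and size as they were when the shortcut was written, so it can still be read when NTFS Last Accessed updates are off. The function names and the sample header are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader per MS-SHLLINK: 76 bytes, little-endian.
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIME, FileSize
HEADER = struct.Struct("<I16sIIQQQI")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_lnk_header(data):
    """Return the target file's metadata as stored in the shortcut header."""
    if len(data) < 76:
        raise ValueError("truncated: ShellLinkHeader is 76 bytes")
    size, clsid, _flags, attrs, c, a, w, fsize = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    return {
        "target_created": filetime_to_dt(c),
        "target_accessed": filetime_to_dt(a),
        "target_modified": filetime_to_dt(w),
        "target_size": fsize,
        "target_attributes": attrs,
    }


def build_sample():
    """Constructed header for a hypothetical 204800-byte JPEG (not case data)."""
    created = datetime(2013, 2, 20, 9, 30, tzinfo=timezone.utc)
    modified = datetime(2013, 2, 21, 18, 5, tzinfo=timezone.utc)
    head = HEADER.pack(0x4C, LINK_CLSID, 0, 0x20, dt_to_filetime(created),
                       0, dt_to_filetime(modified), 204800)
    return head.ljust(76, b"\x00")  # IconIndex, ShowCommand, HotKey, reserved


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample()).items():
        print(f"{key}: {value}")
```

The .lnk file's own file-system timestamps are separate from these embedded values and should be recorded alongside them.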
(@jimgill)
Posts: 2
New Member
Topic starter
 

Thanks, Adam. I see that the MRU listings are numeric. What software would you suggest to search the Registry for the file names?

The lnk files work oddly. It appears as though there's a limit to how long or how many of them stick around in the Recent folder. Plus, I just tested opening some jpg files with Windows Explorer and no lnk files were created.

 
Posted : 27/02/2013 12:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"How else could one determine if a picture was opened (let's presume it's not in the recent files listing)?"

As mentioned, LNK files are a possibility.

Jump Lists are a pretty big one.

*Where* the data appears can depend a great deal on how the image was viewed…with which application. Like I said, Jump Lists are a big one, and new to Win7, and specific to both the user and the application (via the AppId).

One of the things that generally doesn't help to say is "the MRU keys", because there are many.

Do you know the extension of the image file in question? How about the graphics viewers on the system? Any indication of the file name beneath the ComDlg32 key in the user's hive?

 
Posted : 27/02/2013 6:09 pm
(@twjolson)
Posts: 417
Honorable Member
 

Internet History is a good one as well.

 
Posted : 27/02/2013 7:20 pm
(@randomaccess)
Posts: 385
Reputable Member
 

"Jump Lists are a pretty big one."

To reiterate, I would check the file extension in the registry and determine the default viewing program, then, using Mark Woan's JumpLister, have a look if a jumplist for that AppID exists.

If the file isn't in that jumplist (or the jumplist doesn't exist) then I'd start exploring other AppIDs.

 
Posted : 28/02/2013 4:07 am
(@fuzed)
Posts: 93
Trusted Member
 

I normally look at the file access history stored within the user area 'ntuser.dat' file - some refer to it as the internet history.

Also look at thumbcache db files within the folders that the images might have been stored in; if there are thumbnails in the folders then it could be argued that the images were viewed in Windows Explorer 'image view'.

As others have said MRU, LNK files are worth looking at.

 
Posted : 28/02/2013 2:09 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"I normally look at the file access history stored within the user area 'ntuser.dat' file - some refer to it as the internet history."

Can you provide a key or path to where you look? I'm sorry, but I'm unfamiliar with where "internet history" is kept in the NTUSER.DAT hive. Thanks.

 
Posted : 28/02/2013 5:14 pm
(@fuzed)
Posts: 93
Trusted Member
 

Ignore that… having a blonde moment!

User area holds the history records… and they are within the index.dat files; you'll see 'file//' and the file path to the file accessed using Windows Explorer.

 
Posted : 28/02/2013 9:24 pm