Windows' File Access Dates Unreliable


JHassell
Newbie
 

Windows' File Access Dates Unreliable

Post Posted: Oct 20, 19 23:25

I have a case in which I need to discuss the unreliability of Access dates. I know a lot and have done lots of experimenting, but I would like articles from others on how the access dates are (mis)managed. Can anyone point me to any such articles? I know they exist, but Google, Forensic Focus, The Sedona Conference haven't revealed anything helpful. Thanks!
 
  

tracedf
Senior Member
 

Re: Windows' File Access Dates Unreliable

Post Posted: Oct 21, 19 02:40

 
  

athulin
Senior Member
 

Re: Windows' File Access Dates Unreliable

Post Posted: Oct 21, 19 06:13

- JHassell
I have a case in which I need to discuss the unreliability of Access dates. I know a lot and have done lots of experimenting, but I would like articles from others on how the access dates are (mis)managed.


It would help if you identified what kind of unreliability you are looking for, and what kind of quality in the article you expect.

I don't know of any unreliability in the last access time stamp myself. There is misinterpretation and inconsistencies, some of which are identified by the already posted references. There's also a considerable reluctance to perform well-designed tests, and to repeat them when new releases of the software platform are released, to ensure the conclusions from those tests are still valid, as well as to report the results from such tests in appropriate forums. (Understandable: most FAs are not trained researchers.)

The last serious study I've seen is 'Rules of time on NTFS file system', but that applies to XP SP 2, and it can only be used for those use cases that they document (if it can be used at all). After that, all I have are blog posts, and they must generally be ignored from a critical point of view: there is no quality assurance inherent in a blog post, so no important conclusions can be based on them. They may be starting points for further research but they are not (as a rule) where you find reliable conclusions.

Where did you search? Did you do a *real* literature search, or did you just Google? I mean ... did you go to Science Citation Indexes and comparable references, and look for articles that reference known publications, such as Rules of Time and other?

If you did do all that, that is itself a result. The conclusion from it would presumably be 'Last Access Time is nowhere near as well researched and tested as it needs to be to draw any scientifically well-founded conclusions from it.' As it happens, that's more or less what I think of many of the basic areas of computer forensics, so I'm probably biased in that respect.

It should be noted that the 'truth' of time stamping is available. You license Windows (or perhaps only NTFS) source code -- at a price, of course, unless Microsoft can be convinced that the use won't infringe on their commercial prerogatives. Then you study the code, and see when and where and how time stamps stamp. (You may need to do that for several releases to explain observed differences.) It's such a comparatively simple (though expensive) task that it's difficult to understand why it has not been done already. I mean, file system time stamps *are* pretty fundamental to computer forensics, aren't they?  
 
  

maysr
Newbie
 

Re: Windows' File Access Dates Unreliable

Post Posted: Nov 06, 19 18:11

It depends on which version of Windows you are examining, and which file system.

As of Vista, Microsoft by default disables the updating of the Last Access timestamp. This was done to improve performance (the fewer writes that are made to the hard drive, the faster the system performs).

You can verify this by looking at the SYSTEM registry hive:

%systemroot%\system32\config\system ControlSet00#\Control\Filesystem NtfsDisableLastAccessUpdate. If set to 1, then the Last Accessed timestamps will not be updated.  
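An added example, not from this thread or any poster: a PowerShell function that reads NtfsDisableLastAccessUpdate from the ControlSet marked active in Select\Current, either on the live system or from an offline SYSTEM hive loaded with reg.exe. The 2/3 decoding and the high-bit "system managed" flag follow the fsutil behavior documentation for Windows 10 1803 and later, which this thread does not cover; hive and mount paths are placeholders.

```powershell
# Added example (not the thread's own content): resolve the current ControlSet and
# decode NtfsDisableLastAccessUpdate. Assumptions: paths below are placeholders; the
# 2/3 values and the 0x80000000 "system managed" bit come from fsutil behavior docs
# for Windows 10 1803+, not from this thread, which only describes 0/1.
function Get-LastAccessUpdatePolicy {
    param(
        # Registry provider path of the SYSTEM hive root (live hive by default)
        [string]$HiveRoot = 'HKLM:\SYSTEM'
    )
    # Select\Current tells us which ControlSet00# the OS actually booted with
    $current = (Get-ItemProperty -Path "$HiveRoot\Select" -Name Current).Current
    $csName  = 'ControlSet{0:D3}' -f $current
    $fsKey   = "$HiveRoot\$csName\Control\FileSystem"

    $raw = (Get-ItemProperty -Path $fsKey -Name NtfsDisableLastAccessUpdate `
                -ErrorAction SilentlyContinue).NtfsDisableLastAccessUpdate
    if ($null -eq $raw) {
        # Value absent: the OS default applies (disabled by default since Vista)
        return [pscustomobject]@{ ControlSet = $csName; Raw = $null
                                  Mode = 'value absent (OS default applies)' }
    }

    # Low two bits carry the policy; the high bit marks "system managed" (1803+)
    $policy = $raw -band 0x3
    $mode = switch ($policy) {
        0 { 'User managed, Last Access updates enabled' }
        1 { 'User managed, Last Access updates disabled' }
        2 { 'System managed, Last Access updates enabled' }
        3 { 'System managed, Last Access updates disabled' }
    }
    # DWORDs read back as Int32, so X8 prints 0x80000002-style values correctly
    [pscustomobject]@{ ControlSet = $csName; Raw = ('0x{0:X8}' -f $raw); Mode = $mode }
}

# Live system:
Get-LastAccessUpdatePolicy

# Offline hive from a mounted evidence image (placeholder paths), loaded under a
# temporary key, then unloaded again:
# reg.exe load HKLM\EvidenceSYSTEM E:\mount\Windows\System32\config\SYSTEM
# Get-LastAccessUpdatePolicy -HiveRoot 'HKLM:\EvidenceSYSTEM'
# reg.exe unload HKLM\EvidenceSYSTEM
```

Note that loading a hive with reg.exe opens it for writing, so run this only against a working copy of the evidence hive, never the original.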
 
  

thefuf
Senior Member
 

Re: Windows' File Access Dates Unreliable

Post Posted: Nov 06, 19 19:51

- maysr
It depends on which version of Windows you are examining, and which file system.

As of Vista, Microsoft by default disables the updating of the Last Access timestamp. This was done to improve performance (the fewer writes that are made to the hard drive, the faster the system performs).

You can verify this by looking at the SYSTEM registry hive:

%systemroot%\system32\config\system ControlSet00#\Control\Filesystem NtfsDisableLastAccessUpdate. If set to 1, then the Last Accessed timestamps will not be updated.


Actually, the last access updates are back for some installations of recent versions of Windows 10. And in the next release, they will be enabled by default in all installations (if Insider Preview versions don't lie).  
 
  

JHassell
Newbie
 

Re: Windows' File Access Dates Unreliable

Post Posted: Nov 07, 19 00:43

Thanks to all. I'd been thinking about a general discussion, but I think going after the specific version will be better. Obviously there could have been other versions on the device, but I should be able to deal with that.

Thanks again,
Johnette  
 
