Effect of application on file access dates

12 Posts
4 Users
0 Likes
1,330 Views
(@nbeattie)
Posts: 26
Eminent Member
Topic starter
 

Does anyone know of a list or database of applications and their effect on the access date of a file?

For example, if you use Sonic's Recordnow to burn a CD the access date of the files and folders being burned is amended.

If there is no such thing in existence, do we feel as a group that it is worthwhile setting up a project to document this information?

 
Posted : 05/06/2005 11:25 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I did some searching and asking around…and for the most part, folks are confused.

An application accesses certain files…so therefore, the effect on the last access times of those files is that they will be updated.

Maybe I'm missing something, but I'm not sure that I see the applicability of what you suggest. Can you clarify what you're asking for a bit?

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 06/06/2005 12:20 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Various processes will alter the last accessed attribute of files. Antivirus software for example.

Andy

 
Posted : 06/06/2005 2:23 pm
(@jonathan)
Posts: 878
Prominent Member
 

Even right clicking a file to see its properties will alter its last accessed date.

Lots of automated processes will change the access date/time: anti-virus scans, spyware scans, back up procedures, etc.

 
Posted : 06/06/2005 5:33 pm
(@nbeattie)
Posts: 26
Eminent Member
Topic starter
 

Sounds like I may be over-complicating this subject.

Let me put it another way.

A hard disk has numerous important files and folders which were accessed within a second of each other. We suspect that the data was burned to CD, but there are numerous other applications on the system such as virus scanner, Winzip clone, etc. The CD software has been used a number of times since and does not have a log file of any type, so we would need to work backwards.

Each application / process will amend the access dates in different ways. For example, asking the size of a folder will generally only change the access date of the folders and not the files. A file would only be amended if it was used to provide the Properties command.

It could be argued that, for example, an on demand scan of the folders was performed by the virus scanner. I know that an on demand scan by McAfee VirusScan Enterprise does not amend the date, so this question could be answered / discounted quite quickly.

So essentially what I was thinking about was the pattern of access that applications have which could be then be used to reduce the number of likely reasons for the access pattern.

I'm a newbie to this discipline, although I have worked in IT for a very long time and have used a similar process to work back through problems. Is my thinking wrong or just too complex?

Many thanks.

Neil Beattie

 
Posted : 08/06/2005 9:44 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

nbeattie,

Each application / process will amend the access dates in different ways.

It depends on what you're talking about. By that, I mean, applications only "amend the [last] access dates" in one way…they update it to the current time when they access the object (file, directory) in question. That's it.

However, based on the rest of that paragraph, you seem to be differentiating between the objects that have their last access time updated, based on the application and what it does.

It could be argued that, for example, an on demand scan of the folders was performed by the virus scanner.

True. I'm not familiar with the McAfee product that you mention (I've always used Symantec), but I would look further into that issue if I were you. Anti-virus products need to access the actual contents of the file stream in order to determine whether or not a virus is present. What the product *may be doing* is getting the MAC times, scanning the file, and then resetting the MAC times after it closes the file.

Another thing you can look at is the Application Event Log entries that pertain to the McAfee product. Many anti-virus products will automatically log their completed activity results to the Event Log.

So essentially what I was thinking about was the pattern of access that applications have which could be then be used to reduce the number of likely reasons for the access pattern.

Without some kind of logging mechanism, you won't know which files were accessed by which application, given the examples you've provided. If you know which files were burned to CD (and verified this via hashes computed against the original files on the hard drive, and the corresponding files on the CD), then you may have a chance. But it sounds like what you're trying to do is show that *any* file on the system was burned to CD at a particular time.

Is my thinking wrong or just too complex?

No offense, but perhaps a little of both. Your original post seemed to indicate your belief that different applications modify the last access time of files in different ways, and then your second post goes into patterns of access date modifications.

It seems to me that there is something you're trying to prove…perhaps that certain files were burned to CD…but you're not sharing all relevant information. This could be because either (a) you don't feel comfortable sharing the relevant information, or (b) you don't know what the relevant information is. Either way, I think that if you could clearly state what your objective is, some of us here may be able to recommend courses of action for you. There are just too many things that you seem to be assuming as fact (that aren't facts) that are hindering your investigative process.

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 08/06/2005 12:33 pm
(@nbeattie)
Posts: 26
Eminent Member
Topic starter
 

Thanks for the reply.

No offence taken - as a respected member of the profession your advice is greatly received.

I would have been better detailing the issues in the first place as I'm sure other people will learn something as well:

I am looking into a case where someone is leaving a company and suspected of taking information from a server and passing it to their new employer.

Unfortunately the laptop has been used a few times since this issue came to light so I have lost some information such as the last time that IMAPI and some other applications were used. The laptop hard disk was also defragged before it was handed back.

There was a large quantity of data copied onto the laptop which was later deleted.

There was no INFO2 file showing the deletion date for the files but from analysing the System Restore Points in XP I am pretty sure that the files were deleted between two specific dates.

Analysing the file information in FTK, I can see that around 20% of the files have access dates that are different from the original creation dates. These files can be grouped by date into 6 "sessions", where the majority of processing takes place within a number of seconds / minutes. I don't have all the data to hand, but I'm sure that the modified dates are all before the creation date.

With regards to 3 of the sets, there are corresponding entries in the My Recent Documents folder where I can see links to the folders and files. The creation and access dates for the shortcut files are very close together which would suggest that the files have been printed rather than opened. There are also other files in this folder that seem to mirror this behaviour.

With regards to the remaining sets, I know that RecordNow CD burning software was last accessed at a certain time (say 10:00) and that a processing session took place a few minutes later (10:05), then again around 10 minutes later (10:15).

Through analysing StreamMRU I can see that the CD drive was accessed shortly after the second group was processed (10:20) and that two folders with the same name as folders from the laptop were opened.

Looking at two previous sessions, which contain some really "hot" data, I can see that the access dates are within a very short time period, there are no shortcuts (either live or deleted) and I can find no other information that would allow me to prove what happened.

I have done some testing with RecordNow to see what happens to the access dates of the files and folders when they are burned to CD and they produce a pattern where all files and folders that are selected have an access date within a short period of time.

I have also done the same with some other applications that are present on the laptop to try and establish a pattern and none match the way RecordNow works.

I have the info about the cd access and opening folders that existed on the laptop, but the legal people involved would like a bit more.

Am I going too far trying to do this?

Any comments would be much appreciated.

Neil

 
Posted : 08/06/2005 3:19 pm
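The "sessions" described in the post above (files whose last-access date has moved away from their creation date, clustered a few seconds or minutes apart) can be reproduced mechanically from an exported file listing. This is an added example, not code from the thread or from FTK; the listing, paths and timestamps are constructed, and the 60-second session gap is an assumed threshold.

```python
"""Cluster files into last-access "sessions" from an exported file listing.

Added example (not from the thread). Files whose last-access time is later than
their creation time are sorted by access time and split into sessions wherever
the gap to the previous file exceeds a threshold, so that each session's
start/end can be compared against other artefacts (LNK files, MRU keys, etc.).
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample listing: (path, created, last accessed). Not real case data.
SAMPLE_LISTING = [
    ("D:\\Projects\\plan.doc",    "2005-05-20 09:00:00", "2005-05-20 09:00:00"),
    ("D:\\Projects\\costs.xls",   "2005-05-20 09:00:01", "2005-06-01 10:05:02"),
    ("D:\\Projects\\clients.mdb", "2005-05-20 09:00:02", "2005-06-01 10:05:04"),
    ("D:\\Projects\\notes.txt",   "2005-05-20 09:00:03", "2005-06-01 10:05:09"),
    ("D:\\Projects\\q1.ppt",      "2005-05-20 09:00:04", "2005-06-01 10:15:30"),
    ("D:\\Projects\\q2.ppt",      "2005-05-20 09:00:05", "2005-06-01 10:15:31"),
    ("D:\\Projects\\readme.txt",  "2005-05-20 09:00:06", "2005-05-20 09:00:06"),
]

def parse_listing(rows):
    """Turn the string timestamps into datetime objects."""
    return [(p, datetime.strptime(c, FMT), datetime.strptime(a, FMT)) for p, c, a in rows]

def accessed_after_creation(entries):
    """Keep only files whose last-access time has moved past their creation time."""
    return [e for e in entries if e[2] > e[1]]

def cluster_sessions(entries, gap=timedelta(seconds=60)):
    """Sort by access time; start a new session when the gap to the previous file exceeds `gap`."""
    sessions = []
    for entry in sorted(entries, key=lambda e: e[2]):
        if sessions and entry[2] - sessions[-1][-1][2] <= gap:
            sessions[-1].append(entry)
        else:
            sessions.append([entry])
    return sessions

def summarise(sessions):
    """Return (first access, last access, file count) per session."""
    return [(s[0][2], s[-1][2], len(s)) for s in sessions]

if __name__ == "__main__":
    found = cluster_sessions(accessed_after_creation(parse_listing(SAMPLE_LISTING)))
    for start, end, count in summarise(found):
        print(f"{start} .. {end}  ({count} files)")
```

With the constructed listing this yields two sessions, 10:05:02-10:05:09 (3 files) and 10:15:30-10:15:31 (2 files), matching the "minutes apart" pattern the post describes.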
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

…as a respected member of the profession…

Huh? Respected by whom? Dude, I'm nobody…just some guy offering his opinion, for whatever that's worth.

…lost some information such as the last time that IMAPI and some other applications were used.

Perhaps not. You mentioned later that the laptop you're looking at is an XP system. Check in the Prefetch directory for .pf files that pertain to the applications in question. Most of the .pf file is just code pages, but the files also contain Unicode strings for file paths, etc. For example, the XP systems I have access to (home, work) have two copies of Notepad…one in the Windows dir, one in the system32 dir. When I run each of them, I can go into the associated .pf file and find the path to the particular instance, in Unicode.

So, that's a possibility. Another thing you may want to look at is the LastWrite times of Registry keys associated with applications in question. If the application modifies its associated keys in any way, this will appear as updated LastWrite times on the keys.

The creation and access dates for the shortcut files are very close together which would suggest that the files have been printed rather than opened.

I'm not sure I follow this. I don't see how the proximity of the two dates on the shortcut files would indicate that the files were printed rather than opened.

Am I going too far trying to do this?

I'm not sure, b/c I don't get a clear picture of what else the legal folks are asking for. Maybe it's in the presentation…maybe the picture just isn't clear to them.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 08/06/2005 4:08 pm
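The Prefetch check above relies on the Unicode (UTF-16LE) path strings embedded among the .pf file's opaque code pages. The following is an added example, not code from the thread, that recovers such strings from a constructed blob standing in for a .pf file; the header bytes and paths are made up, and no claim is made about the real .pf layout beyond "paths are stored as UTF-16LE".

```python
"""Recover UTF-16LE path strings from a binary blob such as an XP Prefetch (.pf) file.

Added example (not from the thread). Real .pf files are mostly opaque data, but
the embedded file paths are plain UTF-16LE and can be carved out without
parsing the format.
"""
import re

def utf16le_strings(blob: bytes, min_chars: int = 6):
    """Return runs of printable ASCII stored as UTF-16LE (each char followed by a NUL byte)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]

def path_strings(blob: bytes):
    """Keep only strings that look like NT device paths (contain a backslash)."""
    return [s for s in utf16le_strings(blob) if "\\" in s]

def instances_of(blob: bytes, exe_name: str):
    """Full paths in the blob whose final component is `exe_name` (case-insensitive)."""
    suffix = "\\" + exe_name.upper()
    return [p for p in path_strings(blob) if p.upper().endswith(suffix)]

# Constructed stand-in for a .pf file: filler bytes around two embedded UTF-16LE paths.
SAMPLE_PF = (
    b"\x11\x00\x00\x00" + b"\x90\x12\x34\x56" * 8
    + "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\NOTEPAD.EXE".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 4
    + "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\NEIL\\MY DOCUMENTS\\PLAN.DOC".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for path in path_strings(SAMPLE_PF):
        print(path)
    # Which copy of Notepad does this constructed blob point at?
    print(instances_of(SAMPLE_PF, "notepad.exe"))
```

On a real image the same carving shows which of two identically named executables (the Windows vs. system32 Notepad in the post) the .pf entry belongs to.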
(@nbeattie)
Posts: 26
Eminent Member
Topic starter
 

Don't undersell yourself.

You spend the time to help out people like me who probably make you tear your hair out at times.

Been through prefetch and the registry already but couldn't find anything of relevance.

The creation and access dates for the shortcut files are very close together which would suggest that the files have been printed rather than opened.

What I meant by this is that there are shortcuts to documents being created within a few seconds of each other. Would the user really have time to open a document, close it down, then open the next one within this time period?

Neil

 
Posted : 08/06/2005 4:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Neil,

Like I said, at this point, it may simply be an issue of presentation…

Let me know if there's anything else I can help with…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 08/06/2005 5:48 pm