aside from a user clicking on an item, changing the access time; what other function could cause the access time to change without actually clicking on and viewing the item. This question mostly pertains to web cache or the thumbnails of images that rendered on a web page. Thanks in advance.
In order to save system resources, the updating of the Last Accessed date is disabled by default in Vista, Windows 7, and Windows 8.
So normally (in the default setup) nothing changes it.
In order to save system resources, the updating of the Last Accessed date is disabled by default in Vista, Windows 7, and Windows 8.
So normally (in the default setup) nothing changes it.
my understanding was that that setting only affects windows updating the last accessed date when a user accesses the file
that doesnt mean that another program couldnt change the entry
my understanding was that that setting only affects windows updating the last accessed date when a user accesses the file
that doesnt mean that another program couldnt change the entry
You're correct, other actions will cause it to change.
aside from a user clicking on an item, changing the access time; what other function could cause the access time to change without actually clicking on and viewing the item. This question mostly pertains to web cache or the thumbnails of images that rendered on a web page. Thanks in advance.
looks like a good opportunity for you to test things…honestly, the best way to go about this is to try things.
Thank you for the replies, I am new to this field and have my first CP case going to trial. I am expecting the defense to have this question. Just my luck to have my first exam go to trial and Im right out of SCERS.
Thank you for the replies, I am new to this field and have my first CP case going to trial. I am expecting the defense to have this question. Just my luck to have my first exam go to trial and Im right out of SCERS.
Well some things to consider
1. What version of Windows are you dealing with?
2. Did you create a timeline of system and user activity? You may be able to narrow down the range of the possible by showing what occurred around the time in question.
Its Windows XP SP3.
What I am mostly trying to do is determine if something else "could" have accessed all the cache thumbs. So far the only program on his machine third party is CCleaner which I have DL and ran it didn't change any access time on my computer when I ran an analysis. Also How can I verify someone didn't use a file changer. I did not find one installed. All of the times on the htmls and thumbs are really early in the morning as if its what he does while the wife is asleep.
The state told me when the wife found CP she took the laptop to a repair shop to have the HD removed so she could install a new HDD and keep the laptop. Shes angry of course; if I get asked how do you know the wife didnt pay the man to change the access times to a time that puts the computer in his hands, I want to be able to answer it. This is a question the state is worried about.
If the recording of access times is in fact turned on, then one would imagine that there are lots of things that might access the file.
e.g.
Malware scanning programs, File backup software, hard drive indexing and searching software, any software package that generates thumbnails of image files, etc..
a few things
Have you put together a timeline of activity that includes the times from the files found in webcache along with the webhistory?
Was his webhistory cleared?
Someone using a program to modify cache times, I would say, is unusual. You could have a look at prefetch files for the programs that have been run recently…say when she took the computer to the store
its tricky if they ask was the hard drive moved from one computer to another and the files placed on it. but then you could look at your timeline and look for things youd expect to see…ie general activity, event logs, internet history going on etc
i think it all comes down to a timeline if your relying on things youve found in web cache.
If you've got a copy of internet evidence finder (magnet forensics) i'd look through that; it has a timeline feature that you can potentially use to see what was happening online.
either way, you're saying that the wife found CP on the computer. I would think that the defense would be more inclined to ask about the files she found rather than the webcache (unless she was computer literate enough to go through cache). For a one off occurance in webcache its not unlikely that the defense would suggest that a) you cant put him behind the computer, b) a virus did it or c) he clicked a link or went to a regular website that may have had CP that made an automatic copy of the pictures and therefore does not constitute possession
I'm thinking a lot outloud here, but I usually dont rely on access times for files unless I've got other things (link files, or IE history file access in this case) to back the access up