Accessed Time Earlier than Created Time

6 Posts
4 Users
0 Likes
1,068 Views
(@awilder)
Posts: 1
New Member
Topic starter
 

I have several JPG files that are in a user's Download folder, PC running Windows 10. They appear to have been downloaded from the web using Google Chrome. All of the files show an Access time that is about 3 seconds prior to the Creation and Modified time. Can anyone advise what would cause this?

Thanks!

 
Posted : 12/05/2020 1:43 am
(@the_df_guy)
Posts: 4
New Member
 

Last Accessed times in Windows 10 are unreliable, as the way they are updated has changed significantly in recent years. For example, anti-virus can update Last Accessed time stamps (I'm not saying this is the case here, I don't know enough about the case).

If you need to prove access, try looking at Prefetch, Lnk files, JumpLists etc. These are excellent sources of 'User file knowledge'.

Also, on a side note, I don't know how you know these files were downloaded from Chrome, but try and analyse the Alternate Data Streams (ADS) of the files. If you have a Zone.Identifier = 3, that is a file that has been downloaded from the internet; you may also get the URL from which the file was downloaded.

I hope this helps.

 
Posted : 12/05/2020 2:56 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

The modified time is (usually) the time that the download finished, and I would often expect this to be later than the accessed time, which is usually set on creation and not updated.

There is a registry key that, if turned on, allows the accessed timestamp to be updated but, AFAIK, this is off by default.

Note, these are all generalisations and the specific machine you are examining may be set up differently.

There are a couple of things that might be able to help you here.

The Chrome download records: when do they say that the file was downloaded (start/end time), and does this match the timestamps you have?

USN journal: can you see when the file was first created on the system? It may have been named something different to its current name while it was being downloaded, so use the File Reference (union of MFT number and sequence number) to find all the history for this file.

Check the second set of timestamps in the MFT to see if these differ from the ones you are seeing. It will be in the Filename info (attribute 0x30 00 00 00) for that file. In X-Ways, it displays as created date 2, modified date 2 etc.

Might also be worth verifying the accessed timestamp yourself in the MFT, just in case there is an error in interpreting it.

Lastly, if this is in a folder that syncs from other devices it may be caused by the difference in time it takes to sync the data.

 
Posted : 13/05/2020 6:08 am
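As an added example (not code from any poster in this thread), a small Python script that does the manual check suggested above: parse the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) timestamps straight out of an MFT record and flag an accessed time earlier than the created time, plus any disagreement between the two sets (the "date 2" columns). The record it parses is constructed inline to reproduce the 3-second gap from the original question; only resident attributes are handled, and the parser and builder are hypothetical helpers, not part of any tool.

```python
import struct
from datetime import datetime, timedelta, timezone

# Hypothetical MFT record parser: reads $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) directly.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEYS = ("created", "modified", "mft_modified", "accessed")  # on-disk order of the four FILETIMEs

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)  # FILETIME = 100-ns ticks since 1601-01-01 UTC

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10  # integer division keeps it exact

def parse_timestamps(record):
    assert record[:4] == b"FILE", "not an MFT FILE record"
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of the first attribute
    si = fn = None
    while struct.unpack_from("<I", record, off)[0] != 0xFFFFFFFF:  # end-of-attributes marker
        attr_type, length = struct.unpack_from("<II", record, off)
        c_off = struct.unpack_from("<H", record, off + 0x14)[0]  # resident content offset
        if attr_type == 0x10:    # $STANDARD_INFORMATION: four timestamps at the start
            si = dict(zip(KEYS, struct.unpack_from("<4Q", record, off + c_off)))
        elif attr_type == 0x30:  # $FILE_NAME: 8-byte parent reference, then four timestamps
            fn = dict(zip(KEYS, struct.unpack_from("<4Q", record, off + c_off + 8)))
        off += length
    return si, fn

def check_record(record):
    si, fn = parse_timestamps(record)
    findings = []
    if si["accessed"] < si["created"]:  # the symptom from the original question
        gap = (si["created"] - si["accessed"]) / 10_000_000
        findings.append(f"SI accessed precedes SI created by {gap:.1f}s")
    for k in KEYS:  # compare against the second set of timestamps in $FILE_NAME
        if si[k] != fn[k]:
            findings.append(f"{k} differs: SI={filetime_to_dt(si[k])} FN={filetime_to_dt(fn[k])}")
    return findings

def _resident_attr(attr_type, content):
    length = (24 + len(content) + 7) & ~7  # 24-byte resident header + content, 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (length - 24 - len(content))

def build_sample_record():
    # Constructed record (not from a real disk): SI accessed 3 s earlier than created, FN all equal.
    created = dt_to_filetime(datetime(2020, 5, 10, 14, 0, 3, tzinfo=timezone.utc))
    accessed = created - 3 * 10_000_000
    si = struct.pack("<4Q", created, created, created, accessed) + b"\x00" * 40
    fn = struct.pack("<5Q", 5, created, created, created, created) + b"\x00" * 26  # parent ref 5
    header = b"FILE" + b"\x00" * 16 + struct.pack("<H", 56) + b"\x00" * 34  # first attribute at 56
    return header + _resident_attr(0x10, si) + _resident_attr(0x30, fn) + b"\xff" * 4 + b"\x00" * 4
```

On a real system the record bytes would come from the $MFT of the imaged volume (1024-byte records); an empty findings list means the two timestamp sets agree and accessed is not earlier than created.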
(@thefuf)
Posts: 262
Reputable Member
 

There is a registry key that, if turned on, allows the accessed timestamp to be updated but, AFAIK, this is off by default.

No.

 
Posted : 13/05/2020 11:13 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

There is a registry key that, if turned on, allows the accessed timestamp to be updated but, AFAIK, this is off by default.

No.

Interesting article, hadn't realised there had been a change.
I've just looked at my investigation machine, which is 1809 (Nov 2018).
Mine is set to "0x80000003 System Managed, the “Last Access” updates are disabled" and hasn't been changed from default.

Might do some testing to see if I can get it to update access times, but seems unlikely based on the "volume smaller than 128GiB".

I guess a lot of devices will have a larger main volume than 128GiB, though a few smaller netbooks and the like will possibly still be viable for the Access time update.

 
Posted : 13/05/2020 1:41 pm
(@thefuf)
Posts: 262
Reputable Member
 

There is a registry key that, if turned on, allows the accessed timestamp to be updated but, AFAIK, this is off by default.

No.

Interesting article, hadn't realised there had been a change.
I've just looked at my investigation machine, which is 1809 (Nov 2018).
Mine is set to "0x80000003 System Managed, the “Last Access” updates are disabled" and hasn't been changed from default.

Might do some testing to see if I can get it to update access times, but seems unlikely based on the "volume smaller than 128GiB".

I guess a lot of devices will have a larger main volume than 128GiB, though a few smaller netbooks and the like will possibly still be viable for the Access time update.

Just wait for the next update (20H1). You will have this enabled regardless of the system volume size.

 
Posted : 13/05/2020 3:34 pm