In EnCase, do we use the entry modified date or last accessed date for the deletion?
The only place Windows logs a deletion date is in the INFO2 file in the recycle bin.
BlueDragon,
The Entry Modified date is an NTFS feature and is to do with when the record was last updated rather than the file it points to, but as GMarshall points out, only INFO2 records keep a deleted date.
Steve
Thanks guys,
I had tried to take a look at the INFO2 files but did not manage to get any deletion dates for the deleted files I'm interested in.
I even tried recycle bin info record finder but with no success.
Although it's not 100%, one can consider file times representative of the last known time that the file was in an allocated state. There is no process I'm aware of that would update these times (or access the MFT record at all) after the file is deleted (except for some type of undelete program, and obviously the files would no longer be deleted).
Further, I have found that in every circumstance I tested, the modified time will indeed represent the time of the deletion.
You can probably get an answer from someone at Guidance on the EnCase message boards.