
Folder Last Accessed Time Stamp question

10 Posts
6 Users
0 Reactions
1,983 Views
(@stephenj30)
New Member
Joined: 13 years ago
Posts: 3
Topic starter  

Hello,
I haven't been able to find an answer to this question and figured I would turn it over to more experienced users.

I have an NTFS formatted drive that has a folder which contains a bunch of subfolders (and files in those subfolders). The last accessed time stamp for all of the folders and subfolders shows that they were all accessed in succession (many times a second or so after the folder above it was accessed), but the files in those folders and subfolders don't show the same last accessed time stamp. All the files in those folders/subfolders show an older time stamp. Based on the last accessed timestamp, it appears all the folders and subfolders were touched in some way but not the files.

Does anyone know how this would be possible or what kind of utility would touch a folder and subfolders (updating their last accessed time stamps) but not the files in those folders and subfolders?

I tried running the dir command to show only folders (dir /ad /b), but every time I clicked on a file in those folders (to see if the last accessed time stamps changed), the act of right-clicking the files to view their properties changed the last accessed time stamp. Basically I am spoiling my own results. When performing these timestamp change tests, is there a proper way to view last accessed timestamps without clicking on the file to view its properties, or do I need to image the drive every time I run a test and then check the properties of the files from the image?

thanks.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Which operating system and version are you dealing with?


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

I don't typically give much credence to last accessed. There are so many innocuous methods that may update them that any conclusion you draw may be inherently doubtful. Sure, you may find a method that updates the folder Last Access and not the files, but can you really say nothing else would produce the same results?

What are you trying to prove or disprove?

What I would do is this. Set up a VM with the same OS and SP as the original evidence. Load the .vmdk into FTK Imager, or another program and get a baseline of the last access times of your target. Run a test, for instance the command you mentioned. Do nothing else. Pause the VM and load the .vmdk again and see what has changed. Restart, do another test, pause and load the .vmdk into a program, etc.


   
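A script form of the baseline-then-compare test described in the post above, added here as an example; it is not code posted by anyone in this thread and it is not the FTK Imager workflow itself. It is Python, and it assumes you can point it at a tree you are allowed to read offline (the paused VM's disk mounted read-only, or a folder exported from the image): take a snapshot before the test, run the candidate operation (the zip, the Explorer copy, the DIR /S) inside the VM, take a second snapshot from the disk afterwards, and diff. The snapshot walks the tree with os.scandir, which on Windows is backed by FindFirstFile data, so the snapshot itself opens no files and does not touch any file's last accessed time; listing a folder on a live system can still update that folder's own last accessed time, which is exactly why the snapshots should come from the offline disk. The sample tree, the file names and the os.utime "folders touched one second apart" simulation are constructed for the demo and stand in for whatever operation you are actually testing.

```python
import os
import time
from collections import namedtuple

# One record per folder or file: whether it is a folder, and its last-accessed
# time in nanoseconds since the epoch as the file system reports it.
Entry = namedtuple("Entry", "is_dir atime_ns")


def snapshot(root):
    """Record the last-accessed time of every folder and file under root.

    os.scandir is used on purpose: on Windows it is backed by FindFirstFile
    data, so no file is opened and no file's last-accessed time is touched by
    taking the snapshot.  Listing a folder on a live system can still update
    that folder's own last-accessed time, so take both snapshots from an
    offline copy (paused VM disk, mounted image) when the folders matter.
    """
    snap = {".": Entry(True, os.stat(root).st_atime_ns)}

    def walk(path, rel):
        with os.scandir(path) as it:
            for e in it:
                r = os.path.join(rel, e.name) if rel else e.name
                is_dir = e.is_dir(follow_symlinks=False)
                st = e.stat(follow_symlinks=False)  # no file handle on Windows
                snap[r] = Entry(is_dir, st.st_atime_ns)
                if is_dir:
                    walk(e.path, r)

    walk(root, "")
    return snap


def changed_entries(before, after):
    """Entries present in both snapshots whose last-accessed time differs.

    Returns a list of (relpath, is_dir, old_atime_ns, new_atime_ns).
    """
    changes = []
    for rel, new in after.items():
        old = before.get(rel)
        if old is not None and old.atime_ns != new.atime_ns:
            changes.append((rel, new.is_dir, old.atime_ns, new.atime_ns))
    return changes


def classify(changes):
    """Summarise what the tested operation touched: none, folders-only, files-only or mixed."""
    dirs = any(is_dir for _, is_dir, _, _ in changes)
    files = any(not is_dir for _, is_dir, _, _ in changes)
    if dirs and files:
        return "mixed"
    if dirs:
        return "folders-only"
    if files:
        return "files-only"
    return "none"


def folder_sequence(changes):
    """Folders whose last-accessed time changed, in the order they were touched.

    Each item is (relpath, new_atime_ns, seconds_since_previous_folder); the
    gap column makes the 'one after another, a second or so apart' pattern
    from the original question visible.
    """
    touched = sorted(((rel, new) for rel, is_dir, _, new in changes if is_dir),
                     key=lambda item: item[1])
    seq, prev = [], None
    for rel, atime in touched:
        gap = 0.0 if prev is None else (atime - prev) / 1e9
        seq.append((rel, atime, gap))
        prev = atime
    return seq


def make_sample_tree(root):
    """Constructed sample tree: root/a/f1.txt and root/a/b/f2.txt."""
    os.makedirs(os.path.join(root, "a", "b"))
    for rel in ("a/f1.txt", "a/b/f2.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as f:
            f.write("sample\n")


def touch_folders_in_succession(root, rels, start_ns=None, step_ns=10**9):
    """Simulate the pattern in the question for the demo only: set each folder's
    last-accessed time one step apart and leave the files alone.  In a real
    test the 'touch' is the operation you run inside the VM, not os.utime."""
    t = start_ns if start_ns is not None else time.time_ns() + 3600 * 10**9
    for rel in rels:
        p = os.path.join(root, *rel.split("/"))
        os.utime(p, ns=(t, os.stat(p).st_mtime_ns))
        t += step_ns


def demo_folders_only():
    """End-to-end constructed run; returns (pattern, changed_folders, changed_files, sequence)."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp()
    try:
        make_sample_tree(root)
        before = snapshot(root)
        touch_folders_in_succession(root, ["a", "a/b"])
        after = snapshot(root)
        changes = changed_entries(before, after)
        folders = {rel for rel, is_dir, _, _ in changes if is_dir}
        files = {rel for rel, is_dir, _, _ in changes if not is_dir}
        return classify(changes), folders, files, folder_sequence(changes)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    pattern, folders, files, seq = demo_folders_only()
    print("pattern:", pattern, "| folders:", sorted(folders), "| files:", sorted(files))
    for rel, atime, gap in seq:
        print(f"  {rel:<8} atime_ns={atime} +{gap:.1f}s")
```

For a real case, replace the demo with two calls to snapshot() against the offline tree, one before and one after the operation under test, and feed the result to changed_entries(); a "folders-only" classification with a tight folder_sequence() is the pattern the original question describes, and a "mixed" result from, say, a DIR /S or a Search tells you that candidate does not match.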
(@stephenj30)
New Member
Joined: 13 years ago
Posts: 3
Topic starter  

keydet89 - this is on a Windows XP SP3 computer.

twjolson - that's a great recommendation. I didn't know you could import .vmdks into FTK Imager! That will definitely be useful for testing.

Not really trying to prove or disprove anything, rather just trying to figure out how this strange timestamp anomaly could be created. You would think if a utility was touching all the folders, subfolders and files in those subfolders, it would change the last access timestamp of everything, not just the folders and subfolders.

A person on another forum just wrote me and thought that this was indicative of an archive program being used to zip up all of the files and folders, which would change the last accessed time stamp of the folders and subfolders in successive order but not change the file time stamp. I haven't had a chance to test this out yet to confirm.


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

The likely answer is that this top-level folder was right-clicked, copied and then pasted to a destination using Windows Explorer.

This is classic behavior of mass copy of a top level folder and all its children in which Last Accessed timestamps of the folders are changed as the copy progresses, but the files themselves are not.

Check USB artifacts and you may find a device insertion time just prior.

The following is a paper presented at DFRWS 2011: http://www.dfrws.org/2011/proceedings/13-345.pdf

I've done some testing on the claim myself and while hit and miss, the theory is plausible and it sounds like you may have found a real world example.

Note: by 'hit or miss', the theory is that a sufficiently large top-level structure has to be copied in order to 'stand out' against the file system timeline. This is not always the case and is yet another example of how "proving someone stole data via USB" is provable only under very specific circumstances and not attainable using repeatable processes.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> This is classic behavior of mass copy of a top level folder and all its children in which Last Accessed timestamps of the folders are changed as the copy progresses, but the files themselves are not.

Or, also, of a "normal" Search or DIR /S...

We are talking about this paper here:
http://www.forensicfocus.com/Forums/viewtopic/t=9329/
where the author is also taking part.

jaclaz


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Thanks Jaclaz - how the heck did I miss that thread? *sigh*


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> Thanks Jaclaz - how the heck did I miss that thread? *sigh*

Someone connected a USB stick to your brain 😯 and stole some data from it? (BTW leaving no traces) ;) :D

jaclaz


   
(@stephenj30)
New Member
Joined: 13 years ago
Posts: 3
Topic starter  

thanks guys. I really appreciate the help!


   
joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
 

A bit late, and maybe I'm biased, but I personally think my own MFTRCRD is very handy for this kind of stuff: testing and quickly dumping the result to the console.


   