HFS+ Last Access Times

General (Technical, Procedural, Software, Hardware etc.)

Last Post by brede 17 years ago

2 Posts

2 Users

0 Reactions

368 Views

RSS

pronie2121

(@pronie2121)

Estimable Member

Joined: 17 years ago

Posts: 117

Topic starter 22/08/2008 2:41 am

Hi All,
In looking through an Apple computer and all I see are Created and Last modified times, I find this odd that when putting the drive in FTK or Encase it is able to show last access times. When using MacForensicsLab or just parsing through as a mounted drive the last access times are no where to be found. Has anyone have any information regarding where these last access times are coming from and why Encase and FTK can pull them but not MacForensicsLab. Is there a way to access them on the Apple system? Encase and FTK have both said they do not know where the last access times are pulled from.

Quote

brede

(@brede)

Trusted Member

Joined: 20 years ago

Posts: 64

22/08/2008 12:57 pm

check the offset 53 of Catalog key for a certain file.

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
191 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed