I am reviewing a case for an external drive in EnCase and I'm trying to determine some last access dates for a case. I have a few documents in a folder that has the last accessed dates no later than 1/15/11 with some having Entry Modified dates no later than 7/5/11.
What are some possible explanations where the Entry Modified date would be later than last Accessed?
It depends on the OS…as of Vista, Windows no longer updates the last accessed date, by default…
..also depends on other factors…such as, we the file copied/moved to the drive, rather than created there, etc…
Are you looking at the Entry Modified column in EnCase?
Isn't this the column that holds the date/time relating to the MFT record for the file, rather than the file itself?
The Entry Modified can be updated without the contents of the file being updated e.g the physical location of the file gets altered due to a defrag, the file is moved to another location on the same volume etc.
And as Harlan points out, Vista onwards doesn't always update the 'Last Accessed' date/time…
Regards
Paul
Another example disk defragmentation
Sorry guys - been hasty reading paulandewsfca reply. Just noted that this has been covered already.
I believe the Registry Key is the same for XP, Vista and 7… but I'm going on memory (Which is still suffering from Turkey overload) and the regedit on my Win7 machine.
You can navigate the registry to
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
NtfsDisableLastAccessUpdate (1) Yes —– (0) No
Cheers
For the record - the "Entry Modified" date changes even when you rename the file.
Edit Shaman, the "Entry Modified" column in EnCase refers to the modified timestamp attribute in the $MFT record - the "Last Accessed" timestamp is a different beast. Hence renaming a file will change the "Entry Modified" timestamp, but not "Last Accessed" (or, in fact, "Last Written").
does encase refer BIOS time/date and OS time/date……? wat happen if user changed the date/time…?