Notifications
Clear all

Last Accessed

5 Posts
3 Users
0 Likes
916 Views
Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Has anyone encountered a situation where lots (thousands) of files have an updated Last Accessed metadata field, but every other metadata field is not updated?

 
Posted : 25/09/2019 7:58 pm
(@thefuf)
Posts: 262
Reputable Member
 

Has anyone encountered a situation where lots (thousands) of files have an updated Last Accessed metadata field, but every other metadata field is not updated?

Yes, this isn't something unusual.

 
Posted : 25/09/2019 9:42 pm
Samuel1
(@samuel1)
Posts: 63
Trusted Member
Topic starter
 

Terrific – what software did you find that caused this behavior in your experience?

Thank you!

 
Posted : 25/09/2019 9:44 pm
(@thefuf)
Posts: 262
Reputable Member
 

Terrific – what software did you find that caused this behavior in your experience?

Thank you!

Is your question about Windows and NTFS? If yes, then any tool that opens a file in a way which doesn't preserve its last access timestamp can do this (unless the last access updates are disabled, which isn't always the case in recent versions of Windows 10).

 
Posted : 25/09/2019 9:49 pm
(@athulin)
Posts: 1156
Noble Member
 

Has anyone encountered a situation where lots (thousands) of files have an updated Last Accessed metadata field, but every other metadata field is not updated?

If we knew exactly what operations cause Last Access to be updated, this would be easier to understand. At present, I believe, we know some of them, but not all.

I think any operations that opens a file (from the NTFS viewpoint, not the human viewpoint; if you know Windows programming, that would correspond to a successful call to the CreateFile() function) triggers a change – but I have not tested it fully (I really will have to do that some day). As a NTFS file includes metadata and possibly also ADSs, any attempt to access either or both of those would cause a Last Access update.

For example, in Win XP (and probably later, though I can't recall verifying it), just moving the cursor over a file icon in the Windows Shell GUI caused an updated of Last Access. The reason was that lingering on the icon caused a popup with some relevant metadata. In order to get at that data, Windows Shell had to open the file.

However, as it is (or was) fairly easy to prevent Last Access to be updated. We don't know exactly what tools actually do this systematically, (what NTFS does by default, and what a tool makes NTFS to, may be different. Tests must take such differences into account.)

Antivirus software in general opens files in a way that prevents file stamps to be updated, but there could easily be exceptions. But long time back, there was at least one AV product that didn't, and caused this kind of behaviour. (Backup tools probably do so, too.)

A file archiver might be a tool that reads a lot of files more or less at once, causing Last Access to update. But only tests will tell you if a particular archiver actually does so. Tools like WinDirStat might also do so.

As Last Access is changed by just about anything you do, it has, generally, comparatively small value for computer forensics.

 
Posted : 26/09/2019 5:08 am
Share: