Hi ALL,
I have the following challenge
On Win 10 x64 I have one video file
From $MFT
Created Time 30/11/2015 01:35:51
Last Accessed 30/11/2015 01:35:51
Link File confirms the last accessed time and file created (SO 28-52)
Last Accessed 30/11/2015 01:35:51
However, the creation time of the link from $MFT is later on and it is 30/11/2015 02:50:29
Also, the Creation Date/Time of the other link files is also after the files were created, which would be fine if the file was saved on this computer e.g. at 30/11/2015 01:35:51 and Last Access would occur later on (e.g. Creation date/time of the link file or later), but then the Last Accessed Date/Time inside the link file should be the same as the link file creation time or later on, BUT IT IS NOT.
So my question is: IS LAST ACCESS DATE/TIME from within the link file relating to the Target File on Win 10 OS still updated (SO 36-44)?
Has anyone tested this? I am not sure how to explain why the Last Accessed within the Link File is earlier than the creation of the link file itself - surely this should be updated.
Perhaps there is detailed research on the behaviour of link files in Win 10, including their structure in HEX? I know they have changed slightly since Win 8. A URL would be very helpful.
Many Thanks.
use my lnk parser and you will see all the structure there is.
with how you described things it's hard to tell what is going on.
on win10, last access never changes unless enabled in the Registry, so it will typically match created date.
the lnk (notice there is no i in there) file's created time has no bearing on the target file's timestamps. lnk files, for the most part, get created when a file is opened, not when it is created. Windows 10 does some interesting things on creating lnk files before a file is opened, but afaik, not for EVERY file.
there are two sets of dates typically used when looking at lnk files
1. the dates for the lnk file itself
2. the internal dates from the target file.
These two sets of dates can tell us things, but they do not necessarily relate to each other.
i don't know what parser you are using but as i mentioned earlier, use mine and see if it clears things up.
you can use the target tracker block to get an idea of when a lnk file was created as well. this, in addition to the machine name, would tell you if the lnk file was copied from one machine to another, etc. based on the name and mac address in the tracker block.
additionally you will have a bunch of MFT information (entry and seq #s) from the targetID blocks.
start here
https://
and read about all the updates
you can get the latest version from the Software link at the top
additionally, the lnk parsing code is open source and is on Github. you can reference that to get an understanding of what is going on under the covers.
i am not aware of any changes in windows 10 in structure.
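An added example, not part of the original posts and not the parser mentioned above: a short Python sketch that reads the target timestamps stored inside the link header (the offsets 28-52 quoted in the question) and the machine name, MAC address and embedded time from the tracker block described in the reply. It assumes the published shell link layout, finds the tracker block by a signature search rather than a full structure walk, and uses a constructed sample whose machine name, MAC and times are made up to mirror the thread.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME base
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)     # version-1 UUID base
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
US = timedelta(microseconds=1)

def header_times(lnk):
    """Target file timestamps stored in the 76-byte ShellLinkHeader (offsets 28-51)."""
    if struct.unpack_from("<I", lnk)[0] != 0x4C or lnk[4:20] != LINK_CLSID:
        raise ValueError("not a shell link header")
    names = ("created", "accessed", "written")
    ticks = struct.unpack_from("<QQQ", lnk, 28)      # 100-ns ticks since 1601, UTC
    return {n: FILETIME_EPOCH + (t // 10) * US if t else None for n, t in zip(names, ticks)}

def tracker(lnk):
    """Decode the TrackerDataBlock. Shortcut: found by size+signature, not an ExtraData walk."""
    pos = lnk.find(struct.pack("<II", 0x60, 0xA0000003))
    if pos < 0 or len(lnk) < pos + 0x60:
        return None
    out = {"machine": lnk[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace"),
           "mac": None, "id_time": None}
    oid = uuid.UUID(bytes_le=lnk[pos + 48:pos + 64])  # file object ID from the Droid pair
    if oid.version == 1:                              # only v1 UUIDs embed time and node
        out["mac"] = ":".join(f"{b:02x}" for b in oid.node.to_bytes(6, "big"))
        out["id_time"] = UUID_EPOCH + (oid.time // 10) * US
    return out

def build_sample():
    """Constructed sample (not a real artifact): header plus one tracker block."""
    ft = (datetime(2015, 11, 30, 1, 35, 51, tzinfo=timezone.utc) - FILETIME_EPOCH) // US * 10
    hdr = struct.pack("<I16sIIQQQ", 0x4C, LINK_CLSID, 0, 0x20, ft, ft, ft) + b"\0" * 24
    t = (datetime(2015, 11, 30, 2, 50, 29, tzinfo=timezone.utc) - UUID_EPOCH) // US * 10
    oid = uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, (t >> 48) | 0x1000,
                            0x80, 0x01, 0x001122334455))
    blk = struct.pack("<IIII16s", 0x60, 0xA0000003, 0x58, 0, b"EXAMPLE-PC")
    return hdr + blk + (b"\0" * 16 + oid.bytes_le) * 2

if __name__ == "__main__":
    sample = build_sample()
    print(header_times(sample))
    print(tracker(sample))
```

The header values are a copy of the target's timestamps taken when the link was written, so they are compared with the target's $MFT record, while the link file's own $MFT times are a separate set.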
So my question is: IS LAST ACCESS DATE/TIME from within the link file relating to the Target File on Win 10 OS still updated (SO 36-44)?
Has anyone tested this? I am not sure how to explain why the Last Accessed within the Link File is earlier than the creation of the link file itself - surely this should be updated.
I'm not entirely sure what needs to be tested.
https://
Checking the Registry of a live system shows me that the NtfsDisableLastAccessUpdate value is, indeed, set to 1, which indicates that it remains the default setting since Vista.
I hope that helps.