M.A.C times and Hashing

6 Posts
3 Users
0 Reactions
709 Views
(@adamd)
Eminent Member
Joined: 19 years ago
Posts: 46
Topic starter  

Does anyone know of a md5deep type utility that can create an md5 digest without changing the access times on an NTFS drive?


binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

It depends on how you mount the partition - not the utility you are using.

In Linux use the ntfs-3g mount utility to mount the drive using the 'ro' and 'noatime' options. You should then be able to use md5deep without modifying the last accessed time. Of course the output needs to be written to a partition you have rw access to… As always, it is probably best to try this out and see that it works as expected on a test partition before using it on your evidential one.

In Windows the best option is to use a write blocker (actually it's probably the best option, whatever OS you use; less complicated.)

Paul


(@adamd)
Eminent Member
Joined: 19 years ago
Posts: 46
Topic starter  

Sorry, I probably should have explained myself better. It actually needs to run over a live server volume without modifying it as the access time is important.

The application isn't specifically forensic, more monitoring, otherwise I would have done the obvious as you suggested.


binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

My choice would be EnCase FIM or Enterprise then - expensive, but it works.

The problem with accessing via open source tools is that by and large they all use the standard libraries for opening files and these rely on the OS providing the file in the usual way (The filesystem service handles file access in a way that is transparent to the programmer and it is this service that updates the MAC times as per the mount instruction). It is possible to write code to access the file directly on disk and bypass the filesystem but that (I would imagine) is a bit difficult to do and how many people would use the resultant tool?

Of course there may be a tool out there that will provide the service you want but I'm not aware of it, sorry.

Paul
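As an added example (not code from this thread, md5deep, EnCase or F-Response), the Linux-side version of Paul's point: a hashing routine that asks the kernel, via the O_NOATIME open(2) flag, not to update the access time for that descriptor, and then checks by comparing st_atime_ns before and after that the atime really was preserved. This goes beyond the thread: it is Linux-only, requires the caller to own the file (or hold CAP_FOWNER), and says nothing about a live NTFS volume on Windows.

```python
"""Hash a file on Linux without updating its access time (added example).

Normal open()/read() goes through the VFS, which updates atime as the
mount options dictate. O_NOATIME asks the kernel to skip that for this
descriptor; it needs file ownership or CAP_FOWNER and a filesystem that
honours it, so the result includes a check that it actually worked.
"""
import hashlib
import os
import tempfile

# Fall back to 0 (no extra flag) where O_NOATIME is unavailable (e.g. macOS).
O_NOATIME = getattr(os, "O_NOATIME", 0)


def hash_file_noatime(path, algorithm="md5", chunk_size=1 << 20):
    """Return (hexdigest, atime_preserved) for path.

    atime_preserved compares st_atime_ns before and after the read, so the
    caller can verify the flag took effect on this particular filesystem.
    """
    before = os.stat(path).st_atime_ns
    digest = hashlib.new(algorithm)

    def opener(p, flags):
        # Python passes O_RDONLY|O_CLOEXEC here; we add O_NOATIME to it.
        return os.open(p, flags | O_NOATIME)

    with open(path, "rb", opener=opener) as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    after = os.stat(path).st_atime_ns
    return digest.hexdigest(), before == after


def demo():
    """Constructed sample: a temp file this process owns, so O_NOATIME applies.

    Returns (digest, atime_preserved, digest_matches_reference).
    """
    data = b"sample evidence data\n" * 1000  # constructed content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        digest, preserved = hash_file_noatime(path)
    finally:
        os.unlink(path)
    return digest, preserved, digest == hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    print(demo())
```

On a mount that is already noatime the check passes trivially; under the default relatime a fresh file would normally get its atime bumped on first read, which is exactly what the flag prevents.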


(@jelle)
Trusted Member
Joined: 18 years ago
Posts: 52
 

My choice would be EnCase FIM or Enterprise then - expensive, but it works.

Paul

I would go for F-Response Field Kit edition, inexpensive but it works 😉


binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

I would go for F-Response Field Kit edition, inexpensive but it works 😉

I suppose I would in reality, but we have FIM in the office - don't have F-Response 😉

Paul

