Hello,
Can anyone tell me how one deals with interpreting access times on compromised systems when the user runs (or admins run) malware scanners on the system daily. If the scanner touches every file I am assuming that it will change the access time of every file on the system. Doesn't that create a challenge when trying to use MAC times, specifically the "A" times?
Thanks,
Mark
Yes, of course it modifies the 'A' times. You may try to distinguish between files touched by the scanner and those touched by the user by inspecting the log file that the scanner might have generated, and the rules defining which files/folders are scanned.
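One way to put the reply above into practice, as an added example that is not part of this thread: a Python script that correlates a scanner's log of scanned paths with the files' access times, labelling each A time as explained by a logged scan or not, and separately listing files whose M or C times changed after the last scan pass (a read by the scanner does not alter those). The log format, the paths and the MAC-time values are constructed for illustration, not taken from any real scanner.

```python
"""Separate scanner-induced access times from other accesses by correlating
file MAC times with an antivirus scanner's log. Example code; the log format
and file records below are constructed, not from any real product."""
from datetime import datetime, timedelta

# Constructed scanner log: one "<ISO timestamp> SCANNED <path>" line per file.
SCANNER_LOG = """\
2009-03-02T02:00:01 SCANNED C:/Users/mark/Documents/budget.xls
2009-03-02T02:00:02 SCANNED C:/Users/mark/Documents/notes.txt
2009-03-02T02:00:03 SCANNED C:/Windows/System32/cmd.exe
"""

# Constructed MAC-time records, as a timeline tool might export them:
# path -> (Modified, Accessed, Created/Changed), all ISO 8601.
FILE_RECORDS = {
    "C:/Users/mark/Documents/budget.xls":
        ("2009-02-27T16:10:00", "2009-03-02T02:00:01", "2009-02-27T16:10:00"),
    "C:/Users/mark/Documents/notes.txt":
        ("2009-02-20T09:00:00", "2009-03-02T14:37:12", "2009-02-20T09:00:00"),
    "C:/Windows/System32/cmd.exe":
        ("2008-01-21T03:00:00", "2009-03-02T02:00:03", "2008-01-21T03:00:00"),
    "C:/Users/mark/Downloads/invoice.exe":
        ("2009-03-02T14:35:00", "2009-03-02T14:35:40", "2009-03-02T14:35:00"),
}


def parse_scanner_log(text):
    """Return {path: [datetime of each logged scan of that path]}."""
    scans = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, action, path = line.split(" ", 2)
        if action != "SCANNED":
            continue
        scans.setdefault(path, []).append(datetime.fromisoformat(stamp))
    return scans


def classify_atimes(records, scans, tolerance=timedelta(seconds=2)):
    """Label each file's A time:
      'scanner'               - coincides (within tolerance) with a logged scan
      'accessed outside scan' - scanned at some point, but A time is elsewhere
      'not in scanner log'    - no scan recorded, so the A time is unexplained
    The last two are the ones worth looking at for user or malware activity."""
    labels = {}
    for path, (_m, a, _c) in records.items():
        atime = datetime.fromisoformat(a)
        times = scans.get(path)
        if times is None:
            labels[path] = "not in scanner log"
        elif any(abs(atime - t) <= tolerance for t in times):
            labels[path] = "scanner"
        else:
            labels[path] = "accessed outside scan"
    return labels


def changed_after_last_scan(records, scans):
    """Paths whose M or C time is later than the most recent logged scan.
    A scanner only reads files, so these changes are not its doing."""
    last_pass = max(t for times in scans.values() for t in times)
    return sorted(
        p for p, (m, _a, c) in records.items()
        if max(datetime.fromisoformat(m), datetime.fromisoformat(c)) > last_pass
    )


def run_example():
    """Classify the constructed records against the constructed log."""
    return classify_atimes(FILE_RECORDS, parse_scanner_log(SCANNER_LOG))


if __name__ == "__main__":
    for path, label in run_example().items():
        print(f"{label:22} {path}")
    print("changed after last scan:",
          changed_after_last_scan(FILE_RECORDS, parse_scanner_log(SCANNER_LOG)))
```

The tolerance covers the gap between the scanner opening a file and writing its log line; widen it if the real log only records start and end of a scan pass rather than per-file timestamps. Before relying on any A-time reasoning on a Windows image, also check whether last-access updates were enabled at all (the NTFS `NtfsDisableLastAccessUpdate` registry value), since a system that never updated A times will show nothing either way.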
Mark,
This happens all the time. In fact, by default, Vista does not update last access times on files. This is why alternative methods of forensic analysis are required.
H
Create and Modify dates are usually what I look at. Access is usually not something you can put too much trust into.