I have an external drive that XP reports as a GPT Protective Partition. The MAC OS reports a file as having a created time, modified time, but no LAST OPENED timestamp. EnCase reports a Last Accessed date/time. What is the correlation between the two if any? Should the last accessed time/date be treated the same as in Windows, ie can I assume a copy of date to another source?
The Mac OS tool you're using may not report it, but files on HFS+ volumes have created, content-modified, attributes-modified, access, and backup timestamps.
I am using EnCase in Windows since I cannot view the drive in Windows b/c it is a GPT Protective Partition.
An example to clarify I have a file with a reported created and modified time of 3/5/09 1226. It has no reported last opened time in Mac OS X doing More Info.
In EnCase it reports the created and modified times correctly but fills in the Last Accessed time with 8/4/09 1045. Where did that time come from?
Is it an accessed time that Mac OS X More Info doesn't report? Can I get more file information from OS X using a different method?
If I recall correctly, "More Info" in the Get Info window actually gets its data from Spotlight metadata, not directly from the filesystem, so there could be cases where its "Last opened" is not present or disagrees with the access time on HFS+.
The hfsdebug utility should allow you to read the HFS+ data not exposed by Get Info.
You can also see all the OS X timestamps by running the 'stat' command from an OS X terminal. This shows all the file times stored by HFS+. The Get Info only shows the traditional Finder values and not all the extended file information held in the file system.