Massive copy and timestamps

11 Posts
5 Users
0 Reactions
1,406 Views
(@lucio)
Active Member
Joined: 14 years ago
Posts: 16
Topic starter  

Hi All...
I have an image where the user is suspected of exporting confidential
data from the system (Windows XP) using an external drive. These are
the artifacts:

-Filesystem NTFS on Windows XP SP2, acquired using DD + writeblocker
-External drive is not available
-Interesting files are all saved in a folder called C:\Projects. Last
access time of more than 20.000 files inside the folder is between
15.00 and 15.20. (documents are office docs, pdf and images, email,
zip)
-The registry reports (thanks Harlan for RegRipper!) a USB connected
2 minutes before 15.00
-Shellbags report a "projects" folder created on the external drive
with "create time" set at 15.00. Subfolder names are available in the
shellbags report and match the subfolders in the original system

Everything seems to match but...I have one thing hammering my brain.
Some files in the subfolders don't have a last access timestamp set
between 15.00 and 15.20. They report a timestamp that is before the
"supposed data theft" (between 15.00 and 15.20).

Anyone got an idea? I tried to look at the antivirus log and it seems
nothing happened that specific day...

THANKS!


pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

I think you got him :)

As to the files that didn't get a Last Update change - perhaps he didn't copy them.


Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

The first thing to state about the Last Accessed timestamp is that different programs can touch it in different ways.

In your position I would undertake and record some testing with XP and an external USB device connected.

How does the timestamp get updated by any of the following:
Accessing the (say) Sample Pictures directory - in thumbnail view, in list view
Copying the directory - ctrl-C/V, drag/drop, save as
Copying the individual pictures - ctrl-C/V, drag/drop, save as
Copying whilst in thumbnail and list view
Under what conditions is the timestamp of thumbsdb updated?
Under what conditions are LNK files created?
How does any of this affect the MRU lists?
Etc.

Only with testing do you have a reliable context for your hypothesis, including pbobby's suggestion that perhaps only a subset of files were copied. Clearly your testing will inform you in relation to this suggestion as you access the directory structure.

Good luck.


(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Depending on whether the whole folder was copied or just the files, if he didn't select some, as Paul says, perhaps he just copied what he wanted.
Ignoring that, there are scenarios where NTFS may not yet have written the timestamps, so in a plug-pull and acquire, you may see what you do.
The clearest description I can find of this is in here:
http://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx
Scroll down to the heading "Last Access Time" and read from there. But a short snippet is:

The Last Access Time on disk is not always current because NTFS looks for a one-hour interval before forcing the Last Access Time updates to disk. NTFS also delays writing the Last Access Time to disk when users or programs perform read-only operations on a file or folder, such as listing the folder’s contents or reading (but not changing) a file in the folder. If the Last Access Time is kept current on disk for read operations, all read operations become write operations, which impacts NTFS performance.

Hope that helps.
Rich

PS - That URL seems to actually be one of the better/best NTFS references I've found, probably worth everyone taking a look at in general, written in very clear language compared to most documents I think. (I've just edited the URL above to the en-US version rather than es-ES so the links are all in English now - as there's also some more interesting stuff in the same tree on this part of the TechNet site)


Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

The clearest description I can find of this is in here:
http://technet.microsoft.com/es-es/library/cc781134(WS.10).aspx

A good find.


steve862
(@steve862)
Estimable Member
Joined: 19 years ago
Posts: 194
 

Hi,

From a non-technical standpoint...

If we take the theory that some files and folders were not copied, is there a link between all the files that were copied in terms of data content? Is it possible he copied all the 'juicy' files or all the files that relate to something specific, i.e. something he was interested in? If you look at the human factor, is it possible to see a logical reason why only those certain files were chosen?

Would he have been able to make a distinction between files he wanted and didn't want very easily? Were any files opened between 15:00-15:20, suggesting he was checking what to take? Local file history, link files etc. could tell you that. Or are there only artefacts for after that time on that date, suggesting the possibility these were cleared around the time of interest?

You mention a folder named "Projects" on the C:\ drive but a folder named "projects" as an artefact for a USB disk. The first letter is capitalised on the source device. Was this an oversight in your post or do the two differ in this way? If the folders have different upper/lower case letters but the same word, it would appear the folder name wasn't created because the whole parent folder was copied in. Instead it seems likely a new folder was created into which any number of files and folders from the source could have been placed.

You don't mention whether other files were last accessed around this time too. Were there any other typical user files and folders accessed from other locations on the C:\ drive?

Steve


(@lucio)
Active Member
Joined: 14 years ago
Posts: 16
Topic starter  

Hi,

From a non-technical standpoint...

If we take the theory that some files and folders were not copied, is there a link between all the files that were copied in terms of data content? Is it possible he copied all the 'juicy' files or all the files that relate to something specific, i.e. something he was interested in? If you look at the human factor, is it possible to see a logical reason why only those certain files were chosen?

That could be, but it is almost impossible to choose "manually" almost 20.000 different files. And I've checked if he ran any search (using F3 or with the search assistant) to pick up some files based on a criteria.

Would he have been able to make a distinction between files he wanted and didn't want very easily? Were any files opened between 15:00-15:20, suggesting he was checking what to take? Local file history, link files etc. could tell you that. Or are there only artefacts for after that time on that date, suggesting the possibility these were cleared around the time of interest?

No, according to the last opened files and the registry he didn't open any file from that folder.

You mention a folder named "Projects" on the C:\ drive but a folder named "projects" as an artefact for a USB disk. The first letter is capitalised on the source device. Was this an oversight in your post or do the two differ in this way? If the folders have different upper/lower case letters but the same word, it would appear the folder name wasn't created because the whole parent folder was copied in. Instead it seems likely a new folder was created into which any number of files and folders from the source could have been placed.

That was a mistake in my post. The folders had the exact same name.

You don't mention whether other files were last accessed around this time too. Were there any other typical user files and folders accessed from other locations on the C:\ drive?

Steve

I need to check this...but I remember he was using Iexplorer for surfing the web moments before..

Thanks for your reply Steve...


(@lucio)
Active Member
Joined: 14 years ago
Posts: 16
Topic starter  

The first thing to state about the Last Accessed timestamp is that different programs can touch it in different ways.

In your position I would undertake and record some testing with XP and an external USB device connected.

How does the timestamp get updated by any of the following:
Accessing the (say) Sample Pictures directory - in thumbnail view, in list view
Copying the directory - ctrl-C/V, drag/drop, save as
Copying the individual pictures - ctrl-C/V, drag/drop, save as
Copying whilst in thumbnail and list view
Under what conditions is the timestamp of thumbsdb updated?
Under what conditions are LNK files created?
How does any of this affect the MRU lists?
Etc.

Only with testing do you have a reliable context for your hypothesis, including pbobby's suggestion that perhaps only a subset of files were copied. Clearly your testing will inform you in relation to this suggestion as you access the directory structure.

Good luck.

I made some tests weeks ago. I had a folder with access timestamps set to random dates. If you copy the WHOLE folder to a new location on an external drive, EVERY file gets a new access date/time. I sorted the copied folder with FTK and they are sorted in a row. Not one got excluded. And that's the behaviour I'm expecting from such an operation.... ?


(@lucio)
Active Member
Joined: 14 years ago
Posts: 16
Topic starter  

I think you got him )

As to the files that didn't get a Last Update change - perhaps he didn't copy them.

The question is...
He got 20.000 files. Let's assume you want to exclude 15-20 files in some SUBFOLDERS (and that was a directory with almost 100 subfolders, 5 levels deep, and the missing files are spread across different subdirectories).

How can you exclude them and copy the remaining 19980 in 20 minutes?
I've also analyzed the frequency of the timestamp values. They are all sequential, in a row. If he had stopped (maybe because first he chose subdirectory 1, then he chose which files to copy), I would see "a hole" in the timestamp values.

Second thing: what else can update so many files? Antivirus! The antivirus log reports no scan made or requested that day...

Thanks for any suggestion or help


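The timestamp-frequency check described in this post, written out as an added example (not code from the thread or from any tool mentioned in it): given a list of (path, last-access time) records exported from a forensic tool, it splits them into those inside and outside the suspected copy window, then sorts the in-window accesses and reports any "hole" between consecutive accesses larger than a chosen threshold. A long hole suggests the operation paused (for example while files were being selected), while a continuous run is what a single bulk copy would leave. The records, the window and the 60-second threshold are constructed sample values, not data from the case.

```python
"""Check exported last-access timestamps against a suspected bulk-copy window."""
from datetime import datetime, timedelta

# Constructed sample records (path, last access time); not from any real image.
SAMPLE_RECORDS = [
    ("C:\\Projects\\A\\spec.doc", "2009-03-10 15:00:05"),
    ("C:\\Projects\\A\\budget.xls", "2009-03-10 15:00:06"),
    ("C:\\Projects\\B\\notes.pdf", "2009-03-10 15:00:09"),
    ("C:\\Projects\\B\\old.pdf", "2008-11-02 09:12:44"),  # predates the window
    ("C:\\Projects\\C\\img.jpg", "2009-03-10 15:11:30"),
    ("C:\\Projects\\C\\img2.jpg", "2009-03-10 15:11:31"),
    ("C:\\Projects\\D\\archive.zip", "2009-03-10 15:19:58"),
]

# Suspected window (constructed to mirror the 15.00-15.20 interval in the thread).
WINDOW_START = datetime(2009, 3, 10, 15, 0)
WINDOW_END = datetime(2009, 3, 10, 15, 20)


def parse_records(records):
    """Turn (path, 'YYYY-MM-DD HH:MM:SS') pairs into (path, datetime) pairs."""
    return [(path, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")) for path, ts in records]


def split_by_window(parsed, start, end):
    """Separate records whose access time falls inside [start, end] from the rest."""
    inside = [r for r in parsed if start <= r[1] <= end]
    outside = [r for r in parsed if not (start <= r[1] <= end)]
    return inside, outside


def find_gaps(inside, threshold):
    """Return (earlier_path, later_path, gap) for each pause longer than threshold."""
    ordered = sorted(inside, key=lambda r: r[1])
    gaps = []
    for (p1, t1), (p2, t2) in zip(ordered, ordered[1:]):
        if t2 - t1 > threshold:
            gaps.append((p1, p2, t2 - t1))
    return gaps


def summarize(records=SAMPLE_RECORDS, start=WINDOW_START, end=WINDOW_END,
              threshold=timedelta(seconds=60)):
    """Count in-window files, list out-of-window paths and report holes in the run."""
    parsed = parse_records(records)
    inside, outside = split_by_window(parsed, start, end)
    return {
        "inside": len(inside),
        "outside": [path for path, _ in outside],
        "gaps": find_gaps(inside, threshold),
    }


if __name__ == "__main__":
    result = summarize()
    print(f"{result['inside']} files accessed inside the window")
    for path in result["outside"]:
        print(f"outside window: {path}")
    for earlier, later, gap in result["gaps"]:
        print(f"hole of {gap} between {earlier} and {later}")
```

Run against a real export, replace SAMPLE_RECORDS with the tool's (path, timestamp) output and set the window to the interval under examination; the out-of-window list is the set of files to explain (not copied, or accessed through a path that did not update the timestamp), and the gap list tells you whether the in-window accesses really form one uninterrupted run.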
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

The files could already exist on the target, there could be permission problems, or the files could currently be open.

Remember, the user activity could be "copy all" but something about the OS or copying configuration prevented 20 files from successfully being copied.

