More Windows date and time fun!

(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

My contribution to the forum this week.
More Date and Time Stamp Confusion.

File system NTFS
OS = Windows 7 Home.

I have a case that was examined by a forensic examiner who is basing his "facts" on the date and time stamps of certain files.
The main focus of his testimony is the Last Accessed times of those files.
I believe that the other examiner is not aware that Windows 7 does not write/log Last Accessed times.
I checked the registry and confirmed that NtfsDisableLastAccessUpdate=dword:00000001, meaning the Last Accessed times are not updated. 1=yes, 0=No.

That being said, the Last Accessed times on some of the files have been updated to be after the Creation and Modified Dates.

My question is this.
Could other software such as Anti-Spyware or Anti-Malware software manually update the Last Accessed dates and times?

I will attempt a test on this at a later date but I have a meeting with the attorneys early next week and I won't have the time beforehand.

Larry


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

File system NTFS
OS = Windows 7 Home.

Thanks for providing that.

My question is this.
Could other software such as Anti-Spyware or Anti-Malware software manually update the Last Accessed dates and times?

Of course. There are a number of things that can affect the time stamps, beyond a user or application accessing the files.

See https://support.microsoft.com/en-us/kb/299648

Have you parsed the MFT records for the files in question? You may want to do so.

Another thought is to create a timeline of system activity, including the file system metadata, Registry metadata, Prefetch files, Windows Event Logs, etc. This can add some context to what you're seeing, rather than just looking at a couple of time stamps on one or two files.

HTH


(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

Yes, I know I have a bit of work to do yet.
I will be extracting all the files you mentioned plus the Lnk files and anti-virus logs.
I was hoping that maybe a reader had already performed a test on this since Vista and 7 have been released and could provide some answers prior to my meeting.

FYI that article "See support.microsoft.com/.../kb/299648" was a 2007 article and applies to NTFS but NOT to Windows Vista and Windows 7. Since then Microsoft has disabled the updating of the Last Access times.

Larry


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Yes, I know I have a bit of work to do yet.

I wasn't suggesting that at all…I was simply providing input to assist with your endeavor.

I will be extracting all the files you mentioned plus the Lnk files and anti-virus logs.

"All the files"? I had only mentioned the MFT. I'm not at all clear how LNK files and AV logs apply here, given what you've already stated about the file system settings.

I was hoping that maybe a reader had already performed a test on this since Vista and 7 have been released and could provide some answers prior to my meeting.

Even if they had, I'd think that you'd still want to test it for yourself. After all, aren't you the one going to the meeting with the attorneys?

FYI that article "See support.microsoft.com/.../kb/299648" was a 2007 article and applies to NTFS but NOT to Windows Vista and Windows 7. Since then Microsoft has disabled the updating of the Last Access times.

I'm not at all clear as to how your statement applies to, or obviates, the contents of the KB article I linked to. Can you elaborate?


(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

As a habit I always try to grab the lnk files.
My thinking on the logs is: if the anti-virus logs show a scan or any "hits" at that date and time, then that is a bit more for me to work with.

The article you posted isn't relevant here because although it covers NTFS it doesn't apply to Windows 7 and Vista.

The article also only covers Created and Modified dates and times on folders and files but does not mention Last Accessed dates.

As I am sure you are aware, Win7 and Vista have an additional registry setting that prevents writing and updating the Last Access times.

Larry


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

I checked the registry and confirmed that NtfsDisableLastAccessUpdate=dword:00000001, meaning the Last Accessed times are not updated. 1=yes, 0=No.

Well … are you sure?

The reason I ask is that the basic description of this registry setting seems to go back to

http://blogs.technet.com/b/filecab/archive/2006/11/07/disabling-last-access-time-in-windows-vista-to-improve-ntfs-performance.aspx
but as they use fsutil, the information provided by that utility also needs to be taken into consideration, namely

disablelastaccess {1|0} Determines whether NTFS updates the last access timestamp on each directory when it lists the directories on an NTFS volume.

(see https://technet.microsoft.com/en-us/library/cc785435.aspx for that.)

Note the difference: one claims all updates, the other only updates for 'directory listing', which technically corresponds to directory lookups (i.e. when I want to find the file 'C:\TEMP\foo.txt' I first have to access the root directory to find the entry 'TEMP' in it, and then use *that* to find the entry 'foo.txt' in the TEMP directory. Both those directory accesses would 'normally' cause the Last Access time stamp to be updated for those directory entries.)

Note 'update'. There's (strictly speaking) no claim that Last Access time stamp is not set.

Myself, I don't trust either of these two descriptions until someone does a systematic and thorough test of it, one that withstands critical scrutiny. Consequently, I don't trust Last Access at all, and don't base any conclusions on it alone, if I can avoid it.

And as the registry setting can be changed, you also need to consider if it has been changed, and when that happened, and also how that affects your interpretation of last access time stamps.

Could other software such as Anti-Spyware or Anti-Malware software manually update the Last Accessed dates and times?

Easily. There is a particular system call (in modern Windows, SetFileInformationByHandle(), using the call version that uses FILE_BASIC_INFORMATION) that sets *all* of the standard information timestamps to any legal value with only one exception, that of the 0 time stamp. Any Windows programmer can use it – or write an application that does so for those who aren't programmers. TimeStomp and SetMACE are two fairly well known examples.

I've used it myself for testing purposes without any major problems.

The PKZip archiver for Windows (the original from PKWare) has a Windows mode (see under Options / Extraction / Advanced) that allows you to save and restore 'all' NTFS timestamps – which includes the Last Access time stamp, but excludes the Entry Modified for some reason. See PKWare's 'ZIP App Note', section 4.5.5 for technical details. Other file archivers may have similar options.

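Two points made above, keydet89's suggestion to parse the MFT records of the files in question and the note that SetFileInformationByHandle() with FILE_BASIC_INFORMATION rewrites the $STANDARD_INFORMATION timestamps, come together in this added example, which is not code from the thread. It reads the $STANDARD_INFORMATION and $FILE_NAME timestamps out of a raw MFT record (applying the NTFS fixups first) and flags two things: a $SI creation time earlier than the $FN one (the $FN copy is only rewritten by the kernel on name operations, so $SI-only timestamp calls leave it behind, a standard check that is my addition rather than the thread's), and a Last Access later than Last Modified on a volume where NtfsDisableLastAccessUpdate=1, the situation Larry describes. The MFT record is constructed in build_record for the demonstration; the attribute layouts and offsets are the standard NTFS ones.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch; 100 ns ticks, UTC
TS = ("created", "modified", "mft_modified", "accessed")   # field order in both $SI and $FN
def filetime_to_dt(ft): return EPOCH + timedelta(microseconds=ft // 10)
def dt_to_filetime(dt): return ((dt - EPOCH) // timedelta(microseconds=1)) * 10
def utc(*ymd): return datetime(*ymd, tzinfo=timezone.utc)
def apply_fixups(rec):
    # NTFS stamps the update sequence number over the last 2 bytes of each 512-byte sector and keeps the originals in the fixup array; undo that.
    usa_ofs, usa_cnt = struct.unpack_from("<HH", rec, 4)
    out = bytearray(rec)
    for i in range(1, usa_cnt):
        if out[i*512-2:i*512] != rec[usa_ofs:usa_ofs+2]:
            raise ValueError("fixup mismatch: torn or invalid record")
        out[i*512-2:i*512] = rec[usa_ofs+2*i:usa_ofs+2*i+2]
    return bytes(out)
def parse_record(rec):
    # Walk the resident attributes; return {'si': {...}, 'fn': {...}}: the four timestamps of $STANDARD_INFORMATION (0x10, value offset 0) and $FILE_NAME (0x30, after the 8-byte parent ref).
    if rec[:4] != b"FILE": raise ValueError("not an MFT FILE record")
    rec, out, ofs = apply_fixups(rec), {}, struct.unpack_from("<H", rec, 20)[0]
    while ofs + 24 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, ofs)
        if atype == 0xFFFFFFFF or alen == 0: break        # end-of-attributes marker
        if not nonres and atype in (0x10, 0x30):
            val = ofs + struct.unpack_from("<H", rec, ofs + 20)[0] + (8 if atype == 0x30 else 0)
            out["si" if atype == 0x10 else "fn"] = dict(zip(TS, map(filetime_to_dt, struct.unpack_from("<4Q", rec, val))))
        ofs += alen
    return out
def findings(ts, last_access_updates_disabled):
    # Each flag calls for an explanation (timestamp API, setting toggled, another OS), not a verdict.
    si, fn, out = ts["si"], ts["fn"], []
    if si["created"] < fn["created"]:   # $SI-only timestamp APIs never touch $FN, so backdating shows here
        out.append("si_created_before_fn_created")
    if last_access_updates_disabled and si["accessed"] > si["modified"]:
        out.append("accessed_after_modified_with_updates_disabled")   # the situation in this thread
    return out
def build_record(si_times, fn_times, name="foo.txt"):
    # Constructed 1024-byte record with valid fixups (test data, not taken from any real volume).
    def attr(atype, body):   # resident attribute: 24-byte header, value at offset 24, 8-byte aligned
        pad = b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body) + len(pad), 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body + pad
    fts = lambda t: struct.pack("<4Q", *map(dt_to_filetime, t))
    body = attr(0x10, fts(si_times) + b"\0" * 40) + attr(0x30, struct.pack("<Q", 5) + fts(fn_times)
        + b"\0" * 24 + bytes([len(name), 1]) + name.encode("utf-16le")) + b"\xff" * 4   # end marker
    rec = bytearray(1024)
    rec[0:4], rec[56:56 + len(body)] = b"FILE", body
    struct.pack_into("<HHQHHHHII", rec, 4, 48, 3, 0, 1, 1, 56, 1, 56 + len(body), 1024)
    for i in (1, 2):   # save each sector's last word into the fixup array, then stamp the USN
        rec[48 + 2*i:50 + 2*i], rec[i*512-2:i*512] = rec[i*512-2:i*512], b"\x01\x00"
    rec[48:50] = b"\x01\x00"
    return bytes(rec)
```

To run it against an image, feed parse_record each 1024-byte slice of an extracted $MFT and pass findings() the value of NtfsDisableLastAccessUpdate taken from the same system's SYSTEM hive, keeping in mind jaclaz's point that the setting may have been different when the timestamps were written.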
(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

Wellll, I was pretty sure until you and KeyDet89 replied..

Now I have some researchin' to do..

But, that why this forum is here.. thanks..

Larry

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

To be more strict, the "NtfsDisableLastAccessUpdate" in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem" has been around since at least NT 4.00, the only change is that by default its value was 0 (ON) until Windows 7 where it changed to 1 (OFF).

As a matter of fact the setting was normally used in good ol' Windows PE 1.x/BartPE
http://www.911cd.net/forums//index.php?showtopic=6546
And as a "necessary" fix to mitigate the effects on device wear of running a PE (or XP) from a USB stick.

But the setting is NOT related to the actual "filesystem" but only to the way the built-in filesystem driver (and related write/copy/move operations) should behave, obviously only when the "main" OS (and the Registry) are in use.

As an example if a PE (or a Linux or some other OS of some kind with NTFS write capabilities) was booted on that machine, but - as a side note - also nothing prevents that particular key to be "born" as 1, having been changed to 0 at a given time and having been later re-set to 1.

jaclaz

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

To be more strict, the "NtfsDisableLastAccessUpdate" in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem" has been around since at least NT 4.00, the only change is that by default its value was 0 (ON) until Windows 7 where it changed to 1 (OFF).

The first link I provided was for Windows Vista, so it goes back at least that far.

But are you sure about the rest? I don't question that the registry setting has been there, but I do question that the semantics you ascribe to it have been static over time. I would not accept that without source references or test results, except perhaps from someone with Windows source access at Microsoft.

Because if it retains exactly the same semantics (related to Last Access on directories, only), all claims that it affects Last Access on *files* must be faulty or at least deeply suspect, and consequently any evidence based on that assumption will be (or should be) questioned. And all experiments and demonstrations and statements of the effect must be equally bad or suspect.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The first link I provided was for Windows Vista, so it goes back at least that far.

But are you sure about the rest? I don't question that the registry setting has been there, but I do question that the semantics you ascribe to it have been static over time. I would not accept that without source references or test results, except perhaps from someone with Windows source access at Microsoft.

What "rest"?
What do you mean "semantics"?
That setting has been there as far as I can recall, you want older references to it?
Be my guest
http://www.pctools.com/guides/registry/detail/50/
Here is a Windows 2000 reference from the mouth of the wolf
https://technet.microsoft.com/en-us/library/cc959914.aspx
And here is a NT 3.51 and NT 4.00 one
https://support.microsoft.com/en-us/kb/150355

The reason why it was implemented has to do with a different issue, the "clogging" of the circular log file, but the final effect is that the access timestamp is not updated.

Because if it retains exactly the same semantics (related to Last Access on directories, only), all claims that it affects Last Access on *files* must be faulty or at least deeply suspect, and consequently any evidence based on that assumption will be (or should be) questioned. And all experiments and demonstrations and statements of the effect must be equally bad or suspect.

I am sorry but I don't understand, a (properly implemented) experiment either confirms a given behaviour or it does not.
If the experiment is badly implemented then obviously the results are invalid.

If I get this right you are all in all saying that the same setting may cause different behaviour on different Operating Systems?
That is very possible.

There was a related article (and thread) here
http://www.forensicfocus.com/Forums/viewtopic/t=9329/
including the issue about "delayed update" of timestamps, where you already added some nice notes about "resident files"
http://www.forensicfocus.com/Forums/viewtopic/p=6560700/#6560700

And, just in order to throw some additional lack of certainties, I found a "queer" behaviour of XP, detailed here (but far from being cleared/explained)
http://www.forensicfocus.com/Forums/viewtopic/p=6572942/#6572942
the actual detailed thread is on reboot.pro, here
http://reboot.pro/topic/19746-queer-ntfs-andor-xp-behaviour/
😯

jaclaz

