I have come across a registry edit that will disable the last access time for NTFS. Other than looking in the registry for this when its suspect that the time on a file should be different is there anything that can be done see true access times if this is enabled? I haven't found anything but thought the great minds here might know something. As a forensic examiner am I screwed?
I searched the forums but couldn't find anything on this. Sorry if I missed a previous post.
Sleuth
Sleuth,
I'm not sure what you're asking…if the updating of last access time is disabled, then it stands to reason that last access time won't be updated by the operating system. Therefore, when you refer to the "true" access times, what are you hoping for?
In some senses you may be "screwed" (please excuse my vulgar vernacular), but in other cases you aren't. Much like the recent "Da Vinci Code", it's all a matter of where you choose to look. For example, you've already mentioned the Registry, and the Registry maintains a number of "most recently used lists", aka MRU Lists. From these, and other locations within the Registry (specifically, the UserAssist subkeys), you can develop a timeline of when a limited subset of files were last accessed by local users. Information can also be gleaned from the Prefetch directory on XP.
I hope that helps a bit…going further can lead to an encyclopedic post.
Harlan
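As an added example (not part of this thread or of any tool mentioned in it), here is a small Python decoder for the XP/2003-era UserAssist entries Harlan points to: value names are ROT13-encoded, and each 16-byte value holds a session id, a run count (XP starts counting at 5) and a FILETIME of the last run. The sample entry is constructed, not taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like a value under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# on Windows XP: ROT13 name, 16 bytes of data (DWORD session, DWORD count, FILETIME).
SAMPLE_NAME = codecs.encode("UEME_RUNPATH:C:\\Tools\\example.exe", "rot_13")
SAMPLE_DATA = struct.pack("<IIQ", 0, 8, 127805472000000000)  # 2006-01-01 00:00 UTC

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_xp(name: str, data: bytes) -> dict:
    """Decode one XP/2003 UserAssist value into path, run count and last-run time.

    Vista and later use a different (72-byte) layout, which is rejected here.
    """
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP/2003 UserAssist value")
    session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "session": session,
        "path": codecs.decode(name, "rot_13"),
        # XP stores the count offset by 5; a raw value of 5 means run once... minus
        # the offset. Clamp so malformed data never yields a negative count.
        "run_count": max(raw_count - 5, 0),
        # A zero FILETIME means the entry was never timestamped.
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


if __name__ == "__main__":
    entry = decode_userassist_xp(SAMPLE_NAME, SAMPLE_DATA)
    print(entry["path"], entry["run_count"], entry["last_run"])
```

Feed it the value names and data read from an exported hive (e.g. with a registry parsing library) to rebuild the per-user execution timeline even when NTFS access-time updates are disabled.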
> …if the updating of last access time is disabled, then it stands to reason that last access time won't be updated by the operating system.
That does help. That was my thought as well. I just wanted to make sure I wasn't missing a tool or work around.
Sorry for the confusion.
Thanks key.
> I just wanted to make sure I wasn't missing a tool or work around.
No problem. I just don't see how, if the operating system isn't updating the last access times, there'd be a "work around" specific to the last access times themselves. If it's not being done, then, well…it isn't being done.
However, you did open the door for something else that not many folks really look at…specifically, that key.
Hi,
Whether you have checked this or not I don't know, but I would have assumed, without testing, that if the files were double clicked or manually saved they would still appear as file entries in the index.dat files. This would give an access date and time showing the path and filename.
In my own job I hardly ever rely on Last Accessed Times from the MFT or FAT root directory anyway because so many other pieces of software trip this date.
Steve