Forums
Main Category
General (Technical,...
NTFS Timestamps
 
Notifications
Clear all

NTFS Timestamps

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Deltron 9 years ago
8 Posts
4 Users
0 Reactions
1,385 Views
RSS
 Deltron
(@deltron)
Estimable Member
Joined: 11 years ago
Posts: 125
Topic starter 02/03/2016 10:13 am  

I know windows 7 doesn't update last accessed times. My question is if a flash drive is formated as NTFS what would update the last accessed dates on the flash drive? Could HFS+ update the last accessed date on a NTFS flash drive?


   
Quote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
02/03/2016 3:54 pm  

I know windows 7 doesn't update last accessed times.

This is not really "exact", a Windows NT system will update (or fail to update) last accessed times depending on the settings of the OS.
Up to Windows XP the default setting was "update", starting from Vista the default setting is "do not update".

My question is if a flash drive is formated as NTFS what would update the last accessed dates on the flash drive?

The setting can be accessed via fsutil
fsutil behavior set disablelastaccess 0/1or via Registry
System Key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
Value Name NtfsDisableLastAccessUpdate
Data Type REG_DWORD (DWORD Value)
Value Data (0 = disable, 1 = enable)Please note the double negative, disabling the disable (0) means do update last accessed times, enabling the disable (1) means do not update last accessed time.

Could HFS+ update the last accessed date on a NTFS flash drive?

What do you mean HFS+?
Isn't HFS+ a filesystem (used on Mac's)?
How can a different filesystem update anything on NTFS?

jaclaz


   
ReplyQuote
 Deltron
(@deltron)
Estimable Member
Joined: 11 years ago
Posts: 125
Topic starter 02/03/2016 8:50 pm  

to put my question in a more simple way, how would you explain a flash drive with ntfs having updated accessed dates if windows 7 doesn't update the accessed times?


   
ReplyQuote
PaulSanderson
 PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
02/03/2016 9:59 pm  

to put my question in a more simple way, how would you explain a flash drive with ntfs having updated accessed dates if windows 7 doesn't update the accessed times?

It's a flash drive - if the windows 7 system you are examining is set to not update last accessed dates then

a) either the win 7 system was set up to update last accessed dates in the past

or

b) the flash drive has been inserted in another computer (poss running XP, or W7 with last accessed dates enabled) that updated the time stamps

or

c) the drive was used on a mac os X system using something like paragon that enables support for NTFS (you would need tocheck to see whether paragon updates last accessed dates)


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
02/03/2016 10:19 pm  

to put my question in a more simple way, how would you explain a flash drive with ntfs having updated accessed dates if windows 7 doesn't update the accessed times?

You'd have to understand the context in which the flash drive was used.

I get that you're referring to the actual files on the flash drive, so let me ask you this…when you say that the last access times were updated, what do you mean? Have you looked at the $MFT and compared the $STANDARD_INFORMATION attribute time stamps to those in the $FILE_NAME attribute(s)? How do you know that the last accessed times were updated?

Here's a good explanation of the Registry value that was discussed earlier
https://technet.microsoft.com/en-us/library/cc959914.aspx

Given that, there are a number of ways file system time stamps may appear…well…not as expected. For example, there's this
https://support.microsoft.com/en-us/kb/299648

Also, files extracted from an archive may (depending upon the operation) maintain or change different time stamps.

So, I would suggest that the short answer to your question is, "You can't, without context". The long answer is to list all of the possibilities.


   
ReplyQuote
 Deltron
(@deltron)
Estimable Member
Joined: 11 years ago
Posts: 125
Topic starter 02/03/2016 10:37 pm  

to put my question in a more simple way, how would you explain a flash drive with ntfs having updated accessed dates if windows 7 doesn't update the accessed times?

You'd have to understand the context in which the flash drive was used.

I get that you're referring to the actual files on the flash drive, so let me ask you this…when you say that the last access times were updated, what do you mean? Have you looked at the $MFT and compared the $STANDARD_INFORMATION attribute time stamps to those in the $FILE_NAME attribute(s)? How do you know that the last accessed times were updated?

Here's a good explanation of the Registry value that was discussed earlier
https://technet.microsoft.com/en-us/library/cc959914.aspx

Given that, there are a number of ways file system time stamps may appear…well…not as expected. For example, there's this
https://support.microsoft.com/en-us/kb/299648

Also, files extracted from an archive may (depending upon the operation) maintain or change different time stamps.

So, I would suggest that the short answer to your question is, "You can't, without context". The long answer is to list all of the possibilities.

Looking at the cheat sheet
http//digital-forensics.sans.org/media/poster-windows-forensics-2016.pdf

It shows in $stdinfo Access -change as volume file move
while in the $filename no change can be raname, accessed, modify, deleted
So looking at the mft the standard info has a change accessed date can you conclude the file may have been accessed?

Also how does Mac OSX come into play with updating these entries?


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
02/03/2016 11:09 pm  

c) the drive was used on a mac os X system using something like paragon that enables support for NTFS (you would need tocheck to see whether paragon updates last accessed dates)

and not only …
d) or on a MacOSx where the default (which is to NOT write on NTFS volumes) has been changed
http//osxdaily.com/2013/10/02/enable-ntfs-write-support-mac-os-x/
or using another driver
http//www.macbreaker.com/2014/06/how-to-enable-writing-to-ntfs-hard.html
e) on any Linux with read/write support for NTFS
f) and let us not forget BSD and more generally any OS ever existed that may be able to change those dates …

@deltron
A USB stick is likely to have been connected to tens of devices, it is impossible to draw a definite conclusion based only on the observation that the "last time accessed" is modified.

jaclaz


   
ReplyQuote
 Deltron
(@deltron)
Estimable Member
Joined: 11 years ago
Posts: 125
Topic starter 02/03/2016 11:17 pm  

c) the drive was used on a mac os X system using something like paragon that enables support for NTFS (you would need tocheck to see whether paragon updates last accessed dates)

and not only …
d) or on a MacOSx where the default (which is to NOT write on NTFS volumes) has been changed
http//osxdaily.com/2013/10/02/enable-ntfs-write-support-mac-os-x/
or using another driver
http//www.macbreaker.com/2014/06/how-to-enable-writing-to-ntfs-hard.html
e) on any Linux with read/write support for NTFS
f) and let us not forget BSD and more generally any OS ever existed that may be able to change those dates …

@deltron
A USB stick is likely to have been connected to tens of devices, it is impossible to draw a definite conclusion based only on the observation that the "last time accessed" is modified.

jaclaz

@Jaclaz I know but I'm just trying to explore all options.
I have a Apple macbook with OSX and a custom comp with linux and trying to see what will change the times in those OS. Kinda like the sift cheat sheet for times with Windows.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: