dear all,
I've got the e01 copy of a the disk with win 7. Is it possible to know when was the penultimate date in which a file has been opened? The file is zip and the application is 7zip
thanks
What is a "penultimate" date?
google translate wrote this.
NOt the last date in which the file has been open but the date before
google translate wrote this.
Not the last date in which the file has been open but the date before
No, usually only odd (dispari) previous archive files openings are logged
-1 (last time)
-3 (third last)
-5
etc.
Come on …
jaclaz
NOt the last date in which the file has been open but the date before
Possibly, yes.
Find the profile for the user that opened it, and extract the NTUSER.DAT and USRCLASS.DAT files.
Now do the same of the same files in all available VSCs.
Map out all MRU entries related to the file in question from the hives; RecentDocs, 7Zip MRU, ComDlg32, etc. I'd also include shellbags, although the entries will be related to Windows Explorer and not 7Zip.
Again, it's possible…not definitive. So…maybe.
Possibly, yes.
Find the profile for the user that opened it, and extract the NTUSER.DAT and USRCLASS.DAT files.
Now do the same of the same files in all available VSCs.
Map out all MRU entries related to the file in question from the hives; RecentDocs, 7Zip MRU, ComDlg32, etc. I'd also include shellbags, although the entries will be related to Windows Explorer and not 7Zip.
Again, it's possible…not definitive. So…maybe.
It seems to me like that might (maybe) provide "other" or "previous" times the file was opened, but no actual way to be sure that it was the penultimate time.
jaclaz
It seems to me like that might (maybe) provide "other" or "previous" times the file was opened, but no actual way to be sure that it was the penultimate time.
Again, it's possible…not definitive. So…maybe.
It seems to me like that might (maybe) provide "other" or "previous" times the file was opened, but no actual way to be sure that it was the penultimate time.
Again, it's possible…not definitive. So…maybe.
Sorry, but I am a hairy reasoner, if you can I would like a more definite answer.
IMHO by analyzing a system
1) you may (or you may not) find some evidence about a given file having been opened/accessed before a given date/time
2) IF you find such evidence this may consist of either
a. a single previous access
b. more than one previous access
in case 2.b you can order the (several) previous access date times and choose the most recent one (still before the given date/time), so you are in the same case of 2.a.
Now, what makes you able to state that that instance is actually the penultimate (and that is not the third or fourth or nth last one)?
As I see it there is a BIG IF in #2, after which there is an "impossible", it is even not a "maybe*maybe=maybe^2", it is a "maybe+impossible=impossible".
jaclaz
I will try thanks keydet