Question on Deleted files and MAC times

(@olddawg)
Posts: 108
Estimable Member
Topic starter
 

Is it a given that in all cases, the last accessed date/time of a deleted file is the same as the deletion date/time?

 
Posted : 28/09/2006 7:13 am
(@mrich)
Posts: 6
Active Member
 

No, for example I have used Nlite to build a custom Windows XP. There I have disabled the last accessed date/time function. So this attribute is normally not changed by my system.

 
Posted : 28/09/2006 9:11 pm
(@olddawg)
Posts: 108
Estimable Member
Topic starter
 

No, for example I have used Nlite to build a custom Windows XP. There I have disabled the last accessed date/time function. So this attribute is normally not changed by my system.

Interesting. But if you are doing massive deletions, would that or would that not change the MAC times?

 
Posted : 28/09/2006 9:40 pm
(@mrich)
Posts: 6
Active Member
 

You might want to look here for further information
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fsutil_behavior.mspx?mfr=true

I think you can delete as many files as you want, the last accessed will not be changed.

 
Posted : 29/09/2006 12:32 pm
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

The last access time for the file will not be modified. However, the last access time for the directory will be modified as the directory entry will be modified and the file attribute record will be reallocated.

 
Posted : 29/09/2006 1:14 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

What I have found useful about the last accessed or modified time is that they can be said to represent the last known time the file was allocated in the file system. Not necessarily the same as deleted, but still useful in some circumstances. For instance, trying to prove that files were deleted after subject receives a preservation order.

 
Posted : 29/09/2006 5:32 pm
(@olddawg)
Posts: 108
Estimable Member
Topic starter
 

What I have found useful about the last accessed or modified time is that they can be said to represent the last known time the file was allocated in the file system. Not necessarily the same as deleted, but still useful in some circumstances. For instance, trying to prove that files were deleted after subject receives a preservation order.

That's pretty interesting stuff. Thanks for all the responses.

So how do you determine when a file was actually deleted? If it's the directory entry, where specifically do you look to find that particular tidbit of information for a specific file?

 
Posted : 30/09/2006 4:28 am
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

That information is not available on a per file basis. If the last action within a directory was the deletion of a file, this action would be recorded in the directory timestamp (Dir /TW directory). This can be determined by examining the last modification timestamp for all the files in the directory. If all the files have lesser date/timestamps than the directory, the only thing that can cause that condition is that files were deleted. Directory attribute changes do not affect the directory timestamps. If any other activity in that directory causes files to be modified, the directory timestamp will be modified to reflect the last write event and you will have a matching timestamp.

NTFS is like FAT filesystems in that both use the MFT mechanism to track file metadata. So you could use a hex editor on the disk to locate the MFT record for the directory (via some math calculations or a search for the directory name), then locate the date/time timestamp offset and decode the value. I prefer to use the DOS DIR command.
DIR /TC for creation time
DIR /TA for last access time
DIR /TW for last written time

 
Posted : 30/09/2006 12:41 pm
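
The comparison described in the last post (directory last-written time against the last-written times of the files it still holds), as an added example that is not part of the thread. The names `directory_write_gap` and `scan_tree` and the 2-second tolerance are assumptions; because a directory's last-write time also changes when an entry is created or renamed, a flagged directory is a lead to corroborate, not a deletion time.

```python
import os
from datetime import datetime, timezone


def _utc(ts):
    """Render an epoch timestamp as an ISO-8601 UTC string for the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def directory_write_gap(path, tolerance=2.0):
    """Compare a directory's last-write time with the newest last-write
    time among its entries (hypothetical helper, not from the thread).

    tolerance: seconds of slack; 2.0 is an assumption that covers the
    2-second granularity of FAT last-write times.
    """
    dir_mtime = os.stat(path).st_mtime
    newest_name, newest_mtime, count = None, None, 0
    with os.scandir(path) as entries:
        for entry in entries:
            count += 1
            mtime = entry.stat(follow_symlinks=False).st_mtime
            if newest_mtime is None or mtime > newest_mtime:
                newest_name, newest_mtime = entry.name, mtime
    if newest_mtime is None:
        # Empty directory: nothing to compare against, so inconclusive.
        return {"directory": path, "entries": 0, "flagged": False,
                "dir_written": _utc(dir_mtime), "newest_entry": None,
                "gap_seconds": None}
    gap = dir_mtime - newest_mtime
    return {"directory": path, "entries": count,
            "dir_written": _utc(dir_mtime), "newest_entry": newest_name,
            "gap_seconds": gap,
            # True when the directory was written after every entry in it.
            "flagged": gap > tolerance}


def scan_tree(root, tolerance=2.0):
    """Yield a report for every flagged directory under root."""
    for dirpath, _dirnames, _filenames in os.walk(root):
        report = directory_write_gap(dirpath, tolerance)
        if report["flagged"]:
            yield report


if __name__ == "__main__":
    import sys
    # Run against a read-only mount of the evidence image, not a live disk.
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit["dir_written"], hit["directory"], "newest entry:", hit["newest_entry"])
```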