Hi everybody,
What does it mean? The last time a folder was accessed by a user or by the system, or is it not a reliable timestamp?
Thanks.
There's a lot more to it than that, and there are quite a few good papers on it, so I won't dive in too deep, but you can get the last time a folder was accessed via Windows Explorer from the Registry. It's not at all related to the file system MAC times for the folder either. It's not as simple as just grabbing the last modified time from the value in the key for the specific folder; there's a validation check that needs to be done as well.
When valid though, it's 100% through Windows Explorer so it's not the system unless there's a particular process or app that opens specific folders in the Explorer GUI. Also, it won't capture anything browsed/accessed via CLI.
Here's a presentation Eric Zimmerman gave a while back which should help, but there are lots of additional resources out there:
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492184337.pdf
Jamie
Thank you friend!! What do you mean exactly?