OS Win XP, Outlook email client.
I am examining a subject's PC to determine what he may have done with a particular email sent from his office account to his home account. The message has an attachment and that attachment, as well as a couple of LNK files referencing it, was briefly in his User Local Settings Temp directory.
Here's the issue: the attachment was accessed on three different dates. Each shows exactly FOUR HOURS between "Creation time" and "Last Access time". Any idea what this four-hour span is all about?
As an aside, one of the accesses was at 2am, local time (corrected from UTC). The user claims he did not access the file in question on that date *or* at that odd hour.
I know about the NTFS 1-hour update period, but this four-hour thing is bugging me and the attorneys.
Thanks in advance, folks…
Everything I can think of seems obvious so I'll stand back and watch with interest (there are many qualified people that will answer you so I won't bother you with my student-level guessing). This is really an interesting situation though and I spent a good hour looking into it (unsuccessfully) when I should have been studying for my Final tomorrow.
Thanks! I spent 2 and 1/2 hours going 'round the world (literally) with Microsoft support (also without success) on this after I posted here. I had the hardest time making them understand what the issue is, only to be transferred to the wrong support group again… and again… and again, with lengthy hold-times in between, of course.
Now go study and do well on the Final!
Just a couple of thoughts (probably not much use though!)
It's quite possible that anti-virus software has updated the access times. Have you checked for logs from the AV software? Also check what time the AV was scheduled to run, etc.
Have you checked what scheduled tasks there were on the machine?
Is there any process tracking in the event log?
Was Outlook left open during this 4-hour period?
What other applications were running during this 4-hour period? Do any of them perform functions every x seconds, etc.?
HTH
Assuming your evidence is set to the eastern time zone the difference is the same as Eastern Daylight to GMT. When there is an "exact" difference like this it's the first thing I consider. I'm not sure what times you are looking at, but some times are recorded in local time, and some in GMT.
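A small check illustrating the point above, added here as an example and not part of the original thread: it decodes raw NTFS FILETIME values and flags Created-to-Accessed gaps that are exactly the size of a time-zone offset (Eastern Daylight is UTC-4), which is what you would see if one of the two times had been recorded or converted in a different time base. The file names, the date and the offset table are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: count of 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks: int) -> datetime:
    """Decode a raw FILETIME value (as stored in the MFT) into a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as a FILETIME tick count."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

# Whole-hour offsets that show up when a local time is mistaken for UTC or vice
# versa. Eastern Daylight Time is UTC-4, Eastern Standard Time is UTC-5.
TZ_OFFSET_HOURS = {4: "EDT (UTC-4)", 5: "EST (UTC-5)"}

def timezone_sized_gaps(records):
    """Report (name, hours, label) for records whose Created/Accessed gap is
    exactly a known time-zone offset. Such a gap hints that the two stamps
    may be in different time bases, not that the file was in use that long.
    Each record is (name, created_ticks, accessed_ticks)."""
    findings = []
    for name, created_ticks, accessed_ticks in records:
        delta = filetime_to_utc(accessed_ticks) - filetime_to_utc(created_ticks)
        seconds = abs(delta.total_seconds())
        if seconds > 0 and seconds % 3600 == 0:
            hours = int(seconds // 3600)
            if hours in TZ_OFFSET_HOURS:
                findings.append((name, hours, TZ_OFFSET_HOURS[hours]))
    return findings

# Constructed sample: a 2:00 am EDT instant stored once as if the local clock
# reading were UTC, and once as the true UTC value of that same instant.
EDT = timezone(timedelta(hours=-4))
local_2am = datetime(2009, 6, 10, 2, 0, tzinfo=EDT)          # constructed date
mislabelled_ticks = utc_to_filetime(local_2am.replace(tzinfo=timezone.utc))
true_utc_ticks = utc_to_filetime(local_2am.astimezone(timezone.utc))
FIFTEEN_MIN_TICKS = 15 * 60 * 10_000_000

SAMPLE_RECORDS = [
    ("attachment.doc", mislabelled_ticks, true_utc_ticks),              # 4 h gap
    ("attachment.lnk", true_utc_ticks, true_utc_ticks + FIFTEEN_MIN_TICKS),  # genuine use
]

if __name__ == "__main__":
    for name, hours, label in timezone_sized_gaps(SAMPLE_RECORDS):
        print(f"{name}: Created->Accessed gap is exactly {hours} h, matches {label}")
```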
I had already corrected the UTC to local time (Eastern). That's not the issue (but it's always a good idea to be alert for Micro$oft's inconsistent use of UTC).
No, regardless of time-zone, these files have a precise four-hour difference between Creation and Last Access/Last Write.
I'm looking into whether or not an anti-malware program is performing regular scans.