I have a computer that has a system registry key with a last access time of (say Dec 12th, 1301), which matches the entry in the System key itself that says Dec 12th 1301 as well for the lastwrite time. Okay, so that makes sense. Now when I order the files on the system there are many files that occur after the 12/12 date, example 12/13, and 12/14. Is the reason that there are files with dates post the System registry key's last accessed and written date, along with the lastshutdown write time, due to when the system was imaged the plug was pulled, not allowing the system to properly shut down? If that is the case, then I would have to assume that when the system was started up after the initial shutdown on 12/12 the System Key was not written to for a period of four days.
Or could this be a case of anti-forensics (timestamp tampering going on)?
Thanks
Your post is a tad hard to follow, and more information is required in order to form an opinion.
How and when did you acquire the image that appears to have this date and time anomaly?
Have you taken into consideration timezones and BIOS clock adjustments?
Have you adjusted your case tool to reflect timezone settings?
I am sure you have considered the last points!
To increase performance, the last accessed update to files is off by default in Windows Vista, could this explain your anomaly?
What do you mean by the 'initial shutdown'? Was that a reference to when the plug was pulled?
Did you acquire another image after the plug was pulled for comparison?
I have a computer that has a system registry key with a last access time of (say Dec 12th, 1301),
Registry keys don't have last access times…keys have a LastWrite time.
…which matches the entry in the System key itself that says Dec 12th 1301 as well for the lastwrite time.
This is very confusing…sorry.
Okay, so that makes sense. Now when I order the files on the system there are many files that occur after the 12/12 date, example 12/13, and 12/14. Is the reason that there are files with dates post the System registry key's last accessed and written date, along with the lastshutdown write time, due to when the system was imaged the plug was pulled, not allowing the system to properly shut down?
There really isn't enough information available. What version of Windows are you referring to? What files are you referring to? Is the system live or is this an image you're referring to? If it's an image, what was the condition of the system at the time it was acquired and what was the acquisition process?
If that is the case, then I would have to assume that when the system was started up after the intial shutdown on 12/12 that the System Key was not written to for a period of four days.
What is an "intial[sic] shutdown"? Assuming you're referring to the LastShutdown time, all of what you're referring to can be supported or refuted easily. However, in order to do so, some information is necessary. For example, aside from the previous questions and questions in the previous post, what is this "System" key that you're referring to? Also, LastWrite times are just that…the last time that the key was written to, or when a subkey or value directly beneath the key was written to, added, or deleted.
Or could this be a case of anti-forensics (timestamp tampering going on)?
I haven't seen anything yet that supports such an assumption, sorry.
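The two replies above hinge on the same point: a key's LastWrite time and the ShutdownTime value are both 64-bit FILETIMEs in UTC, while a file listing may be displayed in whatever timezone the tool is set to. The following added example (not code from either poster) parses a constructed `nk` key record and ShutdownTime blob, then shows how the same file list yields a different set of "files newer than the last write" depending on the timezone offset the examiner assumes; the file names and times are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 64-bit count of 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def nk_lastwrite(nk: bytes) -> datetime:
    """LastWrite time of a key record ('nk' cell body, starting at its signature):
    offset 0 = b'nk', offset 2 = flags (u16), offset 4 = LastWrite FILETIME (u64 LE)."""
    if nk[:2] != b"nk":
        raise ValueError("not an nk record")
    (ft,) = struct.unpack_from("<Q", nk, 4)
    return filetime_to_utc(ft)

def shutdown_time(reg_binary: bytes) -> datetime:
    """The ShutdownTime value (REG_BINARY, 8 bytes) is stored as a FILETIME as well."""
    return filetime_to_utc(struct.unpack_from("<Q", reg_binary, 0)[0])

def files_after(reference_utc: datetime, files: dict, tool_tz_hours: int) -> list:
    """Names of files whose displayed (naive, local) timestamps are later than a UTC
    reference once the tool's timezone offset is applied. Changing the offset changes
    the answer, which is why a 'file newer than last shutdown' finding has to be checked
    against the timezone setting of every tool involved."""
    tool_tz = timezone(timedelta(hours=tool_tz_hours))
    return sorted(n for n, ts in files.items() if ts.replace(tzinfo=tool_tz) > reference_utc)

# Constructed sample: a key last written 2008-12-12 13:01 UTC, encoded as an nk record.
LASTWRITE_UTC = datetime(2008, 12, 12, 13, 1, tzinfo=timezone.utc)
SAMPLE_NK = (b"nk" + struct.pack("<H", 0x20)
             + struct.pack("<Q", utc_to_filetime(LASTWRITE_UTC)) + b"\x00" * 8)
SAMPLE_SHUTDOWN = struct.pack("<Q", utc_to_filetime(LASTWRITE_UTC))
# Constructed file list as a tool would display it, timezone not stated (naive local times).
SAMPLE_FILES = {
    "a.log": datetime(2008, 12, 12, 8, 30),
    "b.log": datetime(2008, 12, 12, 12, 55),
    "c.log": datetime(2008, 12, 14, 9, 0),
    "d.log": datetime(2008, 12, 11, 23, 59),
}

if __name__ == "__main__":
    lw = nk_lastwrite(SAMPLE_NK)
    print("LastWrite:", lw, "ShutdownTime:", shutdown_time(SAMPLE_SHUTDOWN))
    print("tool at UTC   :", files_after(lw, SAMPLE_FILES, 0))
    print("tool at UTC-5 :", files_after(lw, SAMPLE_FILES, -5))
```

With the tool at UTC only `c.log` post-dates the LastWrite time; at UTC-5 `a.log` and `b.log` do too, so the apparent anomaly grows or shrinks purely with the offset assumed.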