
TMP files timestamp

7 Posts
4 Users
0 Reactions
1,322 Views
(@alf95)
Eminent Member
Joined: 18 years ago
Posts: 43
Topic starter  

Hi,

I performed an analysis on a Vista system & I found interesting Google search URLs in TMP files (c:\windows\temp) … I know that these Google searches were done in 2011 … But the TMP file is dated 2008 (created, last written & last accessed have the same timestamp).

Why is this file dated from 2008??


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

I performed an analysis on a Vista system […]
But the TMP file is dated 2008 (created, last written & last accessed have the same timestamp).

Why is this file dated from 2008??

Presumably because that's when it was created. If you're asking why LastAccess hasn't changed since, it's probably because LastAccess is disabled in Vista, so it doesn't get updated as it does in XP.

However, there are alternative explanations. If the Last Access time stamp was re-enabled, the reason could be that no one has accessed the TMP file. Another alternative is that any software that did access the TMP file was careful enough to restore all timestamps to what they were before. And yet another possibility is that the file has been replaced, but the timestamps were 'inherited' from the previous file by this 'NTFS tunnelling' backwards compatibility feature, which moves time stamps from an older file to the newer one that replaces it.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

And yet another possibility is that the file has been replaced, but the timestamps were 'inherited' from the previous file by this 'NTFS tunnelling' backwards compatibility feature, which moves time stamps from an older file to the newer one that replaces it.

Hmm.

File System Tunneling should NOT be NTFS "specific".
http://www.osronline.com/article.cfm?article=22

And usually it is set to 15 seconds (slightly less than 3 years, wink).

http://support.microsoft.com/kb/172190/en-us

AFAIK it dates back to LFN's introduction:
http://blogs.msdn.com/b/oldnewthing/archive/2005/07/15/439261.aspx

Or has this changed in Vista specifically?

jaclaz


harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
 

Alf95

Need more clues to help on this.

What is the file name?
What is the content of the file? Is it literally just a URL or is there more?
Is there some clue as to what created the file?
Is the file live or deleted?
Is the URL in the file or in the slack?
You say the Google search has been done in 2011, but could it also have been done in 2008?

H


(@alf95)
Eminent Member
Joined: 18 years ago
Posts: 43
Topic starter  

Thanks for your answers. This time I used EnCase V6 and I saw that the data which interested me were displayed in blue text; in fact this is the non-initialized part of the file.

Harry,

The suspect drive is an NTFS system
File Name: TMP0000003B66D0BF3836FCB31A
Size: 524288
Initialized size: 12288
Not possible in 2008, because I found a few URLs of ads that were posted in 2011.

Just a question: could information found in this part come from internet activities, without changing the Last Written timestamp?

Regards,


harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
 

If you read this very good blog entry you will see the explanation of initialised space:

http://blog.cmdlabs.com/2010/03/17/the-pitfalls-of-file-initialization-for-forensic-analysts/

I initially thought this explained what you were seeing, but the dates in Casey's example are the opposite way round. Needs more thinking about!

Edit: More thinking (testing actually) done. It appears that you can change the valid data length of a file without changing the MAC times. If this was done then the TMP file of an older date could then include uninitialised space which contains data from a more recent file that has been deleted and is unallocated.

A few tests with OpenedFilesView and Process Explorer show that the TMP file you refer to is created by Windows Defender.

H
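
To illustrate the valid data length (VDL) point above, here is an added example (not code from this thread or from any of the tools mentioned): given the raw bytes of a file's allocated clusters, as extracted from an image, and its initialized size, it separates the part Windows actually reports as file content from the uninitialized tail and searches only that tail for URLs. The file size and initialized size are the ones posted in the thread; the cluster contents and the URLs in them are constructed.

```python
import re

# Sizes taken from the thread: a 524288-byte TMP file whose valid data
# length (initialized size) is only 12288 bytes.
FILE_SIZE = 524288
INITIALIZED_SIZE = 12288

# Conservative URL matcher; stops at quotes, '<' and whitespace.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def split_by_vdl(raw_clusters: bytes, initialized_size: int):
    """Split a file's raw allocated bytes at the VDL. Bytes below the VDL are
    real file content; bytes at or above it are returned as zeros by a normal
    read, but on disk still hold whatever the clusters contained before."""
    if initialized_size > len(raw_clusters):
        raise ValueError("VDL cannot exceed the allocated data")
    return raw_clusters[:initialized_size], raw_clusters[initialized_size:]


def logical_view(raw_clusters: bytes, initialized_size: int) -> bytes:
    """What an ordinary file read returns: content below VDL, zeros above."""
    head, tail = split_by_vdl(raw_clusters, initialized_size)
    return head + b"\x00" * len(tail)


def find_urls(region: bytes):
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(region)]


def build_sample() -> bytes:
    """Constructed cluster contents: 12288 bytes of live data, then leftover
    HTML from a deleted file that previously occupied the same clusters."""
    head = b"DEFENDER-SCAN-STATE\x00" + b"\x00" * (INITIALIZED_SIZE - 20)
    leftover = (b'... <a href="http://www.google.com/search?q=example+query">'
                b"https://ad.example.test/click?id=2011</a> ...")
    tail = leftover + b"\x00" * (FILE_SIZE - INITIALIZED_SIZE - len(leftover))
    return head + tail


def triage(raw_clusters: bytes, initialized_size: int) -> dict:
    """Report where URLs live: only hits below the VDL are 'in the file'."""
    head, tail = split_by_vdl(raw_clusters, initialized_size)
    return {
        "urls_in_initialized": find_urls(head),
        "urls_in_uninitialized": find_urls(tail),
        "urls_visible_to_os": find_urls(logical_view(raw_clusters, initialized_size)),
    }
```

Hits that appear only under "urls_in_uninitialized" were never part of the file's content as the OS sees it, so they say nothing about the file's own timestamps.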


(@alf95)
Eminent Member
Joined: 18 years ago
Posts: 43
Topic starter  

Thanks Harry, I understand better! I'll continue my research about this case.

