Background - We have acquired the Windows 7 image using EnCase and a Tableau write blocker.
Did the recovery of files in EnCase using the Recover by folder option.
Now we are analyzing the deleted files and their timestamps, i.e. the period of their deletion.
Challenge - 'HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' is enabled.
In EnCase we see the last access date, but we are not sure what it represents when the registry value "NtfsDisableLastAccessUpdate" is enabled.
Query - As the registry value "NtfsDisableLastAccessUpdate" is enabled, which date does the last access date capture: file creation, last written or entry modified?
Sample - Here is a sample of the date range as seen in EnCase:

Last Accessed            File Created             Last Written             Entry Modified
19-Nov-2011 09:25:16 AM  19-Nov-2011 09:25:16 AM  19-Nov-2011 09:25:16 AM  15-Jan-2012 01:31:36 PM
30-Nov-2011 11:33:03 AM  16-Nov-2011 04:57:01 PM  30-Nov-2011 11:33:03 AM  15-Jan-2012 01:31:36 PM
25-Feb-2011 02:53:34 PM  25-Feb-2011 02:53:34 PM  25-Feb-2011 02:53:34 PM  15-Jan-2012 01:50:30 PM
It depends upon how the file arrived at that location and what has happened to it since.
The NtfsDisableLastAccessUpdate applies mostly to the user accessing the file, such as opening, closing, etc. If the file is created in the directory, the Last Accessed time will likely be the same as the creation date. If the file is copied or moved from another location, the date may be different.
The best thing to do is to perform your own testing to verify and document this.
If the file is created in the directory, the Last Accessed time will likely be the same as the creation date. If the file is copied or moved from another location, the date may be different.
Thanks for the prompt reply, yes, about to run some test cases - gut feeling says the last access date will be the last written date if it's in the same location; yes, if it is copied from another location it will take the file creation date… will be able to confirm post test runs.
Appreciate any suggestions on different test conditions.
Thanks for the prompt reply, yes, about to run some test cases - gut feeling says the last access date will be the last written date if it's in the same location,…
I'm not entirely sure that I'm clear on the logic behind this, but I'd love to see your testing results.
Appreciate any suggestions on different test conditions.
Really? I'd think it would be pretty obvious.
I'd think that you'd want to do the following:
Create several files, all in the same location on a system. You can do this quite easily using the echo command and redirection operator. Write a batch file that creates the files, and then outputs the system time.
File1 - create in the target directory, wait a day and access the file (if a text file, use Notepad, etc.)
File2 - same as file1, except make modifications to the file.
File3 - create in the target directory, wait a day, and copy the file to another directory or volume.
File4 - same as file3, except perform a move operation.
Be sure to clearly identify everything you do, to the point that someone else could reproduce your testing methodology. Record all times.
HTH
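An added example, not code from the thread: a Python 3 script that runs the File1 to File4 scheme above on a scratch directory, reads the NtfsDisableLastAccessUpdate value from HKLM (Windows only; elsewhere it reports None), and records every timestamp after each step so the run can be reproduced. It assumes Python 3 on the test system; the one-second pause stands in for the day's wait, and shutil.copy2 is used because, like an Explorer copy, it keeps the last written time.

```python
import os, shutil, sys, time, tempfile

def last_access_update_disabled():
    """Read NtfsDisableLastAccessUpdate from HKLM (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\FileSystem") as key:
        value, _ = winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")
    return bool(value & 1)  # Windows 7: 1 = last access updates disabled

def snapshot(path):
    """Timestamps from os.stat; on Windows st_ctime is the creation time (POSIX: change time)."""
    st = os.stat(path)
    return {"accessed": st.st_atime, "written": st.st_mtime, "created": st.st_ctime}

def changed_fields(before, after):
    """Names of the timestamp fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])

def run_scenarios(workdir=None, pause=1.1):
    """File1..File4 from the thread: create, then access / modify / copy / move."""
    workdir = workdir or tempfile.mkdtemp()          # scratch directory, constructed
    other = os.path.join(workdir, "other")
    os.makedirs(other, exist_ok=True)
    paths = {n: os.path.join(workdir, n + ".txt") for n in ("file1", "file2", "file3", "file4")}
    results = {}
    for name, path in paths.items():
        with open(path, "w") as fh:
            fh.write(name + "\n")
        results[name + " created"] = snapshot(path)
    time.sleep(pause)  # the thread waits a day; >1 s is enough to exceed timestamp granularity
    with open(paths["file1"]) as fh:          # file1: open and read only
        fh.read()
    results["file1 accessed"] = snapshot(paths["file1"])
    with open(paths["file2"], "a") as fh:     # file2: change the contents
        fh.write("changed\n")
    results["file2 modified"] = snapshot(paths["file2"])
    results["file3 copied"] = snapshot(shutil.copy2(paths["file3"], other))  # keeps last written
    results["file4 moved"] = snapshot(shutil.move(paths["file4"], other))
    return results

if __name__ == "__main__":
    print("NtfsDisableLastAccessUpdate disabled:", last_access_update_disabled())
    res = run_scenarios()
    for label, snap in res.items():  # compare each step with that file's creation snapshot
        print(f"{label:15}", {k: time.ctime(v) for k, v in snap.items()},
              "changed:", changed_fields(res[label.split()[0] + " created"], snap))
```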
Question
If a Windows 7 system has last accessed timestamp as disabled and you insert a USB memory stick; will the last access timestamps change on the memory stick?
What happens when you try it?
To be honest it was more of a hypothetical question than a practical one.
It was a question posed whilst out of the office.
Just wondered if anyone had a quick answer?
Just wondered if anyone had a quick answer?
Yes, but it may take some time, and it may additionally depend on other settings.
(I couldn't make it quicker)
If you want the longer one, it is here:
http://www.forensicfocus.com/Forums/viewtopic/t=9329/
jaclaz