I need help with Windows 8. I am working on a case where there is chaos: Windows 8 is installed, but there is still other information from a previously installed system.
When I sort by last accessed time in EnCase, I see that the last activity is 2 days after the computer was shut down, so my question is how to see what happened and how to be 100% sure.
Please, if somebody knows, explain in steps what I need to do to confirm the data.
Do you see access dates 2 days after the computer's "shutdown date" taken from the registry? Or the last date that you know the computer was on?
Did you image it two days later and what method did you use? Or was it turned on in custody?
When I sort by last accessed time in EnCase, I see that the last activity is 2 days after the computer was shut down, so my question is how to see what happened and how to be 100% sure.
First, it's not really clear what you are looking *for*.
Second, when you say "sort by last access time", what are you referring to? As of Vista, Windows systems no longer update file system last access times by default.
Third, how were you able to determine when the computer was "shut down"? Via the Windows Event Log? Have you verified that is when it was, in fact, shut down?