Comments on digfor: Vista Timestamps
Blog author: eco (http://www.blogger.com/profile/16825754912128465389)
Feed updated: 2023-08-15T20:48:47.517+10:00
11 comments

eco, 2009-07-28T08:48:43.632+10:00

My guess is that the issue is to do with compound files and this also relates to Jpeg, which could be in compound image file format (Jpeg 2000). Ordinary files behave as per my diagrams; no 'Accessed Time' is changed when the file is accessed.
Normally no 'Accessed Time' is changed when the file is modified, but if it is a compound or possibly some image files, ‘Accessed Time’ can be the time of ‘Modification’.

I agree that further testing needs to be done to clarify this issue.

Harry, 2009-07-28T05:05:38.067+10:00

Hex - if it WERE possible to define the testable circumstances, I agree accessed time may be useful in those circumstances.

Andre - Your statement "‘Access Time’ value doesn’t change on accessing or modifying the file" is incorrect.

My statement "Last Accessed IS updated when a file is modified" is incorrect.

Both statements need qualification.

In respect of a jpg file, if I open in Paint, edit and save, the accessed is the same as modified; if I open a bmp in Paint and do the same, accessed is unchanged.

Do you find the same?

Hex Editrix, 2009-07-27T16:20:50.345+10:00

I would have thought that if Last Accessed times are only updated under some testable circumstances in non-tweaked Vista, that they might in fact be useful from a forensic perspective now, and not the 'moot point' they have been to date.

eco, 2009-07-27T14:08:01.451+10:00

No Access time is changed on my machine when “certain applications (like Word) ... OPEN A FILE.” Modified COMPOUND files behave differently.
When MS Word opens a native document, a Transacted mode is always used. This is true unless it is the temporary file that is being opened. Direct mode is used in this case.
In the transacted mode MS Office opens the file for writing, but it needs the ability to restore/undo the changes. This is done by creating other files ~something.tmp where all the changes are stored. When these changes are kept, these files are merged with the original file and the new version of the document is saved; if the changes are discarded, then ~something.tmp files are simply deleted and the original remains unchanged. I haven’t researched this area in great detail, but this is enough for me to treat COMPOUND files differently.
I haven’t noticed anything different with jpeg files though; after a few tests (modifications) Accessed time hasn’t changed.

Harry, 2009-07-27T02:01:05.212+10:00

That is interesting, as on my Vista (Ultimate) machine, Word documents have an updated Access time on Modification, as do Excel spreadsheets (Office 2003). A number of jpeg files have an access time updated when modified. It might be application specific. A txt file modified in Notepad does not get access date updated but it does in Word.

Whilst this might be interesting from a point of view of knowing what is going on, it is largely a moot point in practical forensic terms.

eco, 2009-07-24T23:24:39.759+10:00

Not on my Vista machine anyway :-)

Anonymous, 2009-07-23T06:35:01.607+10:00

Perhaps certain applications (like Word) are changing the timestamps when they open a file.

Harry, 2009-07-16T05:52:24.813+10:00

This is easily resolved - some files' last accessed is updated and others' aren't.

How that is determined I do not yet know.

Anonymous, 2009-07-10T10:40:01.655+10:00

Andre is right. Last Accessed IS NOT updated when a file is modified.

eco, 2009-07-09T12:29:52.300+10:00

Hi Harry,

Last 'Accessed' value is not updated when the actual file is modified. Only 'Modified' value gets updated. As I said before, a quick and simple test would confirm that. It has been tested with text (.txt) and .bmp files on Vista SP1 64bit.

It looks like link files behave differently. I wasn't referring to “The Meaning of Linkfiles ..” paper in particular, however I found that my tests with 'Accessed' time differ with findings mentioned in this paper.

Perhaps we should investigate this further; please email me if you are interested and we can compare our notes/methods.

Regards
Andre

Harry, 2009-07-09T06:32:10.465+10:00

Andre

It is not clear what NtfsDisableLastAccessUpdate actually means; according to TechNet, in one instance the value of 0 is defined to mean,
“updates the last-accessed timestamp of a file whenever that file is opened,”
and in another,
“when listing directories, NTFS updates the last-access timestamp on each directory it detects, and it records each time change in the NTFS log.”
In reality it appears to be a combination of the two.
I have seen numerous references in forensic papers and presentations to the effect of this registry change in Vista, including one comment that “NtfsDisableLastAccessUpdate is now 1, which means no last access timestamp will be written at all”.
Disabling last access update does not mean that the Accessed Date on files does not get updated at all; it means that it does not get updated on directory listing or file opening, but last accessed is updated when a file is modified and when a file is moved between volumes.

So in respect of your post Last Accessed IS updated when a file is modified.

regards

Harry