Saturday, July 4, 2009

Vista Timestamps

Timestamps can certainly be tricky because of many factors that can affect its accuracy. This fact however doesn’t automatically mean that file timestamps cannot be relied upon as evidence. This usually means that more work needs to be done by a forensic examiner to:
  • Correlate events from different sources.
  • Identify the factors leading to the timestamps changes.

Correlating events from different sources.

Some time ago a came across of an article about ‘selective enhancement’ method used to reconstruct a digital photograph from digital video footage. This method takes advantage of the fact that different frames are slightly different because the object moved or the light source is changed. These differences are collected and then utilised in reconstructing the image. Now going back to digital forensics, correlating events involves the process of identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of more weighty findings. Nevertheless, this kind of evidence may become crucial in reconstruction of events and is too important an area to neglect.

Identify the factors leading to the timestamps changes.

There are many factors that can affect timestamps including, but not limited to various scanning or indexing applications, changing the system clock, the clock skew or using anti-forensic tools. Unless the application responsible for altering time stamps has been resident in memory for a long time, such applications are identifiable based on its execution time.


The knowledge and experience plays a critical role in the process of verifying the accuracy of timestamps. There are many publications available on the Internet that discusses timestamps and Vista timestamps in particular. You can find a link to these publications in my old post. Yet, there are several recent ‘white papers’ on the Internet that just can’t get Vista timestamps right.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • Value Name: NtfsDisableLastAccessUpdate
  • Data Type: REG_DWORD (DWORD Value)
  • Value Data: set 1 to prevent the Last Access time stamp updates.
This doesn’t indicate that no ‘Access Time’ would not be updated at all. By simply experimenting with a text file sitting on your (if you have Vista of course) desktop, you would be able to quickly determine that ‘Access Time’ value doesn’t change on accessing and in most circumstances modifying the file would leave 'Acessed Time' unchanged. It will only change when you copy the file or move it to another volume.



Compound files such as MS Office .doc or .docx files and possibly certain other files such as .jpeg may also change 'Accessed Time' if these files have been modified.

11 comments:

Harry said...

Andre

It is not clear what NtfsDisableLastAccessUpdate actually means, according to TechNet in one instance the value of 0 is defined to mean,
“updates the last-accessed timestamp of a file whenever that file is opened, “
and in another,
“when listing directories, NTFS updates the last-access timestamp on each directory it detects, and it records each time change in the NTFS log.”
In reality it appears to be a combination of the two.
I have seen numerous references in forensic papers and presentations to the effect of this registry change in Vista, including one comment that “NtfsDisableLastAccessUpdate is now 1, which means no last access timestamp will be written at all”.
Disabling last access update does not mean that the Accessed Date on files does not get updated at all; it means that it does not get updated on directory listing or file opening, but last accessed is updated when a file is modified and when a file is moved between volumes.

So in respect of your post Last Accessed IS updated when a file is modified.

regards

Harry

eco said...

Hi Harry,

Last 'Accessed' value is not updated when the actual file is modified. Only 'Modified' value gets updated. As I said before, a quick and simple test would confirm that. It has been tested with text (.txt) and .bmp files on Vista SP1 64bit.

It looks like link files behave differently. I wasn't referring to “The Meaning of Linkfiles ..” paper in particular, however I found that my tests with 'Accessed' time differ with findings mentioned in this paper.

Perhaps we should investigate this further, please email me if you interested and we can compare our notes/methods.

Regards Andre

Anonymous said...

Andre is right. Last Accessed IS NOT updated when a file is modified.

Harry said...

This is easily resolved - some files' last accessed is updated and others' aren't.

How that is determined I do not yet know.

Anonymous said...

Perhaps certain applications (like Word) are changing the timestamps when they open a file.

eco said...

Not on my Vista machine anyway :-)

Harry said...

That is interesting, as on my Vista (Ultimate) machine, Word documents have an updated Access time on Modification, as do Excel spreadsheets. (Office 2003). A number of jpeg files have an access time updated when modified. It might be application specific. A txt file modfied in notepad does not get access date updated but it does in Word.

Whilst this might be interesting from a point of view of knowing what is going on, it is largely a mute point in practical forensic terms.

eco said...

No Access time is changed on my machine when “certain applications (like Word) ... OPEN A FILE.” Modified COMPOUND files behave differently.
When MS Word opens a native document, a Transacted mode is always used. This is true unless it is the temporary file that is being opened. Direct mode is used in this case.
In the transacted mode MS Office opens the file for writing, but it needs the ability to restore/undo the changes. This is done by creating other files ~something.tmp where all the changes are stored. When these changes are kept, these files are merged with the original file and the new version of the document is saved, if the changes are discarded, then ~something.tmp files are simply deleted and the original remains unchanged. I haven’t researched this area in great details, but this is enough for me to treat COMPUND files differently.
I haven’t noticed anything different with jpeg files though, after a few tests (modifications) Accessed time hasn’t changed.

Hex Editrix said...

I would have thought that if Last Accessed times are only updated under some testable circumstances in non-tweaked Vista, that they might in fact be useful from an forensic perspective now, and not the 'moot point' they have been to date.

Harry said...

Hex - if it WERE possible to define the testable circumstances, I agree accessed time may be useful in those circumstances.

Andre - Your statement "‘Access Time’ value doesn’t change on accessing or modifying the file" is incorrect.

My statement "Last Accessed IS updated when a file is modified" is incorrect.

Both statements need qualification.

In respect of a jpg file if I open in paint, edit and save the accessed is the same as modified, if I open a bmp in paint and do the same accessed in unchanged.

Do you find the same?

eco said...

My guess is that the issue is to do with compound files and this also relates to Jpeg, which could be in compound image file format (Jpeg 2000). Ordinary files behave as per my diagrams; no 'Accessed Time' is change when file is Accessed.
Normally no 'Accessed Time' is changed when the file is modified, but if it is a compound or possibly some image files, ‘Accessed Time’ can be the time of ‘Modification’.

I agree that further testing needs to be done to clarify this issue.