Way to tell what program or process accessed a file?


vrocco
Member
 

Way to tell what program or process accessed a file?

Post Posted: May 24, 13 22:58

Is there any way in Windows to determine what program or process last accessed a file?

If I have a file that I can see was accessed during the time a machine was compromised, can I tell if it was accessed by (for example) a virus scanner or an ftp program?

Thanks in advance.  
 
  

twjolson
Senior Member
 

Re: Way to tell what program or process accessed a file?

Post Posted: May 24, 13 23:48

Short answer : No.

Long answer : Nope.

You could create a super timeline (log2timeline, 4n6time) and see what executables were run (prefetch) at or near the time in question. But even if you see an executable being run and the timestamp being updated right after, you could never say definitively that it was the executable that did so.

You might get lucky with some log files. If, for instance, the virus scanner logged that it scanned a file at 11:57am, and the last accessed time is 11:57am, there are good odds those two are related.

I reserve the right to change my answer depending on the file in question, and the program in question.

This also assumes that Last Access time updating is on. If it is not, the file could have been accessed a hundred times before, during, and after the last access timestamp, and you'd never know.  
 
  

keydet89
Senior Member
 

Re: Way to tell what program or process accessed a file?

Post Posted: May 25, 13 03:46

While I agree with twjolson, there MAY be ways to tell which program may have accessed the file. However, there are some major caveats...depending upon which version of Windows you're working with, which file you're referring to, etc.

Prefetch analysis may reveal something useful:
windowsir.blogspot.com...sited.html

Create a timeline of system activity, including data from the user's Registry hives. If Windows 7, consider including the USN Change Journal in your timeline. Look at the activity 'near' the last accessed time of the file in question to see what may have occurred around the same time.

Do a search across the entire system for the file name. You're sure to get a hit in the $MFT, but check for hits in the user shellbags, as well.

None of these are definitive, only possibilities.  
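An added example, not code from this thread or from either poster, of the correlation twjolson and keydet89 describe in prose: take the target file's last-access time, gather timeline events from other sources (prefetch last-run times, an AV log line, a USN journal entry), and list the ones that fall within a window around it. The timeline lines, prefetch hashes and paths below are all constructed; the window size is an assumption. The helper that interprets NtfsDisableLastAccessUpdate covers twjolson's point that none of this matters if last-access updating was off.

```python
"""Timeline proximity check for a file's last-access time (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed timeline: ISO 8601 local time | source | detail.
# Prefetch hashes, paths and times are made up for this example.
SAMPLE_TIMELINE = """
# time|source|detail
2013-05-24T11:55:10|prefetch|EXPLORER.EXE-A1B2C3D4.pf last run
2013-05-24T11:56:58|avlog|Scanned C:\\Users\\bob\\Documents\\report.xls : clean
2013-05-24T11:57:02|prefetch|FTP.EXE-11223344.pf last run
2013-05-24T11:57:05|usnjrnl|report.xls BASIC_INFO_CHANGE|CLOSE
2013-05-24T12:20:00|prefetch|NOTEPAD.EXE-55667788.pf last run
"""

# Constructed last-access time of the file under examination.
TARGET_LAST_ACCESS = datetime(2013, 5, 24, 11, 57, 0)


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # e.g. "prefetch", "avlog", "usnjrnl"
    detail: str


def parse_events(text):
    """Parse 'time|source|detail' lines (blank lines and '#' comments skipped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, source, detail = line.split("|", 2)  # detail may itself contain '|'
        events.append(Event(datetime.fromisoformat(when), source, detail))
    return events


def correlate(last_access, events, window=timedelta(seconds=60)):
    """Return events within +/- window of last_access, nearest first.

    Proximity is a lead, not attribution: as both posters say, an executable
    seen running near the timestamp is only a candidate for having touched
    the file, never proof that it did.
    """
    hits = [(abs(e.when - last_access), e) for e in events
            if abs(e.when - last_access) <= window]
    hits.sort(key=lambda pair: pair[0])  # stable sort keeps input order on ties
    return [e for _, e in hits]


def last_access_updates_enabled(ntfs_disable_last_access_update):
    """Interpret the NtfsDisableLastAccessUpdate DWORD from
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem.

    0 = updates on, 1 = updates off (the Vista/7 default). Later Windows 10
    builds added 'system managed' values 2 and 3; the low bit still carries
    the on/off state, which is what this helper reads.
    """
    return (ntfs_disable_last_access_update & 1) == 0


def run_demo(window_seconds=60):
    """Correlate the constructed timeline against the target file's timestamp."""
    events = parse_events(SAMPLE_TIMELINE)
    return correlate(TARGET_LAST_ACCESS, events, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    if not last_access_updates_enabled(0):
        print("last-access updating is off: the timestamp is not meaningful")
    for e in run_demo():
        delta = (e.when - TARGET_LAST_ACCESS).total_seconds()
        print(f"{delta:+6.0f}s  {e.source:9s} {e.detail}")
```

Run against the constructed data, the AV scan, the FTP.EXE prefetch run and the USN entry all land within a few seconds of the last-access time, while EXPLORER.EXE and NOTEPAD.EXE fall outside the window; the output ranks candidates, and the examiner still has to prove or disprove each one as keydet89 suggests.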
 
  

twjolson
Senior Member
 

Re: Way to tell what program or process accessed a file?

Post Posted: May 25, 13 09:15

- keydet89
If Windows 7, consider including the USN Change Journal in your timeline. Look at the activity 'near' the last accessed time of the file in question to see what may have occurred around the same time.


I have not dug too deep into the $UsnJrnl, so please correct me if I am wrong.

That logs changes. But the original question asked about last access times. If a file was accessed, but not changed, why would it be in the $UsnJrnl file?

To clarify my post a little. Computers are so 'busy', as you well know. Even if the poster found an executable that was launched at the same time, or near, the file in question, I would be hesitant to ever say that one caused the other. Windows has many, many processes going on, and you could never say that any particular one (with some caveats) accessed a particular file.

You could theorize, of course, but coming up with theories is easy (and kind of pointless in our profession).  
 
  

keydet89
Senior Member
 

Re: Way to tell what program or process accessed a file?

Post Posted: May 25, 13 15:49

- twjolson

That logs changes. But the original question asked about last access times. If a file was accessed, but not changed, why would it be in the $UsnJrnl file?


I didn't say that it would be...remember, I said these are possibilities. Given the nature of the original question, I was offering up a possibility, in case there was more than just an access to the file.

- twjolson

To clarify my post a little. Computers are so 'busy', as you well know. Even if the poster found an executable that was launched at the same time, or near, the file in question, I would be hesitant to ever say that one caused the other. Windows has many, many processes going on, and you could never say that any particular one (with some caveats) accessed a particular file.


Agreed. Like I said, "possibilities".

- twjolson

You could theorize, of course, but coming up with theories is easy (and kind of pointless in our profession).


Of course...if that is all that is done. However, there is considerable value in proving or disproving those theories in order to further your examination.  
 
  

armresl
Senior Member
 

Re: Way to tell what program or process accessed a file?

Post Posted: May 27, 13 03:04

When I first started testifying I learned to stay away from words like absolutely, never, not possible. I would go and watch trials and see people get shredded when they painted themselves into a corner and tried to leave a small route out by saying "with some caveats".

Never means never, you can't apply caveats to never. If you don't believe me, try it the next time you testify where there is an expert on the other side.

- twjolson

To clarify my post a little. Computers are so 'busy', as you well know. Even if the poster found an executable that was launched at the same time, or near, the file in question, I would be hesitant to ever say that one caused the other. Windows has many, many processes going on, and you could never say that any particular one (with some caveats) accessed a particular file.

- keydet89
If Windows 7, consider including the USN Change Journal in your timeline. Look at the activity 'near' the last accessed time of the file in question to see what may have occurred around the same time.

You could theorize, of course, but coming up with theories is easy (and kind of pointless in our profession).

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather."
 
