File Open Activity - Explanations

(@cassielynn)
Posts: 3
New Member
Topic starter
 

For activity History "Open file or folder" C\Users\xxx\Downloads\FILENAME.

If the user did not do this file/open…what could be an explanation as to why this is showing as user activity in log files?

 
Posted : 12/05/2019 3:19 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Which specific “log” file are you referring to?

DateLastModified could be the last date and time a person made a significant change to a specific file.

 
Posted : 12/05/2019 3:53 pm
(@cassielynn)
Posts: 3
New Member
Topic starter
 

LNK file shows last access timestamp…and IE history shows a file accessed. So..trying to figure out when these two items indicate that this video file was opened or accessed..but we know that it was not…what would be an explanation for these artifacts?
Thanks for any assistance.

 
Posted : 13/05/2019 12:20 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

A LNK file, or shortcut, points to another file, typically an executable file; the executable file being the actual program file, not just a desktop shortcut icon pointing to the executable file.

Many program executable files also have companion log files detailing a timeline of human activity. Windows OS has event log files.

If you cannot figure it out after this many hints, Forensics might not be for you.

 
Posted : 13/05/2019 12:41 am
(@mrevoluter)
Posts: 14
Active Member
 

Hieee cassielynn,
1. First thing, file access is nothing but opening a file in general form, but forensically, access could be anything (maybe by an antivirus for scanning, the access time changes).
2. So, we can't confirm accessing means file opening.
3. The most appropriate way is following the LNK files, which are created when a particular is executed (could be opened, pasted, etc.; a general way of speaking of accessed).
4. Whereas you could follow the event logs.
Event IDs are 4656, 4658, 4660 & 4663 (for Windows).

 
Posted : 13/05/2019 2:58 am
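
Added example (not part of the thread): one way to act on the event IDs mentioned in the post above is to list which process produced each 4663 record for the file, so that a read by a scanner can be told apart from a user opening it. It assumes object-access auditing was enabled for the file and that the Security log was exported as XML and wrapped in a hypothetical `<Events>` root; the sample records are constructed, and `accesses_to` and `content_readers` are names chosen for this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_READ_DATA = 0x1  # AccessMask bit set when file contents are read
TARGET = r"C:\Users\xxx\Downloads\FILENAME"

def _event(time, user, proc, mask, obj=TARGET, eid=4663):
    # Builds one constructed record in the Security log's XML layout.
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
        f'<TimeCreated SystemTime="{time}"/></System><EventData>'
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="ObjectName">{obj}</Data>'
        f'<Data Name="AccessMask">{mask}</Data>'
        f'<Data Name="ProcessName">{proc}</Data></EventData></Event>'
    )

# Constructed sample data, not taken from the thread.
SAMPLE = "<Events>" + "".join([
    _event("2019-05-10T14:02:11Z", "SYSTEM", r"C:\Program Files\Windows Defender\MsMpEng.exe", "0x1"),
    _event("2019-05-10T14:05:40Z", "xxx", r"C:\Windows\explorer.exe", "0x80"),  # attributes only
    _event("2019-05-10T14:06:02Z", "xxx", r"C:\Windows\explorer.exe", "0x1", obj=r"C:\Users\xxx\Downloads\other.txt"),
    _event("2019-05-10T14:02:11Z", "SYSTEM", r"C:\Program Files\Windows Defender\MsMpEng.exe", "0x1", eid=4656),
]) + "</Events>"

def accesses_to(xml_text, target):
    """Return (time, user, process, read_data) for each 4663 event naming `target`."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("ObjectName", "").lower() != target.lower():
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        mask = int(data.get("AccessMask", "0x0"), 16)
        rows.append((when, data.get("SubjectUserName", ""), data.get("ProcessName", ""), bool(mask & FILE_READ_DATA)))
    return sorted(rows)

def content_readers(xml_text, target):
    """Processes that read the file's data, not just its attributes."""
    return {proc for _, _, proc, read in accesses_to(xml_text, target) if read}

if __name__ == "__main__":
    for row in accesses_to(SAMPLE, TARGET):
        print(row)
```
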
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

LNK file shows last access timestamp…

You mentioned "C\Users", so I'm guessing that this is a Windows 7 or Windows 10 system. As such, file system last accessed time stamps are less than useful, as updating them is disabled by default

https://forums.guru3d.com/threads/ntfs-disable-last-access-update-file-time-stamp-windows-10-april-1803-update.421228/

and IE history shows a file accessed. So..trying to figure out when these two items indicate that this video file was opened or accessed..but we know that it was not…what would be an explanation for these artifacts?
Thanks for any assistance.

Without knowing a bit more about what you're looking at, and what you're hoping to prove/disprove, it's tough to really provide any sort of guidance or insight.

What are you looking at that illustrates your finding with respect to IE? I'm asking, as there may be a misinterpretation of the data.

Do you see entries in the user's RecentDocs subkeys, or in the JumpLists?

HTH

 
Posted : 13/05/2019 3:07 pm
(@thefuf)
Posts: 262
Reputable Member
 

You mentioned "C\Users", so I'm guessing that this is a Windows 7 or Windows 10 system. As such, file system last accessed time stamps are less than useful, as updating them is disabled by default

On Windows 10, they can be enabled by default if a system volume is <= 128 GiB.

 
Posted : 13/05/2019 3:10 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Cool, I wasn't aware of that. I have volumes that are much more than 128 Gb, and the functionality is disabled.

Do you have documentation that you can point to?

Thanks!

 
Posted : 14/05/2019 12:18 am
(@thefuf)
Posts: 262
Reputable Member
 

Cool, I wasn't aware of that. I have volumes that are much more than 128 Gb, and the functionality is disabled.

Do you have documentation that you can point to?

Thanks!

https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/

 
Posted : 14/05/2019 8:38 am