
Windows' File Access Dates Unreliable

6 Posts
5 Users
0 Likes
2,298 Views
(@jhassell)
Posts: 9
Active Member
Topic starter
 

I have a case in which I need to discuss the unreliability of Access dates. I know a lot and have done lots of experimenting, but I would like articles from others on how the access dates are (mis)managed. Can anyone point me to any such articles? I know they exist, but Google, Forensic Focus, The Sedona Conference haven't revealed anything helpful. Thanks!

 
Posted : 20/10/2019 11:25 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

https://www.sans.org/reading-room/whitepapers/forensics/filesystem-timestamps-tick-36842

https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/

https://dfir.ru/2018/12/16/the-inconsistency-of-last-access-timestamps/

I hope this helps.

 
Posted : 21/10/2019 2:40 am
(@athulin)
Posts: 1156
Noble Member
 

I have a case in which I need to discuss the unreliability of Access dates. I know a lot and have done lots of experimenting, but I would like articles from others on how the access dates are (mis)managed.

It would help if you identified what kind of unreliability you are looking for, and what kind of quality in the article you expect.

I don't know of any unreliability in the last access time stamp myself. There is misinterpretation and there are inconsistencies, some of which are identified by the already posted references. There's also a considerable reluctance to perform well-designed tests, to repeat them when new releases of the software platform are released (to ensure the conclusions from those tests are still valid), and to report the results from such tests in appropriate forums. (Understandable, as most FAs are not trained researchers.)

The last serious study I've seen is 'Rules of time on NTFS file system', but that applies to XP SP2, and it can only be used for those use cases that they document (if it can be used at all). After that, all I have are blog posts, and they must generally be ignored from a critical point of view: there is no quality assurance inherent in a blog post, so no important conclusions can be based on them. They may be starting points for further research, but they are not (as a rule) where you find reliable conclusions.

Where did you search? Did you do a *real* literature search, or did you just Google? I mean … did you go to Science Citation Indexes and comparable references, and look for articles that reference known publications, such as Rules of Time and other?

If you did do all that, that is itself a result. The conclusion from it would presumably be 'Last Access Time is nowhere near as well researched and tested as it needs to be to draw any scientifically well-founded conclusions from it.' As it happens, that's more or less what I think of many of the basic areas of computer forensics, so I'm probably biased in that respect.

It should be noted that the 'truth' of time stamping is available. You license Windows (or perhaps only NTFS) source code – at a price, of course, unless Microsoft can be convinced that the use won't infringe on their commercial prerogatives. Then you study the code, and see when and where and how time stamps stamp. (You may need to do that for several releases to explain observed differences.) It's such a comparatively simple (though expensive) task that it's difficult to understand why it has not been done already. I mean, file system time stamps *are* pretty fundamental to computer forensics, aren't they?

 
Posted : 21/10/2019 6:13 am
(@maysr)
Posts: 3
New Member
 

It depends on which version of Windows you are examining, and which file system.

As of Vista, Microsoft by default disables the updating of the Last Access timestamp. This was done to improve performance (the fewer writes that are made to the hard drive, the faster the system performs).

You can verify this by looking at the SYSTEM registry hive

%systemroot%\system32\config\SYSTEM, key ControlSet00#\Control\FileSystem, value NtfsDisableLastAccessUpdate. If set to 1, then the Last Accessed timestamps will not be updated.

 
Posted : 06/11/2019 6:11 pm
(@thefuf)
Posts: 262
Reputable Member
 

It depends on which version of Windows you are examining, and which file system.

As of Vista, Microsoft by default disables the updating of the Last Access timestamp. This was done to improve performance (the fewer writes that are made to the hard drive, the faster the system performs).

You can verify this by looking at the SYSTEM registry hive

%systemroot%\system32\config\SYSTEM, key ControlSet00#\Control\FileSystem, value NtfsDisableLastAccessUpdate. If set to 1, then the Last Accessed timestamps will not be updated.

Actually, the last access updates are back for some installations of recent versions of Windows 10. And in the next release, they will be enabled by default in all installations (if Insider Preview versions don't lie).

 
Posted : 06/11/2019 7:51 pm
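An added example, not posted by anyone in this thread, of how to check the registry value maysr describes and read it with the extended meanings thefuf's reply refers to (Windows 10 1803 and later, where the value can be 0 to 3 rather than just 0 or 1, as documented for `fsutil behavior set disablelastaccess`), both on a live host and from an offline SYSTEM hive taken from an image. The evidence path `E:\evidence\Windows\System32\config\SYSTEM`, the temporary mount name `OfflineSYS`, the probe file name and the masking of any flag bits above the low two bits are assumptions made here for the example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
# Assumptions: 'E:\evidence\...' and 'HKLM\OfflineSYS' are placeholder names,
# and only the low two bits of NtfsDisableLastAccessUpdate carry the setting.

function Get-LastAccessPolicy {
    param([string]$HiveRoot = 'HKLM:\SYSTEM\CurrentControlSet')
    $key = Join-Path $HiveRoot 'Control\FileSystem'
    $raw = (Get-ItemProperty -Path $key -Name NtfsDisableLastAccessUpdate -ErrorAction Stop).NtfsDisableLastAccessUpdate
    # Low-bit meanings as documented for 'fsutil behavior set disablelastaccess'
    # (Windows 10 1803+; older releases only used 0 and 1):
    #   0 = User Managed, updates enabled    1 = User Managed, updates disabled
    #   2 = System Managed, updates enabled  3 = System Managed, updates disabled
    $meaning = switch ($raw -band 0x3) {
        0 { 'User Managed, Last Access updates enabled' }
        1 { 'User Managed, Last Access updates disabled' }
        2 { 'System Managed, Last Access updates enabled' }
        3 { 'System Managed, Last Access updates disabled' }
    }
    # REG_DWORD comes back as Int32; X8 prints the full 32-bit pattern.
    [pscustomobject]@{ Key = $key; Raw = ('0x{0:X8}' -f $raw); Meaning = $meaning }
}

function Test-LastAccessUpdate {
    # Probe the live behaviour: write a file, wait, read it, compare LastAccessTime.
    param([string]$Path = (Join-Path $env:TEMP 'atime-probe.txt'))
    Set-Content -Path $Path -Value 'probe'
    $before = (Get-Item $Path).LastAccessTime
    Start-Sleep -Seconds 2
    Get-Content -Path $Path | Out-Null        # the access
    $after = (Get-Item $Path).LastAccessTime
    [pscustomobject]@{ Before = $before; After = $after; Updated = ($after -gt $before) }
}

# 1. Live host: registry value and the OS's own interpretation of it.
Get-LastAccessPolicy
fsutil behavior query disablelastaccess

# 2. Offline hive from an image: mount it, follow Select\Current to the control
#    set that was actually in use, read the same value, then unmount.
reg.exe load HKLM\OfflineSYS 'E:\evidence\Windows\System32\config\SYSTEM' | Out-Null
$current = (Get-ItemProperty -Path 'HKLM:\OfflineSYS\Select' -Name Current).Current
Get-LastAccessPolicy -HiveRoot ('HKLM:\OfflineSYS\ControlSet{0:D3}' -f $current)
reg.exe unload HKLM\OfflineSYS | Out-Null

# 3. Behaviour check on the live host.
Test-LastAccessUpdate
```

Two caveats when reading the result. The value found in an offline hive only tells you the policy at the time the hive was last written; on a system-managed install the policy can differ between two machines with identical builds, so record the raw value rather than inferring it from the Windows version. And the live probe reports what the file-system API returns, which may be a newer value than what has been written to the $MFT record, since NTFS can defer writing the last-access update to disk (Microsoft documents a delay of up to one hour); for the forensic record, compare against $STANDARD_INFORMATION in the MFT entry, not the API.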
(@jhassell)
Posts: 9
Active Member
Topic starter
 

Thanks to all. I'd been thinking about a general discussion, but I think going after the specific version will be better. Obviously there could have been other versions on the device, but I should be able to deal with that.

Thanks again,
Johnette

 
Posted : 07/11/2019 12:43 am