Don't want to be obvious, but has anyone else spotted that, under NT4 at least, the "last accessed" date/time of a file is the date/time you inspected the "last accessed" date/time? Yes, the last access is always *now*. How helpful!

This *does* mean that potentially valuable evidence may be destroyed by checking it through the OS. Caution needs to be exercised.

Are there any tools which will read the MFT and extract this info without changing it? Is there any authoritative documentation of the detailed structure of the MFT which would allow such a tool to be written?

Michael D. Barwise, BSc, IEng, MIIE
Computer Security Awareness
http://www.ComputerSecurityAwareness.com
Addressing the Human Equation in Information Security
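An added example, not part of the original post: one way to read the four timestamps from an MFT record's $STANDARD_INFORMATION attribute by parsing raw bytes taken from a read-only image, so the file is never opened through the OS. The function names and the sample record are constructed for illustration, and the update-sequence fixup is not applied, so the code refuses any attribute that reaches the last two bytes of the first 512-byte sector.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE, END_MARKER = 0x10, 0xFFFFFFFF   # $STANDARD_INFORMATION, end of attributes

def filetime_to_dt(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def standard_info_times(record):
    """Return the four $STANDARD_INFORMATION timestamps of one raw MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    (off,) = struct.unpack_from("<H", record, 0x14)      # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARKER or alen == 0:
            break
        if atype != SI_TYPE:
            off += alen                                  # skip to next attribute
            continue
        if record[off + 8] != 0:
            raise ValueError("$STANDARD_INFORMATION must be resident")
        clen, coff = struct.unpack_from("<IH", record, off + 0x10)
        start = off + coff
        # Bytes 510-511 hold the update sequence number until fixups are applied.
        if clen < 32 or start + 32 > 510:
            raise ValueError("timestamps truncated or overlapping the fixup bytes")
        names = ("created", "modified", "mft_changed", "accessed")
        vals = struct.unpack_from("<4Q", record, start)
        return {n: filetime_to_dt(v) for n, v in zip(names, vals)}
    raise ValueError("no $STANDARD_INFORMATION attribute")

def build_sample_record():
    """Constructed 1024-byte record for the demo (not real evidence)."""
    ft = lambda dt: int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000
    times = [datetime(2001, 5, d, 12, 0, tzinfo=timezone.utc) for d in (1, 2, 3, 4)]
    content = struct.pack("<4QI", *map(ft, times), 0x20) + bytes(12)   # 48 bytes
    attr = struct.pack("<IIBBHHHIHBB", SI_TYPE, 0x18 + len(content), 0, 0,
                       0x18, 0, 0, len(content), 0x18, 0, 0) + content
    header = bytearray(0x30)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x30)           # first attribute at 0x30
    return (bytes(header) + attr + struct.pack("<I", END_MARKER)).ljust(1024, b"\0")

if __name__ == "__main__":
    for name, value in standard_info_times(build_sample_record()).items():
        print(f"{name:12} {value.isoformat()}")
```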
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 14:10:47 PDT