RE: Registry Key LastWrite times

From: Michael D. Barwise, BSc, IEng, MIIE (mikeat_private)
Date: Thu May 31 2001 - 08:51:32 PDT

  • Next message: Troy Larson: "RE: Registry Key LastWrite times"

    Don't want to be obvious, but has anyone else spotted that, under NT4 at 
    least, the "last accessed" date/time of a file is the date/time you inspected 
    the "last accessed" date/time? Yes, the last access is always *now*. How 
    helpful! This *does* mean that potentially valuable evidence may be 
    destroyed by checking it through the OS. Caution needs to be exercised. 
    Are there any tool which will read the MFT and extract this info without 
    changing it? Is there any authoritative documentation of the detailed 
    structure of the MFT which would allow such a tool to be written?
    
    
    
    
    Michael D. Barwise, BSc, IEng, MIIE
    Computer Security Awareness
    http://www.ComputerSecurityAwareness.com
    
    Addressing the Human Equation in Information Security
    



    This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 14:10:47 PDT