RE: Registry Key LastWrite times

From: Michael D. Barwise, BSc, IEng, MIIE (mikeat_private)
Date: Thu May 31 2001 - 08:51:32 PDT

Next message: Troy Larson: "RE: Registry Key LastWrite times"

Previous message: H C: "RE: Registry Key LastWrite times"
In reply to: Frank Heyne: "RE: Registry Key LastWrite times"
Next in thread: H Carvey: "RE: Registry Key LastWrite times"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Don't want to be obvious, but has anyone else spotted that, under NT4 at 
least, the "last accessed" date/time of a file is the date/time you inspected 
the "last accessed" date/time? Yes, the last access is always *now*. How 
helpful! This *does* mean that potentially valuable evidence may be 
destroyed by checking it through the OS. Caution needs to be exercised. 
Are there any tool which will read the MFT and extract this info without 
changing it? Is there any authoritative documentation of the detailed 
structure of the MFT which would allow such a tool to be written?




Michael D. Barwise, BSc, IEng, MIIE
Computer Security Awareness
http://www.ComputerSecurityAwareness.com

Addressing the Human Equation in Information Security

Next message: Troy Larson: "RE: Registry Key LastWrite times"
Previous message: H C: "RE: Registry Key LastWrite times"
In reply to: Frank Heyne: "RE: Registry Key LastWrite times"
Next in thread: H Carvey: "RE: Registry Key LastWrite times"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 14:10:47 PDT