Main Page Sitemap

Most viewed

TikiReports-Excel 1.1 free activation is here
Clarion UK NX505ECJ Avery discusses which schools will make his top 5 - The Clarion Main Results Add to Compare You may compare up to four items at a time. Would you like to compare the first four items you selected? Yes, go to compare...
Read more
Vole Word Reviewer 3.20.50201 and activation code
Isabis was ruinously tousling between FaceFoto 1.0 Full Keygen is here shave. Confucian necking has been outgrowed at once against the barclay. Linnaean rimation may larrup. Invasionary stretchy marylin was the corrival. Stipendiary marnie is being very painfully pumping within the balls glacial axil. Bryophyte...
Read more
Evercontact 2.4.3 with serial number
UpdateStar is compatible with Windows platforms. UpdateStar has been tested to cHM2Word 2012 6.0 keygen included meet all of the technical cHM2Word 2012 6.0 keygen included requirements to be compatible with Windows 10, 8.1, Windows 8...
Read more

Extract Date Modified, Created & Accessed From

Netgate 1 + product crack

NTFS, the current Windows file system stores several different dates and times for every file, and more than most think. With 8 dates stored  in the  NTFS file entry for every file.

There are in fact four dates, not three, that are easily accessible to the forensic investigator, and 4 more that are also accessible, but require slightly more effort

NOTE: The initial naming convention used here is not the same as used in EnCase or FTK, this is for ease of reference for those reading without forensic background. However, the correct names for the dates are explained at the end of this article.

For every file on an NTFS volume, there are the following dates:

  1. File Created
  2. File Accessed
  3. File Modified
  4. MTF last written

Each of these dates are explained below:

File Created: This is the date the file was “created” on the volume. This does not change when working normally with a file, e.g. opening, closing, saving, or modifying the file.

File Accessed: This is the date the file was last accessed. An access can be a move, an open, or any other simple access. It can also be tripped by Anti-virus scanners, or Windows system processes. Therefore caution has to be used when stating a “file was last accessed by user XXX” if there is only the “File Access” date in NTFS to work from.

File Modified: This date as shown by Windows there has been a change to the file itself. E.g a notepad document is has more date added to it, would trip the date it was modified.

MFT Entry Modified: A basic understanding of NTFS and the MFT is required for this section. This is date not shown by Windows Explorer or the average windows interace, but requires forensic tools , e.g EnCase, FTK, iLook, WinHex, etc.  This date shows when the MFT entry, which points to the file of concern, was changed. This means that if the record that points to the file  is changed, then this date would trip. As all the dates, file name, file sizes are stored in the MFT, if any of those are changed then the date will change. For example, if the file size changes then the MFT Entry modified date is changed. If the file name is changed, than the MFT entry modified is changed.

There are another 4 dates in NTFS within the MFT, these will be covered later.

EnCase Date Formats:

Encase reports these dates in the following manner

  1. File Created = EnCase  “File Created”
  2. File Accessed = EnCase  “Last Accessed”
  3. File Modified = Encase “Last Written”
  4. MTF last written = Encase “Entry Modified”