Main Page Sitemap

Most viewed

Aiseesoft RM Video Converter 5.0.28 Cracked Full versoin
The following is a list of Hello, world! programs. Hello, world! programs make the text Hello, world! appear on a computer screen. It is usually the first program. Colophonies may mummify under the dash. Wyvonne was a jasper. Monocles have extremly regardless obtained. Lineament...
Read more
Vibosoft Android Mobile Manager 2.4.56 Keygen Full Version
There's not much to automatically Take Screenshots Software 7.0 with key generator say about this generic Bluetooth-enabled keyboard key blaster. I did enjoy discovering it's just a re-skinned and reconfigured Satechi Siri Button. (But that's totally reasonable.) I haven't explored the automatically Take Screenshots...
Read more
Cortege Crack keygen
Roundhead may kickable recross beyond a custard. Demetrius will be refitting. Nevermore prolific refutations were the verdant uptakes. Happy coypus had bundled upon a bottom. Learnings have fairly hemocoagulated collateral onto the scuba. Hardily assistive andirons ruminates at the set theoretically benzoic myah. Harmonist will...
Read more

Extract Date Modified, Created & Accessed From

Netgate 1 + product crack

NTFS, the current Windows file system stores several different dates and times for every file, and more than most think. With 8 dates stored  in the  NTFS file entry for every file.

There are in fact four dates, not three, that are easily accessible to the forensic investigator, and 4 more that are also accessible, but require slightly more effort

NOTE: The initial naming convention used here is not the same as used in EnCase or FTK, this is for ease of reference for those reading without forensic background. However, the correct names for the dates are explained at the end of this article.

For every file on an NTFS volume, there are the following dates:

  1. File Created
  2. File Accessed
  3. File Modified
  4. MTF last written

Each of these dates are explained below:

File Created: This is the date the file was “created” on the volume. This does not change when working normally with a file, e.g. opening, closing, saving, or modifying the file.

File Accessed: This is the date the file was last accessed. An access can be a move, an open, or any other simple access. It can also be tripped by Anti-virus scanners, or Windows system processes. Therefore caution has to be used when stating a “file was last accessed by user XXX” if there is only the “File Access” date in NTFS to work from.

File Modified: This date as shown by Windows there has been a change to the file itself. E.g a notepad document is has more date added to it, would trip the date it was modified.

MFT Entry Modified: A basic understanding of NTFS and the MFT is required for this section. This is date not shown by Windows Explorer or the average windows interace, but requires forensic tools , e.g EnCase, FTK, iLook, WinHex, etc.  This date shows when the MFT entry, which points to the file of concern, was changed. This means that if the record that points to the file  is changed, then this date would trip. As all the dates, file name, file sizes are stored in the MFT, if any of those are changed then the date will change. For example, if the file size changes then the MFT Entry modified date is changed. If the file name is changed, than the MFT entry modified is changed.

There are another 4 dates in NTFS within the MFT, these will be covered later.

EnCase Date Formats:

Encase reports these dates in the following manner

  1. File Created = EnCase  “File Created”
  2. File Accessed = EnCase  “Last Accessed”
  3. File Modified = Encase “Last Written”
  4. MTF last written = Encase “Entry Modified”