Security Basics mailing list archives
RE: Windows 2000 Last accessed file time stamp
From: "Joel A. Folkerts" <jfolkert () hiwaay net>
Date: Sun, 11 Dec 2005 08:15:21 +0100
Ken- Although I don't think this is your situation -- if the partition in question is Fat32, you won't see "Last Accessed" times. Also, if the drive was properly imaged, you won't see any modifications to your files or their attributes. -Joel -----Original Message----- From: Ken Pedigo [mailto:kpedigo () gmail com] Sent: Thursday, December 08, 2005 9:04 AM To: security-basics () securityfocus com Subject: Windows 2000 Last accessed file time stamp I looking at a computer that was accessed while someone was on vacation. We have noticed in the event viewer there are events for a system start up and for a shutdown on specific dates. The "Last Accessed" tab in Windows explorer is showing that these files were accessed on 12-2-2005 at 12:00 am. I'm seeing that the time never changes on any of the files accessed. I'm trying to figure out what was accessed on the system and why this time stamp is wrong. I'm thinking that if someone removed the drive and made an image of the drive that the time stamp would remain unchanged. I'm not sure what would happen if the drive was placed in a computer running XP or Server 2003. I ran a test on another system that is also running WIN2K, but the time stamps are fine. The access times are scattered. I'm also noticing that not every file in every directory was accessed on this day. I also ran afind on the system, afind did not show any conclusive information. Any help would be appreciated. Thanks Ken
Current thread:
- Windows 2000 Last accessed file time stamp Ken Pedigo (Dec 08)
- Re: Windows 2000 Last accessed file time stamp Khalil N. Zamai (Dec 08)
- RE: Windows 2000 Last accessed file time stamp Joel A. Folkerts (Dec 12)
- <Possible follow-ups>
- RE: Windows 2000 Last accessed file time stamp Joshua Taylor (Dec 08)