Security Basics mailing list archives
Re: Lnk files
From: Alex Fiuvertiz <fiuvertiz () gmail com>
Date: Mon, 9 Feb 2009 10:21:17 +0100
Hi, We´re using EnCase. Thank you both for your input. I have tested the AV but it didn't update the property when doing a system scan. Perhaps different between differnt versions. I'll dig deeper into this and perhaps return with some follow-up questions later. Cheers, Alex 2009/2/9 Murda Mcloud <murdamcloud () bigpond com>:
These may help: http://www.forensicfocus.com/link-file-evidentiary-value http://windowsir.blogspot.com/2007/12/windows-shortcut-lnk-files.html What are you using to look at the MAC times? If I right click and check the properties of a file, I will change the date accessed property.-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alex Fiuvertiz Sent: Friday, February 06, 2009 11:15 PM To: security-basics () securityfocus com Subject: Lnk files Hi, On windows you have a "recent" folder (example C:\Documents and...\user\recent) which contains .lnk files. What operation on windows can cause the property "Date Accessed" on multiple files in this directory to change timestamp, but the "Date Modified" and "Date Created" are not altered? When using roaming profiles the "Date Created" is also changed so that is not the case. A search doesn't either generate this phenomenon. And not AV scans. Appreciate your thoughts and ideas. / Alex
Current thread:
- Lnk files Alex Fiuvertiz (Feb 06)
- RE: Lnk files Murda Mcloud (Feb 09)
- Re: Lnk files Alex Fiuvertiz (Feb 09)
- RE: Lnk files Murda Mcloud (Feb 09)