Security Basics mailing list archives

RE: Windows 2000 Last accessed file time stamp


From: "Joel A. Folkerts" <jfolkert () hiwaay net>
Date: Sun, 11 Dec 2005 08:15:21 +0100

Ken-

Although I don't think this is your situation -- if the partition in
question is FAT32, you won't see "Last Accessed" times. Also, if the drive
was properly imaged, you won't see any modifications to your files or their
attributes.

-Joel

-----Original Message-----
From: Ken Pedigo [mailto:kpedigo () gmail com] 
Sent: Thursday, December 08, 2005 9:04 AM
To: security-basics () securityfocus com
Subject: Windows 2000 Last accessed file time stamp

I'm looking at a computer that was accessed while someone was on vacation. We
have noticed in the event viewer there are events for a system start up and
for a shutdown on specific dates. The "Last Accessed" tab in Windows
explorer is showing that these files were accessed on 12-2-2005 at 12:00 am.
I'm seeing that the time never changes on any of the files accessed. I'm
trying to figure out what was accessed on the system and why this time stamp
is wrong.

I'm thinking that if someone removed the drive and made an image of the
drive that the time stamp would remain unchanged. I'm not sure what would
happen if the drive was placed in a computer running XP or Server 2003. I
ran a test on another system that is also running WIN2K, but the time stamps
are fine. The access times are scattered. I'm also noticing that not every
file in every directory was accessed on this day. I also ran afind on the
system; afind did not show any conclusive information.

Any help would be appreciated.

Thanks
Ken
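
Added example, not part of either post: a Python script that tallies last-access timestamps under a directory and separates those falling exactly on local midnight (a date-only value, which is all a FAT directory entry stores for last access) from those carrying a real time of day. The function names and the command-line usage are assumptions made for this illustration.

```python
import os
import sys
from collections import Counter
from datetime import datetime


def summarize_atimes(root):
    """Walk root and return two Counters keyed by access date:
    (files whose atime is exactly 00:00:00 local, files with a time of day)."""
    date_only, with_time = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)  # stat() does not itself update the file's atime
            except OSError:
                continue  # unreadable or vanished entry: skip it
            at = datetime.fromtimestamp(st.st_atime)  # local time, as Explorer shows it
            if at.hour == at.minute == at.second == 0:
                date_only[at.date()] += 1
            else:
                with_time[at.date()] += 1
    return date_only, with_time


def midnight_ratio(root):
    """Fraction of files whose last-access value has no time-of-day component."""
    date_only, with_time = summarize_atimes(root)
    total = sum(date_only.values()) + sum(with_time.values())
    return sum(date_only.values()) / total if total else 0.0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    date_only, with_time = summarize_atimes(target)
    print("midnight-only fraction: %.2f" % midnight_ratio(target))
    for day in sorted(set(date_only) | set(with_time)):
        print(day, "date-only:", date_only[day], "with time:", with_time[day])
```

Run it against a read-only mounted copy of the image rather than the original drive, since walking a live volume can update directory access times. A fraction near 1.0 points to date-only storage of the field rather than many files genuinely touched at midnight.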

