Re: Lnk files

[Alex Fiuvertiz <fiuvertiz () gmail com>]

Hi,

We´re using EnCase.
Thank you both for your input. I have tested the AV but it didn't
update the property when doing a system scan. Perhaps different
between differnt versions.
I'll dig deeper into this and perhaps return with some follow-up
questions later.

Cheers, Alex



2009/2/9 Murda Mcloud <murdamcloud () bigpond com>:
> These may help:
>
> http://www.forensicfocus.com/link-file-evidentiary-value
>
> http://windowsir.blogspot.com/2007/12/windows-shortcut-lnk-files.html
>
> What are you using to look at the MAC times?
>
> If I right click and check the properties of a file, I will change the date
> accessed property.
>
> > > -----Original Message-----
> > > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > > On Behalf Of Alex Fiuvertiz
> > > Sent: Friday, February 06, 2009 11:15 PM
> > > To: security-basics () securityfocus com
> > > Subject: Lnk files
> > >
> > > Hi,
> > >
> > > On windows you have a "recent" folder (example C:\Documents
> > > and...\user\recent) which contains .lnk files.
> > > What operation on windows can cause the property "Date Accessed" on
> > > multiple files in this directory to change timestamp, but the "Date
> > > Modified" and "Date Created" are not altered?
> > >
> > > When using roaming profiles the "Date Created" is also changed so that
> > > is not the case. A search doesn't either generate this phenomenon. And
> > > not AV scans.
> > >
> > > Appreciate your thoughts and ideas.
> > >
> > > / Alex