@port139 Blog

This blog mainly covers digital forensics techniques, but there is a high probability that the content contains errors.

NTFS last access time and 1 hour

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

Summary:

  1. The resolution of the NTFS Last Access Time is one hour. (I ran the test on Win 10 ver 1803.)
  2. The "fsutil file layout" command and PowerShell display the latest timestamp.
  3. Displaying properties in Explorer may show an old timestamp. (This is not a sufficient verification.)
  4. @errno_fail commented on the timestamp held in memory. Thank you!

---

The resolution of NTFS last access time is described as 1 hour.

File Times - Windows applications | Microsoft Docs

The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access.

I confirmed the Last Access Time update on Win 10 ver 1803. (DisableLastAccess = 2 (System Managed, Disabled))

Please note that it is not a sufficient verification method.

Check the time stamp of the sample image file with the fsutil command.
2018/12/09 11:27:05 UTC


Display properties in Windows Explorer. You can check the same timestamp as fsutil command. (The time zone of the verification environment is set to UTC.)


Again, display the time stamp with the fsutil command.


Display properties in Windows Explorer.

Oh? Explorer displays a different Last Access Time than the one in the FILE record.


I closed Windows Explorer and checked again, but it showed the same timestamp: 2018/12/10 10:01:46 UTC

Why does Explorer display an old Last Access Time?

I tested it again. Check the timestamp in the property.


Check the time stamp with the fsutil command.

As a double check, I confirmed the timestamp with FTK Imager.

I confirmed the timestamp in $I30. It was the same timestamp that FTK Imager showed.

2018/12/10 11:11:56.6756334 UTC


???

Is the fsutil command displaying the latest information, which differs from the value on the disk?

When I checked the property again, I noticed that the time stamp was updated.


The Last Access Time has also been updated in the display of FTK Imager.


It is unknown which access caused the Last Access Time to be updated.
I need to do further verification.


Last Access Time Verification of resolution is a bit difficult. ;-)

<2018/12/11 add>
Thank you for your comment.

<2018/12/16 add>

I confirmed the Last Access Time in PowerShell. PowerShell displays the latest timestamp.


I checked the Last Access Time with PowerShell, and checking it this way did not update the Last Access Time.
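The procedure above (read the file, then compare what "fsutil file layout" and PowerShell report for the Last Access Time) can be repeated without screenshots. The script below is an added example for this post, not the author's code: it assumes an elevated PowerShell on Windows 10 (fsutil file layout requires administrator rights), a test file path of your choosing, and that fsutil prints the timestamp on a line labelled "Last Access Time"; the regular expression that picks that line is an assumption about fsutil's output format. The DisableLastAccess value is echoed raw rather than interpreted.

```powershell
# Added example (not part of the original post): observe the NTFS Last Access Time
# through Get-Item and "fsutil file layout" before and after reading a file.
# Assumptions: elevated PowerShell on Windows 10, test path below is arbitrary,
# and the "Last Access Time :" label is how fsutil labels the field in its output.
param(
    [string]$Path = "C:\temp\lastaccess-test.txt"   # assumed path, change as needed
)

function Get-FsutilLastAccess {
    param([string]$FilePath)
    # fsutil prints one block per file record; return the first matching line.
    # The label/format of this line is an assumption about fsutil's output.
    $lines = & fsutil.exe file layout $FilePath 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*Last Access Time\s*:\s*(.+?)\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

function Get-PsLastAccess {
    param([string]$FilePath)
    # Get-Item reads the metadata through the Win32 file API; report it in UTC with
    # full 100 ns precision so it can be compared with forensic tool output.
    return (Get-Item -LiteralPath $FilePath).LastAccessTimeUtc.ToString("yyyy/MM/dd HH:mm:ss.fffffff")
}

# Show the volume-wide last-access policy as fsutil reports it (raw value).
& fsutil.exe behavior query DisableLastAccess

# Create a constructed sample file if it does not exist yet.
if (-not (Test-Path -LiteralPath $Path)) {
    Set-Content -LiteralPath $Path -Value "constructed sample content"
}

"Before read:  PowerShell=$(Get-PsLastAccess $Path)  fsutil=$(Get-FsutilLastAccess $Path)"

# Read the whole file; this is the access that may move Last Access Time forward.
[void][System.IO.File]::ReadAllBytes($Path)

"After read:   PowerShell=$(Get-PsLastAccess $Path)  fsutil=$(Get-FsutilLastAccess $Path)"

# To reproduce the post's observation, open the file's Properties dialog in
# Explorer at this point and compare its Accessed value with the two lines above.
```

Querying the timestamp with Get-Item is itself a metadata read, so running the script twice without reading the file in between is a quick way to confirm the post's note that checking the value in PowerShell does not move the Last Access Time.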


Verification environment: Windows 10 1803

Reference URL:
