@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

NTFS last access time and 1 hour (3)

Note: I translated the Japanese into English using Google Translate.
Thank you, Google.

Summary:

  1. I confirmed that the latest Last Access Time is written to disk when the file is accessed after 1 hour has elapsed.
  2. I did not check whether the Last Access Time held in memory is written to disk when shutting down after one hour has elapsed without accessing the file.
    <2018/12/16 Add>
    The latest Last Access Time was written to disk by the shutdown.
    When the Last Access Time was updated, the MFT record time stamp was not updated.
  3. This verification required repeating the same thing over and over... and I still know that it is not enough.

---

I am continuing to test the last access time in the Windows 10 1803 environment. (I repeat the same thing like a monkey. :-)
I am hoping to finish this test today.

Please note that it is not a sufficient verification method.

DisableLastAccess = 2 (System Managed, Disabled) ⇒ Last Access Time updates are enabled.
The test volume F: is NTFS and the size is 149 GB.

Display properties of Dragonfly.jpg in Explorer.

Check the latest time stamp with the fsutil command.

Check the time stamp recorded on the disk.

It is different from the result of fsutil. I was able to confirm that the old time stamp was saved. This value is the same as the timestamp shown in the properties dialog.
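To read the time stamp recorded on the disk the way a forensic examiner would, here is an added example that is not from this blog: a small Python parser for the $STANDARD_INFORMATION attribute of an NTFS FILE record, which applies the update-sequence fixups before reading the four timestamps. It runs against a constructed 1024-byte record rather than the F: volume; the record layout values, the sample timestamps and the function names are assumptions for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (sub-microsecond part is dropped)."""
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """Undo the update sequence array: restore the last 2 bytes of each 512-byte sector."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_off:usa_off + 2]
    out = bytearray(record)
    for i in range(1, usa_count):
        end = i * 512 - 2
        if out[end:end + 2] != usn:
            raise ValueError("update sequence mismatch (torn write)")
        out[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def standard_information_times(record):
    """Return the four $STANDARD_INFORMATION timestamps of a FILE record as UTC datetimes."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(record)
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of the first attribute
    while True:
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:
            raise ValueError("$STANDARD_INFORMATION not found")
        if atype == 0x10:  # $STANDARD_INFORMATION, always resident
            content = off + struct.unpack_from("<H", record, off + 0x14)[0]
            keys = ("created", "modified", "mft_changed", "accessed")
            vals = struct.unpack_from("<4Q", record, content)
            return dict(zip(keys, map(filetime_to_datetime, vals)))
        off += alen

def build_sample_record(created, modified, mft_changed, accessed):
    """Constructed FILE record holding only $STANDARD_INFORMATION (sample data, not from a disk)."""
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHIIQ", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x88, 0x400, 0)
    rec[0x30:0x36] = b"\x01\x00" + b"\x00\x00\x00\x00"  # USN 1, then the saved sector-end words
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x01\x00"   # sector ends carry the USN on disk
    struct.pack_into("<IIBBHHHIHBB", rec, 0x38, 0x10, 0x48, 0, 0, 0x18, 0, 0, 0x30, 0x18, 0, 0)
    struct.pack_into("<4Q", rec, 0x50, *map(datetime_to_filetime, (created, modified, mft_changed, accessed)))
    struct.pack_into("<I", rec, 0x80, 0xFFFFFFFF)       # end-of-attributes marker
    return bytes(rec)
```

Comparing the "accessed" value this returns against what fsutil or Get-Item reports shows whether the cached Last Access Time has reached the disk yet.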

Wait one hour.

Check the latest time stamp with the fsutil command. The timestamp has not changed.

The time stamp on the disk also does not change.

Display the properties of the file and update the timestamp.

Check the latest time stamp with the fsutil command.

Check the time stamp on the disk. The latest timestamp was recorded.

Perhaps this is what I wanted to test.
In the future, I would like to consider a better verification method.


The resolution of NTFS last access time is described as 1 hour.

File Times - Windows applications | Microsoft Docs

The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access.

<2018/12/16 Add>

I tested whether a Last Access Time not yet recorded on disk is written by the shutdown process.

The Last Access Time confirmed with the fsutil command had still not been written to disk even after 1 hour.

Shut down the system and start it again. (In this system, fast startup is enabled.)
The Last Access Time seems to have been written to the disk by the shutdown process.

I did not pay attention to the update date of the FILE record, but it seems that it was not updated.

Updating the NTFS Last Access Time by displaying the file properties does not update the Change Time. When the Last Access Time is set in PowerShell, the Change Time is updated.

$(Get-Item f:\Butterfly.jpg).lastaccesstime=$(Get-Date "01/01/2000 00:00 am")
The Change Time is updated.

Display the properties of the file to update the Last Access Time.
The Last Access Time is updated, but the Change Time does not change.

Verification environment: Windows 10 1803

Reference URL:

File Times - Windows applications | Microsoft Docs

dfir.ru