Note:I translated Japanese into English using Google Translate.
Thank you, Google.
- NTFS's Last Access Time resolution is one hour. ( I started the test on Win 10 ver 1803.)
- "fsutil file layout" command and PowerShell displays the latest timestamp.
- Displaying properties in Explorer may display old timestamps.(It is not sufficient verification.)
- @errno_fail comments on the timestamp in memory. Thank you!
The resolution of NTFS last access time is described as 1 hour.
The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access.
Confirm Last Access Time update on Win 10 ver 1803. (DisableLastAccess = 2 (System Managed, Disabled))
Please note that it is not a sufficient verification method.
Check the time stamp of the sample image file with the fsutil command.
2018/12/09 11:27:05 UTC
Display properties in Windows Explorer. You can check the same timestamp as fsutil command. (The time zone of the verification environment is set to UTC.)
Again, display the time stamp with the fsutil command.
Display properties in Windows Explorer.
Oh? , Explorer displays a different Last Access Time than the FILE record.
I closed Windows Explorer and confirmed it again, but it was the same timestamp. 2018/12/10 10:01:46 UTC
Why does Explorer display old time stamp(Last Access Time)?
I tested it again. Check the timestamp in the property.
Check the time stamp with the fsutil command.
Double check, I confirmed timestamp with FTK Imager
I confirmed the timestamp of $I30. I confirmed the same time stamp as FTK Imager.
2018/12/10 11:11:56.6756334 UTC
Is the fsutil command displaying the latest information and it is different from the value on the disk?
When I checked the property again, I noticed that the time stamp was updated.
The Last Access Time has also been updated in the display of FTK Imager.
It is unknown which access the Last Access Time was updated.
I need to do further verification.
Last Access Time Verification of resolution is a bit difficult. ;-)
Thank you for your comment.
@port139 @HECFBlog— Maxim Suhanov (@errno_fail) December 11, 2018
So, the NTFS driver keeps two last access timestamps in memory (for each file): the real one and the shadow one. The real one corresponds to the timestamp on a disk (in the $SI attribute). The shadow one has no corresponding timestamp on a disk. 1/6 #DFIR
I confirmed the Last Access Time in PowerShell. PowerShell displays the latest timestamp.
I checked the Last Access Time with PowerShell and the Last Access Time was not updated.
Verification environment: Windows 10 1803