Note: I translated the Japanese into English using Google Translate.
Thank you, Google.
Summary:
- I used FTK Imager and Autopsy as tools to check Last Access Time on an NTFS volume. However, adding "Local Drive" did not produce the expected results. (I lost a lot of time repeating this.)
- Using "PHYSICALDRIVE", the expected results were obtained.
- I recommend checking with PHYSICALDRIVE in Last Access Time tests.
---
I am continuing to test Last Access Time in a Windows 10 1803 environment.
Please note that this is not a sufficient verification method.
DisableLastAccess = 2 (System Managed, Disabled) ⇒ Last Access Time updates are enabled.
The test volume F: is NTFS, 149 GB in size.
Check the current timestamp with the fsutil command.
Display the properties of Dragonfly.jpg in Explorer. Last Access Time is updated by this operation. (Close the Properties dialog and close Explorer.)
Check the timestamp again with the fsutil command.
Open PhysicalDrive2 (in FTK Imager) and check the timestamp. The old timestamp still on the disk is displayed.
Add Local Drive F: and check the timestamp. Interestingly, adding Local Drive F: updates the displayed timestamp to the latest value. (This also happens with Autopsy.)
Does accessing the logical drive flush the latest information to the disk?
I recommend checking with PHYSICALDRIVE in Last Access Time tests.
Because I was referring to F: in this test, I lost a lot of time.
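The same comparison can be made without a forensic tool: read the file's MFT record straight from the physical drive, parse the last-access FILETIME out of $STANDARD_INFORMATION, and set it beside the value the file-system API reports. The script below is an added example, not code from the original post or from FTK Imager/Autopsy. It assumes a Windows host with administrator rights (raw device reads and the NTFS file ID in st_ino need both), that the volume's partition offset is known (for example from Get-Partition, "Offset" column), and that the file's MFT record lies in the first extent of $MFT, which holds low-numbered records; the path F:\Dragonfly.jpg, \\.\PhysicalDrive2 and the offset in the main block are placeholders. Run the raw read before anything opens F:, since that is exactly the step the post shows disturbing the on-disk value.

```python
r"""Compare the NTFS last-access timestamp the file-system API reports with the
value actually stored in $STANDARD_INFORMATION on disk, read straight from the
physical drive (\\.\PhysicalDriveN) so the mounted volume F: is never opened.

Added example, not code from the original post. Assumptions are marked."""
import os
import struct
from datetime import datetime, timedelta, timezone

STD_INFO = 0x10           # $STANDARD_INFORMATION attribute type
END_MARKER = 0xFFFFFFFF   # terminates the attribute list in a FILE record
SECTOR = 512              # NTFS applies update-sequence fixups per 512 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(record):
    """Undo the update sequence array (USA). On disk the last two bytes of every
    512-byte sector hold the update sequence number (USN); the bytes they
    displaced are stored in the USA right after the record header."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt FILE record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_last_access(record):
    """Walk the attributes of a FILE record and return the last-access time
    stored in $STANDARD_INFORMATION (offset 0x18 of its resident body)."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            raise ValueError("no $STANDARD_INFORMATION attribute")
        if atype == STD_INFO:
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            accessed = struct.unpack_from("<Q", rec, body + 0x18)[0]
            return filetime_to_datetime(accessed)
        off += alen


def read_mft_record(device, partition_offset, record_no):
    """Read FILE record `record_no` from the raw device, bypassing the mounted
    volume. Assumption: the record lies in the first extent of $MFT (true for
    low record numbers; others need the $MFT $DATA run list). Reads are
    512-byte aligned, which raw device handles require (4Kn disks need 4096)."""
    with open(device, "rb", buffering=0) as f:
        f.seek(partition_offset)
        boot = f.read(SECTOR)
        if boot[3:11] != b"NTFS    ":
            raise ValueError("no NTFS boot sector at that offset")
        bps, spc = struct.unpack_from("<HB", boot, 0x0B)
        mft_lcn = struct.unpack_from("<Q", boot, 0x30)[0]
        cpr = struct.unpack_from("<b", boot, 0x40)[0]   # clusters per FILE record
        rec_size = (1 << -cpr) if cpr < 0 else cpr * spc * bps
        f.seek(partition_offset + mft_lcn * spc * bps + record_no * rec_size)
        return f.read(rec_size)


def compare_last_access(path, device, partition_offset):
    """Return (value reported by the OS, value in $SI on disk) for `path`.
    os.stat opens the file for attribute access only, so it does not itself
    count as an access. On Windows st_ino is the 64-bit NTFS file ID; its low
    48 bits are the MFT record number."""
    st = os.stat(path)
    reported = datetime.fromtimestamp(st.st_atime, timezone.utc)
    record_no = st.st_ino & 0xFFFFFFFFFFFF
    on_disk = parse_last_access(read_mft_record(device, partition_offset, record_no))
    return reported, on_disk


def build_sample_record(accessed_ft, record_no=42):
    """Constructed 1024-byte FILE record in on-disk form (sample data, not from
    a real volume): USN 0x0001 planted at both sector ends, displaced words in
    the USA, a 48-byte $STANDARD_INFORMATION, then the end marker."""
    si_body = struct.pack("<QQQQI", 0x1000, 0x2000, 0x3000, accessed_ft, 0x20) + bytes(12)
    si_attr = struct.pack("<IIBBHHHIHBB", STD_INFO, 0x18 + len(si_body), 0, 0, 0, 0, 0,
                          len(si_body), 0x18, 0, 0) + si_body
    attrs = si_attr + struct.pack("<I", END_MARKER) + bytes(4)
    usa = struct.pack("<HHH", 0x0001, 0xAAAA, 0xBBBB)   # USN, then the two saved words
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                         0x38 + len(attrs), 1024, 0, 2, 0, record_no)
    rec = bytearray(header + usa + bytes(2) + attrs)
    rec += bytes(1024 - len(rec))
    rec[510:512] = rec[1022:1024] = usa[:2]             # what a raw read sees
    return bytes(rec)


if __name__ == "__main__":
    # Placeholders: PARTITION_OFFSET comes from Get-Partition ("Offset" column)
    # for the F: volume on disk 2; adjust path and device for your setup.
    PARTITION_OFFSET = 0x100000
    reported, on_disk = compare_last_access(r"F:\Dragonfly.jpg", r"\\.\PhysicalDrive2",
                                            PARTITION_OFFSET)
    print("reported by API:", reported)
    print("stored on disk :", on_disk)
```

If the two values differ, the API is showing you the in-memory timestamp while the $SI value on disk is still the old one; that gap is what "Local Drive F:" hides and "PHYSICALDRIVE" exposes. The fixup check in apply_fixups matters on a live disk: a record caught mid-write fails the USN comparison rather than yielding a plausible but wrong timestamp.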
Verification environment: Windows 10 1803
Reference URL:
@port139 @HECFBlog
— Maxim Suhanov (@errno_fail) December 11, 2018
So, the NTFS driver keeps two last access timestamps in memory (for each file): the real one and the shadow one. The real one corresponds to the timestamp on a disk (in the $SI attribute). The shadow one has no corresponding timestamp on a disk. 1/6 #DFIR