[unisog] Do Windows file access, file mod, file create timestamps lie?
John H. Sawyer
jsawyer at ufl.edu
Sun Sep 16 02:52:26 GMT 2007
I hate to respond to my own messages, but thought I should provide
links to back up my previous statements. The first is about how NTFS
works and tells why the last access time may be up to an hour off.
The second is a link to the registry key that turns off last access times
to speed up the filesystem, because the action of reading a file would
actually cause a write to the filesystem since it has to update the
timestamp. In Vista, the key is present and set to 1 to turn off
updates. If you've got any XP and Vista systems, compare them and
you'll see.
How NTFS Works
http://technet2.microsoft.com/windowsserver/en/library/8cc5891d-bf8e-4164-862d-dac5418c59481033.mspx
NtfsDisableLastAccessUpdate
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/46656.mspx
I believe this is common knowledge amongst forensic people and may
have just not filtered out to the rest of the security folks out
there, but I'm not sure.
-jhs
On Sep 14, 2007, at 8:48 PM, John H. Sawyer wrote:
> Assuming that you're dealing strictly with NTFS, the last access time
> resolution is 1 hour, meaning that it may not be updated for up to one
> hour after the access has occurred. In Vista, the last access time is
> disabled through a registry key to speed up filesystem performance.
>
> -jhs
> --
> John H. Sawyer
> IT Senior Security Engineer
> University of Florida - IT Security Team
> 352.392.2061 - jsawyer at ufl.edu - infosec.ufl.edu
>
>
>
> On Sep 14, 2007, at 6:14 PM, marchany at vt.edu wrote:
>
>> One of the guys in my group tried to post to the list but got a failure.
>> Apologies if this is a duplicate. It's a question that's bothering us and
>> we're trying to see how this impacts us in a forensic investigation.
>>
>> --------------------------------From Brad Tilley-------------------
>>
>> In an effort to monitor access to files that might contain sensitive
>> data, we've been experimenting with Windows timestamps. We have found
>> that timestamps do not change when the files are viewed, printed or
>> copied (basic file reads). We wrote some scripts to monitor the
>> timestamps while various read access was occurring. Below are the
>> results... perhaps we're way off base here and there is a simple
>> explanation for this, but if timestamps on Windows are really as
>> indifferent as they seem to be to reads, we're wondering how or if we
>> can rely on them. Any input or feedback is welcome... Brad
>>
>> Please note the win32file.GetFileAttributesEx() function is four hours
>> (19:00) ahead while the python os.stat() function has the correct
>> (15:00) time.
>>
>> ---------------------------------------
>>
>> Created a zero byte text file named 'wup.txt' 09/14/07 15:09:39
>>
>> (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>> 09/14/07 15:09:39 Create
>> 09/14/07 15:09:39 Modify
>> 09/14/07 15:09:39 Access
>> 0 Bytes
>>
>> (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
>> <PyTime:9/14/2007 7:09:39 PM, 0)
>> 09/14/07 19:09:39 win32 Create
>> 09/14/07 19:09:39 win32 Modify
>> 09/14/07 19:09:39 win32 Access
>> 0 Bytes
>>
>> ------------------------------------------
>>
>> Opened 'wup.txt' in Notepad, viewed it, then closed 09/14/07 15:14:38
>>
>> (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>> 09/14/07 15:09:39 Create
>> 09/14/07 15:09:39 Modify
>> 09/14/07 15:09:39 Access
>> 0 Bytes
>>
>> (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
>> <PyTime:9/14/2007 7:09:39 PM, 0)
>> 09/14/07 19:09:39 win32 Create
>> 09/14/07 19:09:39 win32 Modify
>> 09/14/07 19:09:39 win32 Access
>> 0 Bytes
>>
>> ------------------------------------------
>>
>> Opened 'wup.txt' in Wordpad, viewed it, then closed 09/14/07 15:17:04
>>
>> (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>> 09/14/07 15:09:39 Create
>> 09/14/07 15:09:39 Modify
>> 09/14/07 15:09:39 Access
>> 0 Bytes
>>
>> (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
>> <PyTime:9/14/2007 7:09:39 PM, 0)
>> 09/14/07 19:09:39 win32 Create
>> 09/14/07 19:09:39 win32 Modify
>> 09/14/07 19:09:39 win32 Access
>> 0 Bytes
>>
>> ------------------------------------------
>>
>> I printed 'wup.txt' from Wordpad to a printer 09/14/07 15:20:09
>>
>> (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>> 09/14/07 15:09:39 Create
>> 09/14/07 15:09:39 Modify
>> 09/14/07 15:09:39 Access
>> 0 Bytes
>>
>> (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
>> <PyTime:9/14/2007 7:09:39 PM, 0)
>> 09/14/07 19:09:39 win32 Create
>> 09/14/07 19:09:39 win32 Modify
>> 09/14/07 19:09:39 win32 Access
>> 0 Bytes
>>
>> ------------------------------------------
>>
>> I copied 'wup.txt' to 'Copy of wup.txt' 09/14/07 15:24:07
>>
>> (33206, 0L, 2, 1, 0, 0, 0L, 1189796979, 1189796979, 1189796979)
>> 09/14/07 15:09:39 Create
>> 09/14/07 15:09:39 Modify
>> 09/14/07 15:09:39 Access
>> 0 Bytes
>>
>> (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:09:39 PM,
>> <PyTime:9/14/2007 7:09:39 PM, 0)
>> 09/14/07 19:09:39 win32 Create
>> 09/14/07 19:09:39 win32 Modify
>> 09/14/07 19:09:39 win32 Access
>> 0 Bytes
>>
>> ------------------------------------------
>>
>> I typed 'Brad' into the 'wup.txt' file 09/14/07 15:25:13
>>
>> (33206, 0L, 2, 1, 0, 0, 4L, 1189797892, 1189797892, 1189796979)
>> 09/14/07 15:09:39 Create
>> 09/14/07 15:24:52 Modify
>> 09/14/07 15:24:52 Access
>> 4 Bytes
>>
>> (32, <PyTime:9/14/2007 7:09:39 PM, <PyTime:9/14/2007 7:24:52 PM,
>> <PyTime:9/14/2007 7:24:52 PM, 4)
>> 09/14/07 19:09:39 win32 Create
>> 09/14/07 19:24:52 win32 Modify
>> 09/14/07 19:24:52 win32 Access
>> 4 Bytes
>>
>> ------------------------------------------
>>
>> Randy Marchany (for Brad Tilley)
>> VA Tech IT Security Office.
>>
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>>
>
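Added example, not code from any of the posts above. It puts the two points of the thread into a small Python triage helper: the one-hour last-access rule John cites from "How NTFS Works" (modelled here as "a read only moves the recorded access time when it is an hour or more later than the stored value"; that rule, the `brad_timeline()` data and the `replay()` walk are constructed from the posted output, not taken from Microsoft's documentation), and the four-hour gap in Brad's output, which is UTC (FILETIME values from GetFileAttributesEx) against local time (the way his script rendered os.stat), assuming his host was on UTC-4. The raw value 1189796979 in his output is 2007-09-14 19:09:39 UTC, which the first function shows. The registry reader only runs on Windows and only tests for the value 1 mentioned in the thread.

```python
"""Timestamp triage helpers for the two points raised in this thread.

Added example; not code from any of the posts above. Assumptions:
  * a last-access update is only committed when the new access is an hour
    or more after the stored value (model of the thread's one-hour claim);
  * the 4-hour gap in Brad's output is UTC (FILETIME) versus local time,
    with his host on UTC-4.
"""
import datetime as dt
import sys

ONE_HOUR = dt.timedelta(hours=1)
FMT = "%m/%d/%y %H:%M:%S"  # same layout Brad's script printed


def epoch_to_utc_and_local(epoch, local_offset_hours):
    """Render a raw st_atime/st_mtime epoch both ways.

    The offset is passed in rather than read from the machine so the
    result is reproducible on a host other than the one examined.
    """
    utc = dt.datetime.fromtimestamp(epoch, dt.timezone.utc)
    local = utc + dt.timedelta(hours=local_offset_hours)
    return utc.strftime(FMT), local.strftime(FMT)


def atime_after_read(stored, read_at, updates_disabled=False):
    """Model of the last-access rule discussed in the thread.

    stored:           access time currently held for the file
    read_at:          when the read (view/print/copy) happened
    updates_disabled: NtfsDisableLastAccessUpdate set (the Vista default
                      John describes); reads then never touch the atime
    Returns the access time you would expect to see afterwards.
    """
    if updates_disabled:
        return stored
    if read_at - stored >= ONE_HOUR:
        return read_at
    return stored  # within the hour: nothing committed, looks untouched


def replay(created, events, updates_disabled=False):
    """Walk (when, kind) events, kind in {'read', 'write'}, and return the
    final (mtime, atime). A write updates both timestamps."""
    mtime = atime = created
    for when, kind in sorted(events):
        if kind == "write":
            mtime = atime = when
        else:
            atime = atime_after_read(atime, when, updates_disabled)
    return mtime, atime


def brad_timeline():
    """Constructed from the timeline Brad posted (local clock, UTC-4)."""
    t = lambda h, m, s: dt.datetime(2007, 9, 14, h, m, s)
    created = t(15, 9, 39)
    events = [
        (t(15, 14, 38), "read"),   # Notepad view
        (t(15, 17, 4), "read"),    # Wordpad view
        (t(15, 20, 9), "read"),    # print
        (t(15, 24, 7), "read"),    # copy
        (t(15, 24, 52), "write"),  # typed 'Brad' into the file
    ]
    return created, events


def last_access_updates_disabled():
    """Read NtfsDisableLastAccessUpdate from the registry (Windows only).

    None off Windows; False when the value is absent (updates on, the XP
    default); True when it is 1, as John describes for Vista.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    path = r"SYSTEM\CurrentControlSet\Control\FileSystem"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")
    except OSError:
        return False
    return value == 1


if __name__ == "__main__":
    created, events = brad_timeline()
    print("raw epoch 1189796979 ->", epoch_to_utc_and_local(1189796979, -4))
    print("replay, updates on  ->", replay(created, events))
    print("replay, updates off ->", replay(created, events, True))
    print("registry says disabled:", last_access_updates_disabled())
```

Replaying Brad's timeline gives the same result whether or not last-access updates are disabled: every read fell within an hour of the file's creation, so his experiment cannot distinguish "updates delayed" from "updates turned off". Reading the registry value, or repeating the test with reads spaced more than an hour apart, is what separates the two.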