[unisog] Do Windows file access, file mod, file create timestamps lie?
H. Morrow Long
morrow.long at yale.edu
Sun Sep 16 22:37:45 GMT 2007
On Sep 16, 2007, at 5:13 PM, Mike Lococo wrote:
> What do you make of this line:
>
> "File-based queries of Last Access Time are accurate even if
> all on-disk values are not current. NTFS returns the correct
> value on queries because the accurate value is stored in memory."
>
> My reading of it (and my gut-instinct about how things _should_ work) is
> that one should never see the stale last access times unless one is
> somehow doing raw disk reads or is examining a filesystem that wasn't
> unmounted cleanly.
Sounds like the updated last access time is changed in in-memory disk
buffers (cached) first and only written out to disk when a periodic NT
version of a sync() ("dirty" disk buffers flushed --actually written--
out to disk) is done. Is this true?
- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS