[unisog] Do Windows file access, file mod, file create timestamps lie?
Brian Eckman
eckman at umn.edu
Mon Sep 17 15:06:20 GMT 2007
John H. Sawyer wrote:
> I hate to respond to my own messages, but thought I should provide
> links to backup my previous statements. The first is about how NTFS
> works and tells why the last access time may be up to an hour off.
> The second is a link to the registry that turns off last access times
> to speed up the filesystem because the action of reading a file would
> actually cause a write to the filesystem since it has to update the
> timestamp. In Vista, the key is present and set to 1 to turn off
> updates. If you've got any XP and Vista systems, compare them and
> you'll see.
>
> How NTFS Works
> http://technet2.microsoft.com/windowsserver/en/library/8cc5891d-bf8e-4164-862d-dac5418c59481033.mspx
>
> NtfsDisableLastAccessUpdate
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/46656.mspx
>
> I believe this is common knowledge amongst forensic people and may
> have just not filtered out to the rest of the security folks out
> there, but I'm not sure.
>
> -jhs
John,
The URL you posted about the NtfsDisableLastAccessUpdate registry key
states that it "determines whether NTFS updates the last-access
timestamp on each directory when it lists the directories on an NTFS
volume". As a forensic investigator, this sounds to me like a desired
setting. In my opinion, viewing the contents of a directory is not
"accessing" a file, and therefore should not be updating that timestamp.
The article does not state that this registry setting prevents the Last
Accessed timestamp from being updated when the file is opened. However,
it appears, at least in Windows Vista (and likely Server 2003), that it
does prevent the timestamp from changing when the file is opened for
viewing.
To verify this, I used my Windows Vista Enterprise system (with NTFS
filesystem on all volumes). I opened a text file, then closed it, and
checked the Last Accessed timestamp. It was sometime on July 9th. I
modified that registry key (set it to 0), then did the same. It was
still July 9th. I rebooted, and checked the Last Accessed timestamp
before opening the file - it was still July 9th. I then opened and
closed the file, and the timestamp was indeed updated to that second. I
then opened and closed it again, and the timestamp remained the same as
before - a few minutes earlier (which, as this thread has shown, is
expected, as it was well less than an hour later).
Anyhow, I found a URL that more accurately explains the behavior of this
registry setting, at least on Windows Vista and Server 2003 computers
(and likely others). It's
http://technet2.microsoft.com/windowsserver/en/library/80dc5066-7f13-4ac3-8da8-48ebd60b44471033.mspx
Thanks,
Brian
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
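The manual check Brian describes (read the NtfsDisableLastAccessUpdate value, note a file's Last Accessed timestamp, open and close the file, compare) can be scripted so an investigator can repeat it on a workstation before trusting last-access times as evidence. The following PowerShell is an added example written for this archive page, not code from the thread or from Microsoft; it assumes PowerShell 5.1 or later on an NTFS volume, only reads the registry (it never changes the key, which the thread shows needs a reboot to take effect), and the file path passed to Test-LastAccessUpdate is a placeholder you supply.

```powershell
# Added example: inspect the NtfsDisableLastAccessUpdate policy and observe
# whether reading a file changes its LastAccessTime. Read-only; no registry writes.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ValueName = 'NtfsDisableLastAccessUpdate'

function Get-LastAccessUpdatePolicy {
    # Returns the raw DWORD and a plain-language meaning.
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) {
        return [pscustomobject]@{
            RawValue = $null
            Meaning  = 'value absent: NTFS default applies (last-access updates enabled on XP-era systems)'
        }
    }
    $raw = [int]$props.$ValueName
    $meaning = switch ($raw) {
        0 { 'last-access updates enabled (user managed)' }
        1 { 'last-access updates disabled (user managed); the Vista default the thread describes' }
        2 { 'last-access updates enabled (system managed; newer Windows 10 semantics)' }
        3 { 'last-access updates disabled (system managed; newer Windows 10 semantics)' }
        default { "unrecognised value $raw; treat last-access times as unreliable" }
    }
    [pscustomobject]@{ RawValue = $raw; Meaning = $meaning }
}

function Test-LastAccessUpdate {
    # Opens and reads one byte of $Path the way an application would, then
    # reports whether the LastAccessTime moved. $Path is caller-supplied.
    param([Parameter(Mandatory)][string]$Path)

    $before = (Get-Item -LiteralPath $Path).LastAccessTimeUtc
    $ageBeforeOpen = (Get-Date).ToUniversalTime() - $before

    $stream = [System.IO.File]::OpenRead($Path)
    try { $null = $stream.ReadByte() } finally { $stream.Dispose() }

    $after = (Get-Item -LiteralPath $Path).LastAccessTimeUtc

    [pscustomobject]@{
        Path          = $Path
        Before        = $before
        After         = $after
        Changed       = ($after -ne $before)
        AgeBeforeOpen = $ageBeforeOpen
    }
}

function Describe-LastAccessObservation {
    # Interprets one Test-LastAccessUpdate result in light of the policy and
    # the up-to-one-hour deferral the thread's "How NTFS Works" link describes.
    param([Parameter(Mandatory)]$Observation, [Parameter(Mandatory)]$Policy)

    if ($Observation.Changed) {
        return 'Last-access timestamp updated on open: updates are live on this volume.'
    }
    if ($Policy.RawValue -in 1, 3) {
        return 'No change, and the policy disables updates: do not treat last-access as an access record.'
    }
    if ($Observation.AgeBeforeOpen -lt [timespan]::FromHours(1)) {
        return 'No change, but the file was accessed under an hour ago: NTFS may defer the update, so this is expected.'
    }
    return 'No change with updates nominally enabled and a stale timestamp: re-check after a reboot, as the thread found the key only takes effect then.'
}

# Usage (replace the path with a file you are allowed to read):
$policy = Get-LastAccessUpdatePolicy
"Policy: $($policy.RawValue) => $($policy.Meaning)"
$obs = Test-LastAccessUpdate -Path 'C:\Temp\sample.txt'   # placeholder path
$obs | Format-List
Describe-LastAccessObservation -Observation $obs -Policy $policy
```

The point of the interpretation step is the one Brian hit by hand: an unchanged timestamp is only meaningful once you know both the registry policy and how recently the file was last accessed, since NTFS may skip the update when the cached value is less than an hour old. Run the check on a throwaway file rather than on evidence, because the test itself is a file access.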