[unisog] Do Windows file access, file mod, file create timestamps lie?

Wyman Miles wm63 at cornell.edu
Wed Sep 19 11:17:46 GMT 2007


> On Sep 16, 2007, at 5:13 PM, Mike Lococo wrote:
>> What do you make of this line:
>>
>>     "File-based queries of Last Access Time are accurate even if
>>     all on-disk values are not current. NTFS returns the correct
>>     value on queries because the accurate value is stored in memory.
>>
>> My reading of it (and my gut-instinct about how things _should_
>> work) is
>> that one should never see the stale last access times unless one is
>> somehow doing raw disk reads or is examining a filesystem that wasn't
>> unmounted cleanly.
>
> Sounds like the updated last access time is changed in in-memory disk
> buffers (cached) first and only written out to disk when a periodic NT
> version of a sync() ("dirty" disk buffers flushed --actually written--
> out to disk) is done. Is this true?

Now you're on to it.

NTFS atimes get written to disk under one of two conditions, barring
registry settings to the contrary -- a) when they're sufficiently stale
(the 1 hour rule) or b) when the OS has some other justification to commit
changes to the MFT.  Invariably, the latter means other metadata that
needs to be saved.

So, depending on the nature of disk activity, atimes can be spot on or
they can be off by quite a bit.

And this leads right into the debate about yank the power versus graceful
shutdown.

And this isn't just a Windows issue.  Most OS will cache atime updates for
as long as is felt safe.  The effect isn't as dramatic as NTFS, but it's
still there.  And if you want a real shocker, mount an OSX volume
read-only, root around in it, and check the timestamps.  Then umount/mount
it again and breathe easy.



>
> - H. Morrow Long, CISSP, CISM, CEH
>    University Information Security Officer
>    Director -- Information Security Office
>    Yale University, ITS
>
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog


Wyman Miles
Senior Security Engineer
Cornell University
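The two points Wyman makes above (a read may or may not advance the atime the OS reports, and the on-disk value can lag the cached one) are easy to check for yourself. The following script is an added example, not code from the original post or the list. It first probes the live system by backdating a temporary file's atime, reading it, and seeing whether the reported atime advanced; it then models the forensic uncertainty of an atime read straight from disk using the "1 hour rule" from the thread as a labelled assumption about how far the on-disk value can trail the true last access. Function names, the constant NTFS_ATIME_SLACK and the sample timestamp are this example's own.

```python
"""Probe atime-on-read behaviour and model the uncertainty of on-disk atimes.

Added example for the unisog thread on NTFS last-access times; not from the
original post. Everything below that quantifies the lag is an assumption
derived from the thread's "1 hour rule", not a statement of the NTFS spec.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Assumption drawn from the thread: NTFS may hold an updated last-access
# time in memory and defer writing it to the MFT until it is at least this
# much newer than the stored value (or other metadata forces a commit).
NTFS_ATIME_SLACK = timedelta(hours=1)

# Constructed sample: an on-disk atime as a forensic image might show it.
SAMPLE_ON_DISK_ATIME = datetime(2007, 9, 16, 17, 13, tzinfo=timezone.utc)


def probe_atime_update(age_seconds: int = 7200) -> dict:
    """Create a temp file, push its atime two hours into the past, read it,
    and report whether the OS-reported atime advanced because of the read.

    The result is system dependent (NTFS with last-access updates disabled,
    Linux noatime/relatime and similar mount options all change it), which
    is exactly what a practitioner wants to learn about the box in front of
    them. Only the OS-visible (possibly cached) value is observed here;
    raw on-disk values need a separate read of the MFT.
    """
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample content\n")
        path = f.name
    try:
        st = os.stat(path)
        past = time.time() - age_seconds
        os.utime(path, (past, st.st_mtime))  # backdate atime, keep mtime
        before = os.stat(path).st_atime
        with open(path, "rb") as f:
            f.read()  # the access whose effect we are measuring
        after = os.stat(path).st_atime
        return {"before": before, "after": after, "advanced": after > before}
    finally:
        os.remove(path)


def last_access_window(on_disk_atime: datetime, clean_unmount: bool):
    """Return (earliest, latest) bounds for the true last access, given an
    atime read from the on-disk MFT record.

    Assumption (from the thread): a clean unmount flushes cached atimes, so
    the on-disk value is exact; after a pulled plug the cached value may
    have been up to NTFS_ATIME_SLACK newer than what reached disk.
    """
    if clean_unmount:
        return on_disk_atime, on_disk_atime
    return on_disk_atime, on_disk_atime + NTFS_ATIME_SLACK


def could_have_been_accessed_at(on_disk_atime: datetime, event_time: datetime,
                                clean_unmount: bool) -> bool:
    """True if an access at event_time is consistent with the on-disk atime
    under the window model above. Accesses before the recorded atime are
    never ruled in: the recorded value is a lower bound on the last access."""
    earliest, latest = last_access_window(on_disk_atime, clean_unmount)
    return earliest <= event_time <= latest


if __name__ == "__main__":
    r = probe_atime_update()
    print("atime advanced on read:", r["advanced"])
    half_hour_later = SAMPLE_ON_DISK_ATIME + NTFS_ATIME_SLACK / 2
    for clean in (True, False):
        print("clean unmount" if clean else "unclean shutdown",
              "-> access 30 min after recorded atime possible:",
              could_have_been_accessed_at(SAMPLE_ON_DISK_ATIME,
                                          half_hour_later, clean))
```

Run it once on a freshly mounted volume and once after a lot of file activity to see the "spot on or off by quite a bit" effect in the probe; the window functions are what you would apply when an on-disk atime from an image has to be reconciled with an event time from another source.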


