So – you’re working on creating a timeline for a new disk image and you’re finding that the subject accessed a large number of unrelated files in quick succession. Perhaps they were up to no good, but before utilizing this evidence to support any findings, let’s step back and think. When analyzing a timeline, if you find a number of files that were accessed in quick succession, you should immediately consider that some sort of program/process actually accessed the files and that they were probably not intentionally accessed by the subject. The usual suspects can include backup software, antivirus software, and any other software/malware that “scans” a filesystem. Of course, once you find the presence of one of these tools, you’re going to need to note it in your findings and if you would like to use accessed times in the timeline to build a case, you’re going to need to prove that the timeline was not affected by this tool. Some strategies to proving that your access times are relevant include:
- Analyzing and including the AV scan log (if available on your image) that shows that an “on-demand” scan was not running during the time in question.
- Analyzing and including a backup log (if available) that shows a backup was not running during the time in question.
- Performing and documenting searches for other automated tasks/processes that may affect the accessed time in the timeline.
It’s interesting to note that most likely due to the proliferation of “scanning tools” and thus the reduction of relevance that an access time can have in an investigation, Microsoft has decided that by default, in Windows Vista and Windows 7, that the OS does not modify the last accessed time when a file is accessed (this behavior can be modified via GPO and/or the local registry).
My personal reccomendation is that unless you have a very specific reason to use the access time to support your findings, given the active use of tools that automatically access/scan files, you may find that your results are more clear and less challengable if you do not base investigative findings on this timestamp.