WTF is Microsoft doing with the Last Access Timestamp on Vista?

I recently discovered that Microsoft destroyed a most valuable digital forensics evidence source on NTFS filesystems with Vista. The default registry key value for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate is now “1”, which means no last access timestamp will be written at all. On Windows XP and Windows 2000 the key was “0” by default. Microsoft likely did it for performance reasons and made the investigators instantly half blind with this silly decision. Well, now the computer forensics tool vendors have to dig deeper into NTFS TxF. Me too.

Registry Screenshot Vista LastAccessUpdate


