I recently discovered, that Microsoft destroyed a most valuable digital forensics evidence source on NTFS filesystems with Vista. The default registry key value for HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet \ Control\FileSystem\NtfsDisableLastAccessUpdate is now “1″, which means no last access timestamp will be written at all. On Windows XP and Windows 2000
geschonneck.com
This is the private security page of Alexander Geschonneck (Berlin, Germany).
WTF is Microsoft doing with the Last Access Timestamp on Vista?
«
20 November 2007 |
8:52 |
Forensics, Stories |
2 Comments | 1,512 Views
»
-
© 2003-2012 Alexander Geschonneck.
Feel free to contact
me for comments. - RT @fholzhauer: Honeypot spielt mit Scriptkiddie: http://t.co/4bcM51ws…
- Da hilft wohl ein MacOS Forensics Training. Ich hätte da einen Tipp. http://t.co/0UFzbTU3 #yam
- RT @0x41414141: Release of our Cisco Incident Response (CIR) tool as open source under GPLv3:...
- RT @markrussinovich: We're waking up: FBI Director says to Congress that cyberthreat surpassing physical terrorism threat...
- RT @sansforensics: Passware Contributes to Mac Forensics by Decrypting FileVault http://t.co/SEn1U3f3
