WTF is Microsoft doing with the Last Access Timestamp on Vista?

I recently discovered that Microsoft destroyed a most valuable digital forensics evidence source on NTFS filesystems with Vista. The default value of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate is now “1”, which means no last access timestamp will be written at all. On Windows XP and Windows 2000 the key was “0” by default. Microsoft did it most likely for performance reasons and made investigators instantly half blind with this silly decision. Well, now the computer forensics tool vendors have to dig deeper into NTFS TxF. Me too.
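As an added example (not from the original post), the following PowerShell snippet reads the key the post names and then checks the behaviour directly: it creates a probe file, reads it, and reports whether its LastAccessTime moved. The key path and the 0/1 meanings are those given in the post; the probe file name is an assumption and reading HKLM needs no elevation.

```powershell
# Added example, not part of the original post.
# 1) Read the value the post talks about (0 = updates on, 1 = updates off).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name = 'NtfsDisableLastAccessUpdate'

$val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $val) {
    Write-Output "$name is not set; NTFS falls back to its built-in default"
} elseif ($val -eq 1) {
    Write-Output "$name = 1 : last access updates DISABLED (the Vista default the post describes)"
} elseif ($val -eq 0) {
    Write-Output "$name = 0 : last access updates ENABLED (the XP/2000 default the post describes)"
} else {
    # Anything else is outside the 0/1 semantics discussed in the post.
    Write-Output ("$name = 0x{0:X} : value not covered by the 0/1 meaning discussed here" -f $val)
}

# 2) Behavioural check: does a plain read move the file's last access timestamp?
#    The probe file name is an assumption; %TEMP% normally sits on the NTFS system volume.
$probe = Join-Path $env:TEMP 'lastaccess-probe.txt'
'probe' | Set-Content -Path $probe
$before = (Get-Item -Path $probe).LastAccessTime

Start-Sleep -Seconds 2
Get-Content -Path $probe | Out-Null          # the read that should, if enabled, touch the timestamp
$after = (Get-Item -Path $probe).LastAccessTime
Remove-Item -Path $probe

if ($after -gt $before) {
    Write-Output "LastAccessTime advanced from $before to $after : updates are effective"
} else {
    # Unchanged is what you see with the setting at 1; NTFS can also defer the update,
    # so treat this as consistent with 'disabled' rather than as proof of it.
    Write-Output "LastAccessTime unchanged ($before) : consistent with updates being disabled"
}
```

Run it once on an XP box and once on a Vista box to see the difference the post complains about; the registry read alone tells you what an acquired image's last access timestamps are worth before you spend time on them.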

[Screenshot: Vista registry editor showing NtfsDisableLastAccessUpdate]
