WTF is Microsoft doing with the Last Access Timestamp on Vista?
I recently discovered, that Microsoft destroyed a most valuable digital forensics evidence source on NTFS filesystems with Vista. The default registry key value for HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet \ Control\FileSystem\NtfsDisableLastAccessUpdate is now „1“, which means no last access timestamp will be written at all. On Windows XP and Windows 2000