Saturday, November 11, 2006

OMG! So says Chicken Little...

I got wind of a post over on the SecurityFocus Forensics list...yes, I still drop by there from time to time, don't hate me for that. Someone posted a couple of days ago about a Registry key in Vista, specifically, a value named "NtfsDisableLastAccessUpdate". Actually, the post was a link to/excerpt from the Filing Cabinet blog. The idea is that this entry allows the admin to optimize a Windows system, as if the setting is enabled (you can do it through fsutil on XP and 2003), then file last access times won't be updated when files are accessed, eliminating that "extra" disk I/O. This is really only an issue on high-volume file servers.

The SF post then ends with "In case this is of value in the forensics of Vista".

Well, not to put too fine a point on it, but "duh!" Even though NTFS last access times are known to have a granularity of about an hour, disabling the ability to track such things takes away one of the tools used by forensic investigators. And even though this functionality is enabled by default on Vista (I'm looking at RC1), it's just one tool. For example, Vista still tracks the user's access to programs via the shell in the UserAssist keys.

In my new book, I recommend checking this value during IR activities, and I also recommend that if forensic investigators find this functionality enabled, then check the LastWrite time on the Registry key to get the date that may correlate to when that change was made to the system. The change can be made through RegEdit or the fsutil application. The fsutil application is not a GUI that is accessed through the shell, so its use won't be tracked via the UserAssist key (although on XP, you may see a reference to fsutil.exe in the Prefetch folder). However, if the change is made, a reboot is required for the change to take effect, so the last access time on the fsutil.exe file (in the system32 directory) may give you an idea of when the change was made, and you may then be able to determine via other logs who made the modification.


Anonymous said...

Are you going to publish a new book?

Keydet89 said...

I'm working on it...due out in the spring.

Anonymous said...

Is it the second edition of "Windows Forensics and Incident Recovery" or a complete new one? I really enjoyed this one :)

Keydet89 said...

New publisher, new WFIR, but more technical, and with more stuff (code, files, detail, etc.)

Thanks for the comments about the book...whoever you are. ;-)

John said...

"And even though this functionality is enabled by default...".

I presume you mean that the registry entry has a 1 in it, meaning that the LastAccessUpdate is in fact disabled. It would take a user to turn it on which is very unlikely IMO.

FYI: The entry has a value of 1 in RTM.

Keydet89 said...


I presume you mean that the registry entry has a 1 in it, meaning that the LastAccessUpdate is in fact disabled

If you follow the link I provided in my blog post, you'll see what Microsoft says about a setting of 1 for that value. If the value is set to 1, NTFS does not update the last-access timestamp of a file when that file is opened.

Thanks for reading the blog and for commenting.