Sunday, June 30, 2019

Enable "Last Access" Time Updates

If you have been in the computer forensics field since the Windows XP days or before, you probably already know that Windows had (and still has) the ability to record, for every file and folder, a timestamp of when a user last accessed it, that is, opened it for reading or writing.

For resource and performance reasons, NTFS on Windows Vista and later does not update the last access times of files and folders by default.

In one of his recent books, Investigating Windows Systems, Harlan Carvey mentions that:

"The version of Windows can impact our analysis...When files were accessed on Windows XP, the file system last accessed time was updated. However, as of Windows Vista, this functionality was disabled by default, via a Registry value. The value is named NtfsDisableLastAccessUpdate, and is found beneath the HKLM\System\CurrentControlSet\Control\FileSystem key."

In his book Mr. Carvey goes into detailed reasons for the importance of timestamps and timelines in intrusion cases. Following the passage above, he recounts a real-life case in which the last access timestamp was helpful in leading him to a malicious DLL that had been loaded via search order hijacking, found by working from last access times.

I recently finished reading Investigating Windows Systems and recommend it for those in the field of incident response, especially for sharpening the discipline that is walked through in the analysis process and in looking for key findings in Windows environments. It makes for a great read.


Link to Amazon

Carvey, H. (2018). Investigating Windows Systems. London: Academic Press, an imprint of Elsevier.


*Looking at some documentation, I noted that the default value of the NtfsDisableLastAccessUpdate key was changed in the Windows 10 version 1803 (April) edition to read =dword:80000000, and in later versions it can show as ending in 2 or 3 instead of all zeros.

Taken from the Forensixchange blog:

"The NtfsDisableLastAccessUpdate registry key can be on the default value which is: dword:80000003. This value means: System Managed, the "Last Access" updates are disabled."

Below are two methods to change the value.
*NOTE: enabling the registry key value may affect read/write performance on HD and SSD drives.

1.  Using the Windows Registry Editor (regedit), change the NtfsDisableLastAccessUpdate value under HKLM\System\CurrentControlSet\Control\FileSystem.

The default value, dword:80000000, disables Last Access times. It can also end in "3", which is likewise the disabled default.

Changing the last digit of the value to "1" enables Last Access update times for NTFS.


2.  Another method is via an elevated admin command prompt.

This "disables the disable"; a reboot is then required for the change to take effect.
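The two methods above change one DWORD and then rely on a screenshot to show the before and after. As an added example (not code from the original post), the PowerShell below reads that value directly from the registry, decodes it with the built-in fsutil command, applies the change, and re-reads it so the result can be verified before rebooting. It assumes an elevated PowerShell session; fsutil behavior query/set disablelastaccess is the documented command-line interface to the same NtfsDisableLastAccessUpdate value.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name = 'NtfsDisableLastAccessUpdate'

# Read the raw DWORD and print it in hex, the way regedit shows it.
# A registry DWORD with the high bit set comes back as a negative Int32,
# which the X8 format still renders as the familiar 8000000x form.
$raw = (Get-ItemProperty -Path $key -Name $name).$name
'Before: {0} = 0x{1:X8}' -f $name, $raw

# fsutil decodes the same value in words: 0 and 1 are user managed,
# 2 and 3 are system managed; even values mean last access updates are
# enabled, odd values mean they are disabled.
fsutil behavior query disablelastaccess

# Enable last access updates (user managed, enabled = 0).
# NTFS applies the new policy to file access only after a reboot.
fsutil behavior set disablelastaccess 0

# Re-read both views to confirm the change was actually written.
fsutil behavior query disablelastaccess
$raw = (Get-ItemProperty -Path $key -Name $name).$name
'After:  {0} = 0x{1:X8}' -f $name, $raw
```

The value of the fsutil query is that it prints the mode in words, so you can confirm what a given hex value means on the specific build you are on rather than relying on the last digit alone.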

Lastly, once the policy to update Last Access times is in place, a neat PowerShell command will recursively list file names sorted by last access time:

gci -Recurse . | select Name,LastAccessTime,PSParentPath | sort LastAccessTime
 *This can be run from a target directory and its output redirected to a text file, to sort and see recently accessed items.

The files in the listing were sample malware that I had on a test VM, but this method can help in getting a sense of a timeline for last access.
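The one-liner above is enough for a quick look. As an added example (not the post's own code), the script below extends it into a timeline artifact: it records the current last-access policy alongside the listing (so a reviewer knows whether LastAccessTime is meaningful on this system), walks only files, keeps all three NTFS timestamps in UTC, sorts on last access, exports to CSV, and then shows the gap between last write and last access, which is what separates a file that was merely written from one that was later read. $Target and $Out are assumed paths; change them for your case.

```powershell
# Added example, not from the original post. Paths below are assumptions.
$Target = 'C:\Cases\Evidence'                    # assumed directory to timeline
$Out    = 'C:\Cases\lastaccess_timeline.csv'     # assumed output file

# Record the policy in effect: if last access updates are disabled,
# LastAccessTime mostly mirrors the creation/copy time and proves little.
$policy = fsutil behavior query disablelastaccess
"Last access policy on this system: $policy"

# Enumerate files only (directories have their own access semantics).
# Reading metadata does not open the files, so the listing itself does
# not disturb the timestamps being collected.
Get-ChildItem -Path $Target -Recurse -File -Force -ErrorAction SilentlyContinue |
    Select-Object Name,
                  @{Name = 'Directory'; Expression = { $_.DirectoryName }},
                  LastAccessTimeUtc, LastWriteTimeUtc, CreationTimeUtc, Length |
    Sort-Object LastAccessTimeUtc -Descending |
    Tee-Object -Variable timeline |
    Export-Csv -Path $Out -NoTypeInformation

# Quick look: the 20 most recently accessed files and how long after the
# last write each one was accessed. A positive gap means the file was
# read (or otherwise opened) after it was last modified.
$timeline |
    Select-Object -First 20 Name, LastAccessTimeUtc, LastWriteTimeUtc,
        @{Name = 'AccessAfterWrite'; Expression = { $_.LastAccessTimeUtc - $_.LastWriteTimeUtc }} |
    Format-Table -AutoSize
```

Two caveats when reading the output: NTFS may defer writing an updated last access time to disk for up to an hour, so very recent accesses can lag, and any tool you run that opens the files (hashing, AV scans, previewers) will itself bump the timestamps once updates are enabled, so collect the listing before doing anything else with the tree.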

