The Master File Table (MFT)
While having had a recent unauthorized file access on a windows system, I had to learn a bit about the Windows file and data structure.
Taking below data into account, it's easy to find the information if looking at the fields:
Std Info Modification date
Std Info Access date
One might ask why not extending the display attributes in the windows explorer and get the same information?
True! This would in fact give the same information, BUT you would taint the first rule in forensic "not to change any information by your examination". This method still gives you that chance to look at the data and not change any timestamps. :-)
To acquire a $MFT copy, I used the "Forensic Get" from HBGary that can be downloaded here.
C:\>FGET.exe -extract c:\$Mft c:\Victims_Mft.bin
-= FGET v1.0 - Forensic Data Acquisition Utility - (c)HBGary, Inc 2010 =-
[+] Extracting File From Volume ...SUCCESS!
To dig into your $MFT table download the MFT Analayzer here.
analyzeMFT-V1-7-x86.exe -f C:\myMFT.bin -o MFTExport.csv
Will create you a csv file from your MFT-copy, to be used with excel.
|Record type||Filename #1||Std Info Creation Date||Std Info Modification date||Std Info Entry date||Std Info Entry date|
|Folder||/Users/Admin/AppData/Local/Microsoft/Windows/History||2012-03-29 16:44:24.849714||2012-03-29 16:45:23.490219||2012-03-29 16:45:23.490219||2012-03-29 16:45:23.490219|
|File||/Users/Admin/AppData/Local/Microsoft/Windows/History/test.file||2015-07-06 19:12:31.253366||2015-07-06 19:12:31.253366||2015-07-06 19:12:31.253366||2015-07-06 19:12:31.253366|