Anti-Forensics

Requirements

Administrator account

Windows XP

Command Summary

1. Login as Administrator
2. Open a command prompt
3. Enter the command: fsutil behavior set disablelastaccess 1
4. Restart computer

Purpose

I’ll come right out and say that this is definitely not a strong anti-forensic technique but it can be helpful. Most forensic examiners already know they can’t rely heavily on lastaccess timestamps. One major reason is that anti-malware and anti-virus software updates the lastaccess time on files as it examines them.

Windows Vista has disabled lastaccess times by default. This may make it a little harder for a forensics examiner to figure out what exactly was being accessed during specific times. Windows XP, as you know, does in fact update the lastaccess timestamp when a file is accessed on a volume that is writable.

To get an idea of how this timestamp works, create a text file on your desktop. Right-click it and view file properties.

Now, check out the Accessed timestamp, close the file and re-open it. Then right-click the file and view properties again to see that the Accessed (LastAccess) timestamp has been updated.

So how do you stop Windows XP from updating the LastAccess timestamp on all files?

At a command prompt type:

fsutil behavior set disablelastaccess 1

You must then restart your computer for the changes to take effect. All newly created files will retain a lastaccess timestamp that equals the file creation timestamp. All previous files will retain the lastaccess timestamp that they had previously.

There are some potential side-effects to doing this. Such as backup software that relies on the lastaccess date and time of a file may not work properly. Also, since this option is not set by default in Windows XP it could raise questions as to why you disabled the lastaccess timestamp (if the examiner even realizes this).

The Fsutil command is used to perform tasks related to FAT and NTFS file systems and is a very powerful command.