Did you know that by putting your computer into "hibernation" mode you are essentially creating a snapshot of the contents of your computer's RAM? Learn the risks of using Windows Hibernation mode and how to disable the hiberfil.sys on a Windows system. Learn this anti-forensics technique and more.
This article covers the USBSTOR registry key and the setupapi.log file and methods to delete them. These two artifacts can contain data regarding USB devices that have been plugged into a system. There are other things you should be aware of as well which are covered in the article. Sometimes just deleting a registry key or file is not enough.
Requirements
- Administrator account
- Windows XP
Command Summary
- Login as Administrator
- Open a command prompt
- Enter the command:
fsutil behavior set disablelastaccess 1
- Restart computer
Purpose
I’ll come right out and say that this is definitely not a strong anti-forensic technique but it can be helpful. Most forensic examiners already know they can’t rely heavily on lastaccess timestamps. One major reason is that anti-malware and anti-virus software updates the lastaccess time on files as it examines them.
Windows Vista has disabled lastaccess times by default. This may make it a little harder for a forensics examiner to figure out what exactly was being accessed during specific times. Windows XP, as you know, does in fact update the lastaccess timestamp when a file is accessed on a volume that is writable.
To get an idea of how this timestamp works, create a text file on your desktop. Right-click it and view file properties.

Now, check out the Accessed timestamp, close the file and re-open it. Then right-click the file and view properties again to see that the Accessed (LastAccess) timestamp has been updated.
So how do you stop Windows XP from updating the LastAccess timestamp on all files?
At a command prompt type:
fsutil behavior set disablelastaccess 1
You must then restart your computer for the changes to take effect. All newly created files will retain a lastaccess timestamp that equals the file creation timestamp. All previous files will retain the lastaccess timestamp that they had previously.
There are some potential side effects to doing this. For example, backup software that relies on the lastaccess date and time of a file may not work properly. Also, since this option is not set by default in Windows XP, it could raise questions as to why you disabled the lastaccess timestamp (if the examiner even realizes this).
The Fsutil command is used to perform tasks related to FAT and NTFS file systems and is a very powerful command.
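From the examiner's side, the behaviour described above (new files keep a lastaccess time equal to their creation time) leaves a recognizable pattern in a file listing. The following is an added example, not part of the original article: the function name, the sample listing and the thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (path, Created, Accessed), as exported from a file listing.
SAMPLE = [
    (r"C:\docs\a.txt", "2009-03-01 09:00:00", "2009-03-04 10:15:00"),
    (r"C:\docs\b.txt", "2009-03-02 11:30:00", "2009-03-02 11:30:00"),  # never reopened
    (r"C:\docs\c.txt", "2009-03-05 08:00:00", "2009-03-09 17:45:00"),
    (r"C:\docs\d.txt", "2009-03-10 12:00:00", "2009-03-10 12:00:00"),
    (r"C:\docs\e.txt", "2009-03-12 14:20:00", "2009-03-12 14:20:00"),
    (r"C:\docs\f.txt", "2009-03-15 09:05:00", "2009-03-15 09:05:00"),
]


def last_access_gap(rows, tolerance=timedelta(0), min_files=3):
    """Look for the point after which no file shows a last-access update.

    Returns None, or a dict with:
      last_update - latest Accessed value that differs from its Created value
      frozen      - files created after that moment whose Accessed == Created
    """
    recs = [(p, datetime.strptime(c, FMT), datetime.strptime(a, FMT))
            for p, c, a in rows]
    # Files whose Accessed time moved away from Created were updated at least once.
    updated = [a for _, c, a in recs if abs(a - c) > tolerance]
    if not updated:
        return None  # no update ever observed, so there is no baseline to compare
    last_update = max(updated)
    # Files created later that never received an update.
    frozen = [p for p, c, a in recs
              if c > last_update and abs(a - c) <= tolerance]
    if len(frozen) < min_files:
        return None  # too few later files to call it a pattern
    return {"last_update": last_update, "frozen": frozen}


if __name__ == "__main__":
    hit = last_access_gap(SAMPLE)
    if hit:
        print("Last observed access update:", hit["last_update"])
        print("Files created afterwards with Accessed == Created:")
        for path in hit["frozen"]:
            print("  ", path)
```

A hit is only consistent with updates having been turned off; files that were created and never reopened look the same. On a live system, `fsutil behavior query disablelastaccess` reports the current setting and can confirm it.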