twjolson wrote:
That logs changes. But the original question asked about last access times. If a file was accessed, but not changed, why would it be in the $UsnJrnl file?
I didn't say that it would be...remember, I said these are possibilities. Given the nature of the original question, I was offering up a possibility, in case there was more than just an access to the file.
twjolson wrote:
To clarify my post a little. Computers are so 'busy', as you well know. Even if the poster found an executable that was launched at the same time, or near, the file in question, I would be hesitant to ever say that one caused the other. Windows has many, many processes going on, and you could never say that any particular one (with some caveats) accessed a particular file.
Agreed. Like I said, "possibilities".
twjolson wrote:
You could theorize, of course, but coming up with theories is easy (and kind of pointless in our profession).
Of course...if that is all that is done. However, there is considerable value in proving or disproving those theories in order to further your examination.