 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Windows Forum / Windows 98 / Disks / File System / May 2004last access
will right clicking a file and deleting a file be recorded as a last access >will right clicking a file and deleting a file be recorded >as a last access Since the access times are recorded in the file's directory entry, and deleting the file destroys its directory entry, then if the file is deleted, there's no place to record a "last access".  SignatureTim Slattery MS MVP(DTS) Slattery_T@bls.gov I received a forensic expert's report claiming that he can determine that some deleted files were last accessed on a particular date. The computer runs win 98. >-----Original Message----- > [quoted text clipped - 4 lines] >deleting the file destroys its directory entry, then if the file is >deleted, there's no place to record a "last access". > I received a forensic expert's report claiming that he can > determine that some deleted files were last accessed on a > particular date. The computer runs win 98. When a file is deleted in FAT/FAT32: - Clusters are marked free in the FAT - The first character of the filename in directory entry is replaced by E5h. The rest of the directory entry remains until it's overwritten, including all info; attributes, start cluster, size and creation, modified and last access date. The date of the deletion itself isn't recorded anywhere. If the file was deleted in Windows while the recycle bin wasn't emptied, then the deletion date can be retrieved by accessing the recylcle bin. -- Joep |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.