[sleuthkit-users] Definition of “Modified Time” “Change Time” “Access Time” “Created Time”
From: Hervé Le G. <hl...@fr...> - 2014-03-04 18:24:17
Hi,

Autopsy gives four timestamps for each event name it has identified: “Modified Time”, “Change Time”, “Access Time”, “Created Time”.

I would have thought that when doing an investigation that focuses on “what happened at that particular time”, the most significant Timestamp had to be the “Access Time”, but I’m getting a bit confused now that I see, for a particular time segment that happens to be the one I’m interested in, a relatively small number of not-so-relevant events, when considering their “Access Time”, and also considering their “Modified Time” timestamps, while there’s an extremely large number of relevant events for the same time segment, seen from their “Change Time” timestamps.

Could one kind soul please give the precise definition of these four timestamps, in the Autopsy 3.0.9 context, of course.

I took a look first at the Autopsy tutorials I could find online before asking the list, but couldn’t find this information; apologies if I didn’t spot it.

Many thanks in advance,
Herve