Forensics: What does “Entry Modified” mean in EnCase?

EnCase can display a variety of dates, including created, written, and accessed, one date which often causes confusion for computer forensics examiner is “Entry Modified”.

Entry Modified, in EnCase, refers to when the MFT entry for that file was last change. As the MFT entry contains a lot of information about the file, including, size, name, location on the disk, parent folder, creation date, etc, changing any one of these should also change the “Entry Modified” date. E.g renaming the file, moving the file (defragmenting – moving it on the disk, or moving it into a different folder), or increasing the file size.

Under normal circumstances any action that trips any of the other dates, created, accessed, or file modified (referred to as Last Written in EnCase), will also trip the Entry Modified date – this is  due to one of two reasons:

The action that tripped the date, e.g. renaming the file caused a change in the MFT so the Entry Modified date will be updated

Altering any of the file dates will, by definiiton, change the MFT Entry (as this is where the dates are stored). Therefore the MFT Entry is changed.


6 Responses to “Forensics: What does “Entry Modified” mean in EnCase?”

  1. Forensics: Why is there no “Entry Modified” Date? « Data - Where is it? Says:

    […] “Entry Modified” Date? Posted on April 10, 2009 by Rob EnCase can only show the entry modified date only exists for certain file systems, e.g NTFS, as not all file systems record this […]

  2. Forensics: What does “Last Written” mean in EnCase? « Data – Where is it? Says:

    […] cause confusion, for those starting out in computer forensics or a little rusty with EnCase, are “Entry Modified” and the “Last Written”. The Entry modified is covered in a different article, the […]

  3. Forensics: What is the $MFT? « Data – Where is it? Says:

    […] Date, Entry Modified Date, Accessed Date and Last Written Date, in the StandardInformation […]

    • Lanard Says:

      $MFT is windows Master File Table it stores metadata about the files on a system. The $MFT is located in the Winduws registry.

  4. ad Says:

    Would entry modified also capture when a file was deleted or would last accessed show this?

    • 585 Says:

      Deleted date is an awkward one, unless you have a deleted date from the INFO2 file (recycle bin) you can generally only infer a deletion date, i.e if was last accessed on Date X and it was known to be deleted on Date Y – it was deleted between X and Y.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: