Forensics: What does “Last Written” mean in EnCase?

EnCase, one of the most popular forensic tools, can display a variety of dates, including created, written, and accessed.

The two dates that most often cause confusion, for those starting out in computer forensics or a little rusty with EnCase, are “Entry Modified” and “Last Written”. The Entry Modified date is covered in a different article; the Last Written date is covered below.

A video showing the recovery of dates from within the MFT is available here

What does the “Last Written” date mean in EnCase?

The Last Written date field in EnCase indicates the date the file was last modified. This should not be confused with the accessed date, which is when the file was last opened, or the Entry Modified date, which is when the MFT entry for the file was last modified.
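To make the distinction between these dates concrete, the following added example (not part of the original article, and not EnCase code) decodes the four timestamps held in the $STANDARD_INFORMATION attribute of an NTFS MFT record. The record is constructed inline, the field labels follow the EnCase column names, and the function names are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# On-disk order of the four FILETIMEs in $STANDARD_INFORMATION,
# labelled with the EnCase column names.
SI_FIELDS = ("File Created", "Last Written", "Entry Modified", "Last Accessed")

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def si_timestamps(record):
    """Find the resident $STANDARD_INFORMATION attribute and decode its dates.
    Assumes update-sequence fixups were already applied to the record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]      # first attribute
    while offset + 0x18 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == 0xFFFFFFFF or attr_len == 0:         # end of attributes
            break
        if attr_type == 0x10 and record[offset + 8] == 0:    # 0x10 = $SI, resident
            content = offset + struct.unpack_from("<H", record, offset + 0x14)[0]
            values = struct.unpack_from("<4Q", record, content)
            return dict(zip(SI_FIELDS, map(filetime_to_utc, values)))
        offset += attr_len
    raise ValueError("$STANDARD_INFORMATION not found")

def build_sample_record():
    """Constructed record: content last written in March, entry touched in April."""
    utc = timezone.utc
    dates = (datetime(2012, 1, 5, 8, 0, tzinfo=utc),      # File Created
             datetime(2012, 3, 14, 9, 30, tzinfo=utc),    # Last Written
             datetime(2012, 4, 2, 16, 45, tzinfo=utc),    # Entry Modified
             datetime(2012, 4, 2, 16, 45, tzinfo=utc))    # Last Accessed
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)            # offset of first attribute
    content = struct.pack("<4Q", *map(utc_to_filetime, dates)) + bytes(16)
    attr = struct.pack("<IIBBHHHIHBB", 0x10, 0x18 + len(content), 0, 0, 0, 0, 0,
                       len(content), 0x18, 0, 0)
    return bytes(header) + attr + content + struct.pack("<I", 0xFFFFFFFF)

if __name__ == "__main__":
    for name, when in si_timestamps(build_sample_record()).items():
        print(f"{name:15} {when:%Y-%m-%d %H:%M:%S} UTC")
```

The values are stored in UTC; a viewer may display them shifted to the examiner's or the suspect machine's time zone.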

The Last Written date is the same as the “Date Modified” shown in Windows Explorer. The two screenshots below show the same file: one seen through EnCase, the other through Windows Explorer.

Date Modified: Shown in Windows Explorer


Last Written Date: Shown in EnCase


4 Responses to “Forensics: What does “Last Written” mean in EnCase?”

  1. Forensics: What is the $MFT? « Data – Where is it? Says:

    […] Date, Entry Modified Date, Accessed Date and Last Written Date, in the StandardInformation […]

  2. suma Says:

    What if entry modified date differs from last access date?

  3. suma Says:

    What inference can one draw if the MFT entry modified date differs from last access date?

  4. suma Says:

    Can anybody alter MFT entry modified date and how?

