The two dates which most often cause confusion, for those starting out in computer forensics or a little rusty with EnCase, are “Entry Modified” and “Last Written”. The Entry Modified date is covered in a different article; the Last Written date is covered below.
A video showing the recovery of dates from within the MFT is available here.
What does the “Last Written” date mean in EnCase
The Last Written date field in EnCase indicates the date the file was last modified. This should not be confused with the access date, which is when the file was last opened, or the Entry Modified date, which is when the MFT entry for the file is modified.
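To see where these dates sit on disk, the following added example (not from the original article and not EnCase code) reads the four timestamps of the $STANDARD_INFORMATION attribute from an MFT record and labels them with the EnCase column names. The function names are hypothetical and the sample record is constructed; the update sequence (fixup) is not applied because the timestamps sit well before the end of the first sector.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# On-disk order of the $STANDARD_INFORMATION timestamps, with EnCase column names.
SI_FIELDS = ("File Created", "Last Written", "Entry Modified", "Last Accessed")

def filetime_to_utc(ft):
    """A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):  # inverse helper, used only to build the sample record
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_standard_information(record):
    """Return the four $STANDARD_INFORMATION dates of one MFT FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while offset + 0x18 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == 0xFFFFFFFF or attr_len == 0:  # end marker or corrupt length
            break
        if attr_type == 0x10 and record[offset + 8] == 0:  # resident $STANDARD_INFORMATION
            content = offset + struct.unpack_from("<H", record, offset + 0x14)[0]
            stamps = struct.unpack_from("<4Q", record, content)
            return {name: filetime_to_utc(v) for name, v in zip(SI_FIELDS, stamps)}
        offset += attr_len
    raise ValueError("$STANDARD_INFORMATION not found")

def build_sample_record():
    """Constructed 1024-byte record: header, one resident attribute, end marker."""
    utc = timezone.utc
    dates = [datetime(2012, 3, 1, 9, 0, tzinfo=utc),    # file created
             datetime(2012, 3, 5, 14, 30, tzinfo=utc),  # content last written
             datetime(2012, 3, 7, 8, 15, tzinfo=utc),   # MFT entry modified
             datetime(2012, 3, 9, 11, 45, tzinfo=utc)]  # last accessed
    content = struct.pack("<4Q", *map(to_filetime, dates)) + bytes(16)
    attr = struct.pack("<IIBBHHHIHH", 0x10, 0x18 + len(content), 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0) + content
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)
    return (bytes(header) + attr + struct.pack("<I", 0xFFFFFFFF)).ljust(1024, b"\0")

if __name__ == "__main__":
    for name, when in parse_standard_information(build_sample_record()).items():
        print(f"{name:15} {when.isoformat()}")
```

The values are stored in UTC, so a tool or Explorer window set to a local time zone will display them shifted by that zone's offset.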
The Last Written date is the same as the “Date Modified” shown in Windows Explorer. The two screenshots below show the same file: one seen through EnCase, the other through Windows Explorer.