Forensics: What does “Last Written” mean in EnCase?

EnCase ,one of the most popular forensic tools, can display a variety of dates, including created, written, and accessed.

The two dates which most often cause confusion, for those starting out in computer forensics or a little rusty with EnCase, are “Entry Modified” and the “Last Written”. The Entry modified is covered in a different article, the Last Written date is covered below.

A video showing the recovery of dates from within the MFT is available here

What does the“Last Written” data mean in EnCase

The last written date field in EnCase indicates the date the file was last modified. This should not be confused with the access date, which is when the file was last opened, or the Entry Modified date – which is when the MFT for the file is modified.

The Last Written date is the same as the “Date Modified”  shown in Windows explorer. The two screen shots below show the same file; one seen through EnCase the other through Windows Explorer

Date Modified: Shown in Windows Explorer

Date Modified: Shown in Windows Explorer

Last Written Date: Shown in EnCase

Last Written Date: Shown in EnCase

Advertisements

Forensics: Why is there no “Entry Modified” Date?

EnCase can only show the entry modified date if it exists, and it only exists  for certain file systems, e.g NTFS.

FAT, for example, does not record this information.

If the Entry Modified data cannot be seen in EnCase, during a forensic examination, this is probably because it is a file system that does not support that date.

Forensics: What does “Entry Modified” mean in EnCase?

EnCase can display a variety of dates, including created, written, and accessed, one date which often causes confusion for computer forensics examiner is “Entry Modified”.

Entry Modified, in EnCase, refers to when the MFT entry for that file was last change. As the MFT entry contains a lot of information about the file, including, size, name, location on the disk, parent folder, creation date, etc, changing any one of these should also change the “Entry Modified” date. E.g renaming the file, moving the file (defragmenting – moving it on the disk, or moving it into a different folder), or increasing the file size.

Under normal circumstances any action that trips any of the other dates, created, accessed, or file modified (referred to as Last Written in EnCase), will also trip the Entry Modified date – this is  due to one of two reasons:

The action that tripped the date, e.g. renaming the file caused a change in the MFT so the Entry Modified date will be updated

Altering any of the file dates will, by definiiton, change the MFT Entry (as this is where the dates are stored). Therefore the MFT Entry is changed.