S 4.342 Activation of the Last Access time stamp under Windows Vista and higher
Initiation responsibility: IT Security Officer
Implementation responsibility: Administrator
The NTFS file system manages three time stamps in order to track changes to the file system. These time stamps are also referred to as MAC time stamps. The term "MAC Time" in Windows stands for the Modification, Access, and Creation Time of a file in the NTFS file system.
- The Modification Time (time of last modification) is the time of the last write access to a file. This time stamp is updated when the contents of the file are changed.
- The Last Access Time (time of last access) is the time at which a file was last read or executed. This time stamp is updated whenever the metadata or the contents of the file are displayed; it does not matter whether the file is also saved or changed in some other way. If the file is opened, called, or otherwise viewed, this time stamp is updated accordingly.
- The Creation Time (time of creation) is the time at which a file is created manually or by copying an existing file.
If it is necessary when investigating a security incident (see S 1.8 Handling of security incidents) to analyse a data medium formatted with NTFS, then analysing the MAC times can help you to find out which files were read, written to, executed, or changed during the period of the suspected misuse. This can then provide information on which configuration files and/or which system files have been changed, for example to install a back door in the system. In addition, it is possible to analyse the files changed during the supposed time of the attack and, under some circumstances, determine which method was used to break into the system. By generating timelines, it is possible to fairly accurately determine the time at which a file was copied in a system and subsequently viewed or called.
In Windows Vista, Windows 7 and Windows Server 2008, automatic updating of the last access time stamp is disabled by default in the registry, because enabling it can degrade performance on an unfavourably structured file system. When creating the security concept for such a system, it is necessary to determine whether the last access time stamp should be enabled in order to facilitate the analysis of cases of misuse of the system. Performance aspects should also be considered in this evaluation. If other, equally adequate procedures for analysing misuse are available, it is not necessary to enable this function.
To enable the last access time stamp, set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to the value "0".
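The following PowerShell script is an added illustration of this step and is not part of the BSI catalogue; it assumes an elevated session and uses the registry key and value name given above.

```powershell
# Added example (not from S 4.342 itself): report the current state of the NTFS
# last access time stamp update and, when requested, enable it as described above.
# Assumes an elevated PowerShell session on Windows Vista or later.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ValueName = 'NtfsDisableLastAccessUpdate'

function Get-LastAccessUpdateState {
    # Returns a human-readable description of the REG_DWORD value.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value not present (operating system default applies)' }
    switch ($item.$ValueName) {
        0 { 'enabled (updates written on every read or execute)' }
        1 { 'disabled' }
        # Values 2 and 3 exist only on newer Windows 10 builds (system managed mode).
        2 { 'enabled (system managed)' }
        3 { 'disabled (system managed)' }
        default { "unknown value $($item.$ValueName)" }
    }
}

function Enable-LastAccessUpdate {
    # 0 = update the last access time stamp; the setting is read at boot,
    # so the change only takes effect after the next restart.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
}

"Before: $(Get-LastAccessUpdateState)"
Enable-LastAccessUpdate
"After:  $(Get-LastAccessUpdateState)"
"Restart the system for the change to take effect, and record the change in the security concept."

# Equivalent built-in check without PowerShell registry access:
#   fsutil behavior query DisableLastAccess
```

Because NTFS only writes a new last access time when it differs from the stored value by more than an hour, do not expect an immediately re-read file to show a changed time stamp when verifying the setting.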
Review questions:
- When creating the security concept for systems with Windows Vista, Windows 7 or Windows Server 2008, was it examined whether the last access time stamp can be dispensed with?
- Were the performance aspects of Windows Vista and Windows 7 also taken into account in this examination?