Recently, while examining a Windows 7 image, I realized that some files don't have an Entry Modified time in EnCase.
In this example, the highlighted jquery[1].js is located in the "Temporary Internet Files" folder. It's unusual, and I looked over the corresponding MFT entry (record) in Hex view.
Indeed, the MFT Entry Modified timestamp in $SIA holds an improper value, "04 01 00 00 6D 00 00 00". The rest of the timestamps, including those in $FNA, are valid. In this example they are "38 79 7E BF 0E E7 CB 01" or "0A 78 1D C0 0E E7 CB 01", which indicate "2011/03/20 23:54:43" or "2011/03/20 23:54:44" respectively.
The Windows Security event log is based on the Audit Policy of the Security Policy. There are 9 categories in Windows XP/2003. Since Vista, on the other hand, there are over 50 categories.
The default audit policy is disabled on XP, but is enabled for some categories on 7/Vista. Auditpol (audituser) or Local Security Policy shows these settings when the target is online; if it is offline, we need to read and analyze the registry (HKLM\Security\Policy\PolAdtEv).
Below is a sample screenshot of the PolAdtEv value on Windows 7.
The following is information about PolAdtEv in Windows NT 4.0
Converts the hex of a Windows FILETIME into a human-readable view. Input the hex data in little-endian order and push the "conv" button; the converted date/time is then displayed in 100-nanosecond units.
This page is designed so that you can copy a value from the EnCase Hex View and paste it into the input form on this page.
Space characters are allowed in the input data, but do not prepend "0x".
The default input/output value is 0 as a Unix timestamp (i.e. 1970/01/01 00:00:00).
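
The conversion described above, as an added Python example (not the code behind this page's converter), applied to the byte strings quoted from the MFT record plus a plausibility check that flags values like the improper $SIA timestamp. The function names, the +9 hour display offset (inferred from the times quoted above) and the 1980-2100 plausibility window are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # a FILETIME counts 100 ns intervals since 1601


def parse_filetime_hex(text):
    """Turn 8 little-endian bytes pasted from a hex view into a tick count."""
    cleaned = "".join(text.split())  # spaces between bytes are allowed
    if cleaned.lower().startswith("0x"):
        raise ValueError("paste the raw bytes without a 0x prefix")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def filetime_to_string(ticks, utc_offset_hours=0):
    """Format ticks as YYYY/MM/DD hh:mm:ss with the 7-digit 100 ns fraction."""
    seconds, fraction = divmod(ticks, TICKS_PER_SECOND)
    # datetime stores only microseconds, so the fraction is appended by hand.
    t = FILETIME_EPOCH + timedelta(seconds=seconds, hours=utc_offset_hours)
    return (f"{t.year:04d}/{t.month:02d}/{t.day:02d} "
            f"{t.hour:02d}:{t.minute:02d}:{t.second:02d}.{fraction:07d}")


def is_plausible(ticks, first_year=1980, last_year=2100):
    """Flag values that decode cleanly but cannot be a real file time.
    The 1980-2100 window is an assumption of this example."""
    try:
        year = (FILETIME_EPOCH + timedelta(seconds=ticks // TICKS_PER_SECOND)).year
    except OverflowError:  # beyond datetime's year 9999 limit
        return False
    return first_year <= year <= last_year


if __name__ == "__main__":
    samples = [  # byte strings quoted on this page, plus the Unix epoch (constructed)
        ("04 01 00 00 6D 00 00 00", 0),
        ("38 79 7E BF 0E E7 CB 01", 9),  # +9 h display offset is assumed
        ("0A 78 1D C0 0E E7 CB 01", 9),
        ("00 80 3E D5 DE B1 9D 01", 0),
    ]
    for hex_bytes, offset in samples:
        ticks = parse_filetime_hex(hex_bytes)
        verdict = "ok" if is_plausible(ticks) else "IMPLAUSIBLE"
        print(hex_bytes, filetime_to_string(ticks, offset), verdict)
```

The improper value is still a well-formed FILETIME: it decodes to a moment on 1601/01/01, so a range check rather than a parse error is what separates it from the valid timestamps.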