A friend of mine she asked me how to check all timestamps of a file on an NTFS volume. She did not have EnCase or FTK in hand. So I gave her FTK Imager and showed her the creation time, access time and modified time of a file. All she need to do is to take a look at properties of file.
Where is the entry modified time(or record date)? Here you are. Don't forget the timestamps in FTK Imager is UTC, not local time!!!
Second I showed her another option - Winhex. Check Options->Directory Browser to make sure all four timestamps will show up in file lists. Now she could see all four timestamps in local time format in file lists.
浙公网安备 33010602011771号