Comments on Forensics from the sausage factory: Gatherer Transaction Log Files - a Windows Search artefact
(comment feed last updated 2023-06-26 11:24:51 +01:00; 6 comments, shown oldest first)

Jon Stewart, 2010-07-20 13:22:53 +01:00:

Have you tried graphing the different timestamps vs the separate filesystem timestamps? I wonder whether you'd see any overlays.

Jim Gordon, 2010-07-20 22:29:25 +01:00:

Richard,

As you are aware, John Douglas of QCC fame together with myself covered the Windows indexing service for our dissertations at Cranfield. I think that I did more experimentation around the Gatherer Transaction Log file and managed to decode some further entries in addition to the ones that Barrie identified. I'll try and dig my thesis out and email it to you. I think that identified the various FILETIME entries and what they relate to.

Regards

Jim

DC1743 (Richard), 2010-07-21 05:45:00 +01:00:

Jim,

Thanks - that will be a good help and I'll update the blog post.

Richard

HHP, 2010-08-02 20:04:26 +01:00:

Rich

I don't know if you have looked at this, but I was looking at a windows.edb file today and noticed a table with references in there to what must be the gthr files, and this included some date fields.

HHP

DC1743 (Richard), 2010-08-03 06:34:23 +01:00:

Thanks Harry,

Jim Gordon's MSc thesis was on Windows Desktop Search. He found that one of the tables within the Windows.edb file was entitled SystemIndex_Gthr. Jim identified four FILETIME stamps within each record in this table - First Accessed, Last Accessed, Last Modified and Time MD5 changed. I don't think he established conclusively a direct relationship between these timestamps and the timestamps within the Gatherer Transaction Log Files.

He also established that in certain circumstances the absence of certain timestamps indicated that a file had been deleted, but concluded that a longer test regime was required.

I have carried out some further testing aided by Jim's research, but at this stage I can only commit to Timestamp 3 being the File Modified time (as recorded in the MFT) of the file at the time of indexing and, where there is a full complement of Timestamps, TS1 represents the time the file was sent for indexing.

Richard

H. Carvey, 2013-06-28 16:10:05 +01:00:

I know it's well after the fact, but I looked these up on Win7, and they have an entirely different format now...