“Last Accessed” Timestamp Disabled in Vista
Written by Jason Briody
Thursday, 20 November 2008 13:50

When Windows Vista was announced, a few of its new features (most notably User Account Control (UAC) and BitLocker Drive Encryption) sparked great interest in the security and forensics community. As these features have slowly become documented and better understood, the less publicized changes in the newest Microsoft OS are being examined more closely. One such change, included to improve Vista's performance, is the default value of the NtfsDisableLastAccessUpdate registry value. It is now set to 1 (true) instead of 0 (false) by default, which means that the "last accessed" timestamps of files and folders are no longer updated in Windows Vista.

While some might see this as a major evidentiary sacrifice for a minor boost in performance, it really is not; computer forensics examiners already know that MAC times, and access times in particular, should never be taken at face value. Aside from being changeable intentionally by the user (with readily available tools such as Metasploit's Timestomp), MAC times can be altered inadvertently when files are touched by automated programs like backup software, thumbnail creators and virus scanners, and they are altered en masse when files are copied or moved. Microsoft also only guarantees that access times are accurate to within one hour of the actual access, and in cases where chronological precision matters, a timestamp of that granularity can lead an investigator to a false conclusion. Lastly, disabling the last access time is not a new concept: the ability to stop Windows from updating this timestamp has been available on every NTFS version (NT/2000/XP/2003/Vista) and has long been promoted by "OS tweaking" web sites as a performance booster. Encountering computers with this tweak enabled is nothing new, as users looking for performance gains have been applying it for years on multiple operating systems.
While MAC times are useful when corroborated with other evidence (registry entries, .lnk files, MRU lists, file metadata, etc.), many computer forensics experts already know to be extremely wary of file system timestamp information. Let's have Microsoft's decision to turn off the "A" in "MAC times" serve as a reminder that these timestamps should be used only as a starting point in investigations; they are not the only piece of evidence we rely on for temporal analysis, and they should not be treated as such.
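Before relying on or dismissing access times from a Vista machine, an examiner wants to know how the setting is actually configured on that system. The PowerShell below is an added example, not part of the original article: it reads the registry value discussed above (the article names only the value; the key path HKLM\SYSTEM\CurrentControlSet\Control\FileSystem is assumed to be its standard location) and then probes a scratch file to see whether the last-access timestamp moves in practice.

```powershell
# Added example: report the NtfsDisableLastAccessUpdate setting on the
# machine being examined. The key path below is an assumption; the article
# itself names only the value.
function Get-LastAccessUpdatePolicy {
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $valueName = 'NtfsDisableLastAccessUpdate'
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the OS default applies (0 before Vista, 1 on Vista).
        return [pscustomobject]@{ RawValue = $null; Disabled = $null
                                  Source   = 'value absent; OS default applies' }
    }
    # DWORD values surface as signed Int32; widen before masking so high
    # flag bits (if a later Windows build set any) do not break the cast.
    $raw = [int64]$item.$valueName -band 0xFFFFFFFF
    # Bit 0 is the 0/1 switch the article describes: 1 = updates disabled.
    $disabled = ($raw -band 1) -eq 1
    [pscustomobject]@{ RawValue = ('0x{0:X8}' -f $raw); Disabled = $disabled
                       Source   = "$keyPath\$valueName" }
}

# Empirical cross-check: write a scratch file, read it back after a pause,
# and see whether its LastAccessTime advanced. Uses %TEMP%, so the probe
# must be run on a volume whose behaviour you want to observe.
function Test-LastAccessUpdates {
    $path = Join-Path $env:TEMP ('atime-probe-{0}.txt' -f [guid]::NewGuid())
    'probe' | Set-Content -Path $path
    $before = (Get-Item $path).LastAccessTime
    Start-Sleep -Seconds 2
    Get-Content -Path $path | Out-Null          # a plain read of the file
    $after = (Get-Item $path).LastAccessTime
    Remove-Item -Path $path -Force
    [pscustomobject]@{ AccessTimeBefore = $before; AccessTimeAfter = $after
                       Advanced = ($after -gt $before) }
}

Get-LastAccessUpdatePolicy | Format-List
Test-LastAccessUpdates     | Format-List
```

On a default Vista installation the registry readout should show `Disabled : True` and the probe `Advanced : False`; if the two disagree, trust the probe, since it reflects what NTFS is actually doing on that volume.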