Hello, Here's the situation: I went on vacation for a couple of weeks, but before I left, I took the harddrive out of my computer and hid it in a different location. Upon coming back on Monday (January 10, 2011) and putting the harddrive back in my computer, I right-clicked on different files to see their properties. Interestingly enough, several files had been accessed during the time I was gone! I right-clicked different files in various locations on the harddrive, and all of these suspect files had been accessed within a certain time range (Sunday, ‎January ‎09, ‎2011, approximately ‏‎between 6:52:16 PM - 9:06:05 PM). Some of them had been accessed at the exact same time--down to the very second. This makes me think that someone must have done a search on my harddrive for certain types of files and then copied all those files to some other medium. The Windows 7 installation on this harddrive is password protected, but NOT encrypted, so they could have easily put the harddrive into an enclosure/toaster to access it from a different computer. Of course I did not right-click every single file on my computer, but did so in different folders. For instance, one of the folders I went through has different types of files: .mp3, ,prproj, .3gp, .mpg, .wmv, .xmp, .txt with file-sizes ranging from 2 KB to 29.7 MB (there is also a sub-folder in this folder which contains only .jpg files); however, of all these different types of files in this folder and its subfolder, all of them had been accessed (including the .jpg files from the sub-folder) EXCEPT the .mp3 files (if it makes any difference, the .mp3 files in this folder range in size from 187 KB to 4881 KB). Additionally, this sub-folder which contained only .jpg files (48 .jpg files to be exact) was not accessed during this time--only the .jpg files within it were accessed-- (between 6:57:03 PM - 6:57:08 PM). I thought that perhaps this was some kind of Windows glitch that was displaying the wrong access date, but then I looked at the "date created" and "date modified" for all of these files in question, and their created/modified dates and times were spot on correct. My first thought was that someone put the harddrive into an enclosure/toaster and viewed the files; but then I realized that this was impossible because several of the files had been accessed at the same exact time down to the second. So this made me think that the only other way the "date accessed" could have changed would have been if someone copied the files. Is there any chance at all whatsoever that this is some kind of Windows glitch or something, or is it a fact that someone was indeed accessing my files (and if someone was accessing my files, am I right about the files in question having been copied)? Is there any other possibility for what could have happened? Do I need to use any kinds of forensics tools to further investigate this matter (and if so, which tools), or is there any other way in which I can be certain of what took place in that timeframe the day before I got back? Or is what I see with Windows 7 good enough (i.e. accurate and truthful)? Thanks in advance, and please let me know if any other details are required on my part. P.S. The harddrive is NTFS.

Never mind. Someone else already answered this for me: "I use last accessed-created date time stamps all the time when troubleshooting-investigating software installs, its been very accurate in my uses of it in NTFS file systems. Since some of the dates are while you were gone, I assume it was several days to a week, I would say someone did access those files. These timestamps along with other data are used by computer forensics teams to reconstruct what a user did on a computer. Experienced Hackers use software to alter these time stamps to cover their tracks when breaking into computer systems." http://superuser.com/questions/232143/windows-7-file-properties-is-date-accessed-always-100-accurate/232320#232320 Additionally, I just now found out what happened. Someone else found the harddrive and thought it was theirs (since it was identical to one they had been missing), so they put it in their computer and scanned it with an anti-virus software. They realized it wasn't theirs and then put it back in the place I had hidden it. In my original question, I stated a possible theory that someone may have copied the files, but I later realized that copying in itself doesn't affect the "date accessed" of the original/source file, but rather only the "date accessed" of the copy. Thanks to all those that may have read my question.

Hi, Thanks for sharing so valuable solution. It will be great helpful for other community members. If there is no further questions regarding this issue, we will close the thread. Regards, NikiPlease remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.