This EnScript will display the (8) eight NTFS time-stamps associated with each tagged file/folder in EnCase. The EnScript looks specifically for the "review" tag and displays the four common time-stamps that are from the Standard Information Attribute (same ones EnCase shows in the table pane). In addition, the four time-stamps stored in the $FILENAME attribute are also displayed for comparison and to help determine if any time-stamp altering tools may have been used.

This EnScript will print out the four (Created, Accessed, Written, Entry Modified) date fields in the Filename Atttribute along with those in the Standard Information Attribute for the purpose of comparing them as an indication that a time-altering tool may have been used.

This EnScript processes any file that is tagged with the "Review" tag and prints the information in the Console tab:

nacl64.exe
Standard Info Attribute Filename Attribute
11/05/12 05:20:20PM 11/05/12 06:20:20PM
10/24/12 12:04:51AM 11/05/12 06:20:20PM
11/05/12 05:20:20PM 11/05/12 06:20:20PM
11/05/12 05:20:20PM 11/05/12 06:20:20PM