Microsoft traded forensic readiness for speed?

With Vista, the new OS from Microsoft, many businesses will be surprised to hear that last-access time updates on the filesystem are disabled by default.

Why Microsoft did this is not clear to me; maybe to gain some extra speed on the filesystem? The filesystem used by Vista is NTFS, and NTFS files have three timestamps, called MAC times: Modified, last Accessed and Created. The accessed time is usually updated every time the file is opened or accessed by the OS. In the current release of Vista this is turned off by default.

It is, however, a registry setting, so to improve forensic readiness businesses can alter one registry key when they roll out Vista to enable accessed times again. The registry key can be found on


The key is a REG_DWORD: a value of 1 means no last accessed time updates, and a value of 0 means last accessed times will be updated.