In Section 7, answering questions on the “How to send a ransom note”, the date accessed (05-11-2019) in the Results viewer pane was different from the date accessed (2019-11-12) seen in the file Metadata in the Content Viewer pane. How is that possible and which one tells the real story? Again, what is the difference between the Changed Date and the Modified Date in the File Metadata?
You are confusing a result and a file.
A Web Search result item comes from the reading of a file, in this case the Google Chrome History database. In the Data Content viewer (the bottom right panel, with the search result selected in the top right panel), you can see the difference…
The Results tab shows the details of the particular entry in the History database. It shows the search occurred on 2019-11-05:
The File Metadata tab provided the date stamps for the History database itself, not the entries within the database. The file was last modified date on 2019-11-12:
This situation is consistent with a search for “how to make a ransom note” on 2019-11-05 and the Chrome browser continuing to be used beyond that date, through at least 2019-11-12.
NOTE: “through at least 2019-11-12” is based on the fact that not all changes are immediately written to the main database, but are instead stored in a sqlite-wal file until they are committed. I don’t recall if Autopsy reads this WAL file as part of the Recent Activity ingest module.
Great! Thanks for your contribution. I am now very clear