File Operations - BenWare-FED/FOR230 GitHub Wiki

$MFT: Master File Table. A file that contains a list of files in the computers NTFS. Each file has information stored in different fields.

• $Standard_Information:Holds the creation, modification and access time stamps. Works at the user level. $File_Name stores the same information but works at the kernel level.

If the modification date is older than the creation data, that most likely means that the file is a copy. Copying a file will change the create and access date but the modified date will remain the same since the content did not change.

Moving a file with a drive(C:, D:) the creation, modified, and access date will remain the same. If the file is moved out of the drive that it is currently in, the creation and access date will change.

Modifying a file does not change the access date but does change the modified date. Access date is updated every hour.

Entry Modified: Changes when a file is created, modified, access, copied, moved or renamed. Everything changes the Entry Modified time stamp.