File System Operations (Timestamps) - Foren-Ken/tech-journal GitHub Wiki
Why are MAC Timestamps important?
MAC timestamps are the Modified, Accessed, and Created timestamps of a file.
MAC timestamps give investigators the ability to build a timeline and check whether events such as downloading and modifying files happened alongside other events, which helps explain how an incident may have occurred.
| Operation | MAC modification |
|---|---|
| Copying a file | Updates the Created and Accessed timestamps. |
| Moving a file | No update unless the file is moved to a new volume; if it is moved to another volume, the Created and Accessed timestamps are updated. |
| Modifying a file | Updates the Modified timestamp. |
| Accessing a file | Depends on the configuration. A non-NTFS volume updates the Accessed timestamp immediately. NTFS volumes either do not update it or wait a certain time before updating the Accessed timestamp. |
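The timeline use of MAC timestamps described above, as an added example that is not part of the wiki page or of SANS material: it collects the Modified, Accessed and Created timestamps of every file under a directory with the Python standard library and merges them into one sorted M/A/C timeline. The constructed sample files in `demo()` are an assumption for the walkthrough; `os.stat()` column meanings differ by platform (st_ctime is Created on Windows but inode-change time on POSIX), which the code comments on.

```python
"""Merge per-file MAC timestamps into a single sorted timeline.

Added example, not code from the wiki page or from SANS. Uses only the
standard library. Note that os.stat() semantics differ by platform:
st_ctime is the Created timestamp on Windows but the inode change time
on POSIX, and st_birthtime exists only on some platforms.
"""
import os
import sys
import tempfile
from datetime import datetime, timezone
from typing import List, Tuple

# (timestamp, event, path); event is "M", "A" or "C" as in the table above
Event = Tuple[float, str, str]


def mac_events(path: str) -> List[Event]:
    """Return the M, A and C events for one file."""
    st = os.stat(path)
    created = getattr(st, "st_birthtime", None)
    if created is None:
        # Windows: st_ctime is Created. POSIX: it is the inode change time,
        # the closest stand-in available without a file-system specific parser.
        created = st.st_ctime
    return [
        (st.st_mtime, "M", path),
        (st.st_atime, "A", path),
        (created, "C", path),
    ]


def build_timeline(root: str) -> List[Event]:
    """Walk root and merge every file's M/A/C events into one sorted list."""
    events: List[Event] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            events.extend(mac_events(os.path.join(dirpath, name)))
    # Sort by time, then event type, then path so ties are deterministic.
    events.sort(key=lambda e: (e[0], e[1], e[2]))
    return events


def format_timeline(events: List[Event]) -> str:
    """Render events as 'ISO-8601 UTC  <M|A|C>  path' lines."""
    lines = []
    for ts, kind, path in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        lines.append(f"{when}  {kind}  {path}")
    return "\n".join(lines)


def demo() -> List[Tuple[str, str]]:
    """Constructed walkthrough on two temporary files with known M and A times.

    Created timestamps cannot be set portably, so only the M and A events
    are returned, as (event, file name) pairs in timeline order.
    """
    with tempfile.TemporaryDirectory() as root:
        # (name, mtime, atime) in seconds since the epoch; constructed values
        for name, mtime, atime in (("a.txt", 1000, 2000), ("b.txt", 1500, 3000)):
            p = os.path.join(root, name)
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
            os.utime(p, (atime, mtime))
        return [(k, os.path.basename(p))
                for _ts, k, p in build_timeline(root) if k != "C"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(format_timeline(build_timeline(target)))
```

Run it with a directory argument to print the merged timeline; `demo()` shows the expected ordering on known values: both Modified events come first (1000 s, then 1500 s), followed by the two Accessed events.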
$STANDARD_INFORMATION
This attribute is the source of the MAC timestamps shown in a file's Properties dialog. It mirrors the output of these commands:
- `dir /TW [directory]` lists the Modified timestamps
- `dir /TA [directory]` lists the Accessed timestamps
- `dir /TC [directory]` lists the Created timestamps
$FILE_NAME
Unlike $STANDARD_INFORMATION, which keeps its MAC information when a file is copied over from another drive, $FILE_NAME treats the file as completely new when it enters the system. The file therefore appears to have been created on the system, and its $FILE_NAME MAC timestamps are reset. The reset also happens when the file is moved around within the volume.
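A practitioner reads the two attributes side by side, so here is an added example (not from the wiki page or from SANS) that compares $STANDARD_INFORMATION and $FILE_NAME timestamps for a few constructed MFT records. The checks follow from the text above and the operations table: a Modified time older than Created is what a copy onto the volume looks like, an SI Created time later than the FN Created time means SI was changed after the file entered the volume, and the whole-second heuristic is an assumption of this example (NTFS keeps 100 ns resolution, so values with no sub-second part are worth a second look). The record values and paths are constructed; a real tool would take them from an MFT parser.

```python
"""Compare $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) timestamps.

Added example, not code from the wiki page or from SANS. Record values are
constructed; in practice they would come from an MFT parser.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class MftTimestamps:
    path: str
    si_created: datetime
    si_modified: datetime
    si_accessed: datetime
    fn_created: datetime
    fn_modified: datetime
    fn_accessed: datetime


def review(r: MftTimestamps) -> List[str]:
    """Return findings for one record; an empty list means nothing stood out."""
    findings: List[str] = []
    # Operations table: copying sets Created and Accessed but keeps Modified,
    # so Modified older than Created is the signature of a copy.
    if r.si_modified < r.si_created:
        findings.append("Modified predates Created: consistent with a copy onto this volume")
    # FN is set when the file enters the volume, so SI should not claim a
    # creation time later than that.
    if r.si_created > r.fn_created:
        findings.append("SI Created is later than FN Created")
    # Heuristic (assumption of this example): SI values with no sub-second
    # part were likely written by a tool rather than by the file system.
    for label, ts in (("Created", r.si_created),
                      ("Modified", r.si_modified),
                      ("Accessed", r.si_accessed)):
        if ts.microsecond == 0:
            findings.append(f"SI {label} has no sub-second part")
    return findings


def _t(s: str) -> datetime:
    """Parse a constructed ISO-8601 string as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def demo_records() -> List[MftTimestamps]:
    """Three constructed records covering the three checks above."""
    arrive = _t("2024-03-10T09:15:22.481293")
    return [
        # Copied onto the volume: SI Created/Accessed and all FN values are the
        # arrival time, SI Modified was carried over from the source.
        MftTimestamps(r"C:\Users\demo\report.docx",
                      si_created=arrive,
                      si_modified=_t("2024-02-01T17:03:11.902417"),
                      si_accessed=arrive,
                      fn_created=arrive, fn_modified=arrive, fn_accessed=arrive),
        # SI values rounded to whole seconds, FN still shows the real arrival.
        MftTimestamps(r"C:\Users\demo\archive.zip",
                      si_created=_t("2019-06-01T00:00:00"),
                      si_modified=_t("2019-06-01T00:00:00"),
                      si_accessed=_t("2019-06-01T00:00:00"),
                      fn_created=_t("2024-03-12T14:02:37.118450"),
                      fn_modified=_t("2024-03-12T14:02:37.118450"),
                      fn_accessed=_t("2024-03-12T14:02:37.118450")),
        # SI Created after FN Created: SI changed after the file entered the volume.
        MftTimestamps(r"C:\Users\demo\notes.txt",
                      si_created=_t("2024-03-15T08:00:05.250000"),
                      si_modified=_t("2024-03-15T08:30:41.775120"),
                      si_accessed=_t("2024-03-15T08:30:41.775120"),
                      fn_created=_t("2024-03-12T14:05:10.334561"),
                      fn_modified=_t("2024-03-12T14:05:10.334561"),
                      fn_accessed=_t("2024-03-12T14:05:10.334561")),
    ]


def run_demo() -> Dict[str, List[str]]:
    """Review every constructed record and map path -> findings."""
    return {rec.path: review(rec) for rec in demo_records()}


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(path)
        for f in findings or ["(nothing noted)"]:
            print("  -", f)
```

The first record shows the normal shape of a copied file, which should not be mistaken for an anomaly; the other two are the cases where SI and FN disagree in a way the text above does not explain.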
Credit: SANS