Difference between revisions of "MAC times"

From ForensicsWiki
m
Line 1: Line 1:
 
'''MAC times''' are timestamps of the latest ''modification'', ''access'' or ''change'' of a certain file.
 
'''MAC times''' are timestamps of the latest ''modification'', ''access'' or ''change'' of a certain file.
  
With Windows Vista, the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' is set to '1' by default, which means that no last access timestamp will be written at all.
+
== Disabling Last Access Time Stamp ==
 +
 
 +
=== [[Windows]] ===
 +
 
 +
Set the registry key ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate'' to ''1''.
 +
 
 +
This setting is default under [[Windows]] Vista.
 +
 
 +
=== [[Linux]] ===
 +
 
 +
Mount [[file system]] with ''noatime'' option.
  
 
== Example ==
 
== Example ==
 +
 +
== See Also ==
 +
 +
* [[Timestomp]]
  
 
== External Links ==
 
== External Links ==
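Review bot: the added Windows subsection (the lines under === [[Windows]] ===) no longer says what the setting does. The sentence it replaces stated that with the value at '1' "no last access timestamp will be written at all", which is the fact an examiner needs when interpreting access times. Suggest keeping that clause after "Set the registry key ... to ''1''" and giving the Linux ''noatime'' line the same one-line statement of its effect. The == Example == section is still empty after this change.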
Line 9: Line 23:
 
* [http://en.wikipedia.org/wiki/MAC_times Wikipedia: MAC times]
 
* [http://en.wikipedia.org/wiki/MAC_times Wikipedia: MAC times]
 
* [http://www.winguides.com/registry/display.php/50/ Disable the NTFS Last Access Time Stamp]
 
* [http://www.winguides.com/registry/display.php/50/ Disable the NTFS Last Access Time Stamp]
 +
* [http://support.microsoft.com/kb/299648 Microsoft KB 299648: Description of NTFS date and time stamps for files and folders]

Revision as of 15:23, 5 October 2008

MAC times are timestamps of the latest modification, access or change of a certain file.

Disabling Last Access Time Stamp

Windows

Set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1.

This setting is the default under Windows Vista.

Linux

Mount the file system with the noatime option.
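The following is an added example, not part of the original wiki page. It reads a mounts table in /proc/mounts format and reports, per mount point, whether access times are maintained, so an examiner knows how far the A in MAC can be trusted. The function names and sample table are constructed for illustration, and it also recognises the related relatime and nodiratime options, which the page does not mention.

```python
import re
import sys

# Constructed sample in /proc/mounts format (not from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /evidence ext4 ro,noatime 0 0
/dev/sdc1 /srv/data xfs rw,nosuid 0 0
/dev/sdd1 /mnt/my\\040disk ext4 rw,nodiratime,relatime 0 0
"""


def unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def atime_policy(options):
    """Describe how the access time (the A in MAC) is maintained for a mount."""
    if "noatime" in options:
        return "never"  # access time is not updated at all
    # In /proc/mounts, neither noatime nor relatime means every access updates atime.
    policy = "relative" if "relatime" in options else "always"
    if "nodiratime" in options:
        policy += " (files only)"  # directory access times are not updated
    return policy


def parse_mounts(text):
    """Return {mount point: atime policy} for each line of a mounts table."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        options = set(fields[3].split(","))
        result[unescape(fields[1])] = atime_policy(options)
    return result


if __name__ == "__main__":
    # Pass a saved copy of /proc/mounts as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for mount_point, policy in parse_mounts(text).items():
        print(f"{policy:22} {mount_point}")
```

A result of "relative" means the kernel updates the access time only in some cases (relatime), so an old access time on such a mount does not show that the file was left unread.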

Example

See Also

External Links