Difference between revisions of "MAC times"

From ForensicsWiki
Revision as of 01:33, 21 July 2012

The term MAC times refers to the timestamps of a file's latest modification (mtime, also called the last written time), access (atime) and change (ctime).

Unix systems maintain the historical interpretation of ctime as the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was changed on 05/05/02 12:15pm').

Windows systems are the only systems that use birth (btime) or creation time (e.g. 'This file was created on 05/05/02 12:15pm').

In NTFS each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values.

Other file systems, such as HFS, include additional timestamps, e.g. a backup time.
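The Unix semantics described above (ctime moves on any metadata change, mtime only on a content change, and ctime cannot be set through utime) can be observed directly. The following is an added example written for this page, not code from the ForensicsWiki article; it assumes a POSIX file system (on Windows, st_ctime is the creation time, so the observations differ) and creates a scratch file with constructed content in the temp directory:

```python
"""Show how Unix mtime and ctime react to a content write, to utime and to
chmod. Added example, not from the ForensicsWiki page. Assumes a POSIX
file system; the scratch file lives in the temp directory.
"""
import os
import stat
import tempfile
import time

ONE_YEAR_NS = 365 * 24 * 3600 * 10**9


def observe_timestamps(directory=None):
    """Create a scratch file and record (mtime_ns, ctime_ns) after each step."""
    obs = {}
    fd, path = tempfile.mkstemp(prefix="mactimes-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("constructed content\n")  # content write: mtime and ctime both move
        st = os.stat(path)
        obs["after_write"] = (st.st_mtime_ns, st.st_ctime_ns)

        # Backdate atime and mtime by one year through utime(2). ctime cannot
        # be set this way: the kernel stamps it with the current time instead.
        past_ns = st.st_mtime_ns - ONE_YEAR_NS
        os.utime(path, ns=(past_ns, past_ns))
        st = os.stat(path)
        obs["after_utime"] = (st.st_mtime_ns, st.st_ctime_ns)

        time.sleep(0.2)  # let the kernel's coarse timestamp clock tick
        # chmod is a metadata-only change: ctime advances, mtime stays put.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        st = os.stat(path)
        obs["after_chmod"] = (st.st_mtime_ns, st.st_ctime_ns)
    finally:
        os.unlink(path)
    return obs


def mtime_ctime_gap_seconds(obs):
    """How far ctime runs ahead of mtime after the steps above. A gap this
    large on a file that was not extracted from an archive or restored from
    a backup is worth corroborating against other evidence."""
    mtime, ctime = obs["after_chmod"]
    return (ctime - mtime) / 1e9


if __name__ == "__main__":
    for step, (m, c) in observe_timestamps().items():
        print(f"{step:12s} mtime_ns={m} ctime_ns={c}")
```

The sleep before chmod is only there so the kernel's coarse-grained timestamp clock has ticked; without it the ctime recorded by utime and by chmod can be identical on a fast machine.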

Time resolution

When dealing with MAC times it's important to know and understand the concept of time resolution.

On the FAT file system (under Windows NT):

  • the creation time has a resolution of 10 milliseconds,
  • the last written time has a resolution of 2 seconds,
  • and the access time has a resolution of 1 day.

On NTFS, access time has a resolution of 1 hour [1] (http://msdn.microsoft.com/en-us/library/ms724284.aspx).
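The practical consequence of these resolutions is that the same event is recorded differently on different file systems, so timestamps from a FAT volume and an NTFS volume can only be compared with a tolerance. The following added example (not code from the page) quantizes timestamps to the resolutions listed above and decides whether two stored values are consistent with one event. The FAT figures and the NTFS access-time figure are the page's; the 1 µs entries for the other NTFS fields are an assumption, since NTFS stores 100 ns FILETIME values, which is finer than Python's timedelta can express:

```python
"""Quantize MAC times to a file system's storage resolution and compare
timestamps across file systems with the appropriate tolerance.
Added example, not from the page. FAT and NTFS-atime resolutions come from
the page; the 1 µs NTFS entries are an assumption (NTFS keeps 100 ns
FILETIMEs, finer than datetime.timedelta allows).
"""
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

RESOLUTION = {
    ("FAT", "crtime"): timedelta(milliseconds=10),
    ("FAT", "mtime"): timedelta(seconds=2),
    ("FAT", "atime"): timedelta(days=1),
    ("NTFS", "crtime"): timedelta(microseconds=1),  # assumption, see above
    ("NTFS", "mtime"): timedelta(microseconds=1),   # assumption, see above
    ("NTFS", "atime"): timedelta(hours=1),
}


def quantize(ts, res):
    """Truncate ts to a multiple of res, with boundaries aligned to the epoch."""
    return EPOCH + (ts - EPOCH) // res * res


def stored_mac(fs, mtime, atime, crtime):
    """The MAC values a file system can actually record for one real event."""
    return {
        "mtime": quantize(mtime, RESOLUTION[(fs, "mtime")]),
        "atime": quantize(atime, RESOLUTION[(fs, "atime")]),
        "crtime": quantize(crtime, RESOLUTION[(fs, "crtime")]),
    }


def could_be_same_event(a, res_a, b, res_b):
    """Two stored timestamps are consistent with one event if they differ by
    no more than the sum of their resolutions: each stored value may be off
    by up to one step in either direction, depending on whether the file
    system truncates or rounds."""
    return abs(a - b) <= res_a + res_b


if __name__ == "__main__":
    event = datetime(2012, 7, 21, 1, 33, 17, 123456)  # constructed event time
    for fs in ("FAT", "NTFS"):
        print(fs, stored_mac(fs, event, event, event))
```

For an event at 01:33:17.123 the FAT volume keeps mtime 01:33:16, atime 00:00:00 (date only) and crtime 01:33:17.120, while NTFS keeps atime 01:00:00; a timeline that treats those values as exact will place one event at up to four different times.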

Access Time Update

On various operating systems the update of the access time can be disabled. This means that when a file is accessed, the atime in the corresponding file system entry is not updated.

Windows

In Windows the access time behavior is controlled by the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate

A value of 1 disables the access time update.

This has been the default setting since Windows Vista.

Linux

On Linux, mounting a file system with the noatime option disables access time updates.
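Before relying on atime in an investigation, check which policy the system holding the file actually applies. The following added example (not from the page) does that for both platforms described above: on Windows it reads the NtfsDisableLastAccessUpdate value named on the page, and on Linux it maps a path to its mount and reads the atime option from /proc/mounts lines. SAMPLE_PROC_MOUNTS is constructed for the demonstration; the decision to test only the low bit of the registry value is an assumption, since the page documents 1 as "disabled" and newer Windows releases add flag bits above it:

```python
"""Determine whether last-access-time updates are disabled for a path:
registry value on Windows, mount options on Linux.
Added example, not from the page. SAMPLE_PROC_MOUNTS is constructed.
"""
import os
import sys

# Constructed /proc/mounts lines, not captured from a real system.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /evidence ext4 ro,noatime,nodiratime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

ATIME_OPTIONS = ("noatime", "relatime", "strictatime")


def atime_policy(mount_options):
    """Return the atime policy named in a comma-separated mount option string."""
    opts = mount_options.split(",")
    for name in ATIME_OPTIONS:
        if name in opts:
            return name
    return "unspecified"  # kernel default applies (relatime on current Linux)


def parse_proc_mounts(text):
    """Map mount point -> atime policy from /proc/mounts-style lines."""
    policies = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            policies[fields[1]] = atime_policy(fields[3])
    return policies


def mount_point_for(path, mount_points):
    """Longest mount point that is a prefix of path (defaults to '/')."""
    path = os.path.abspath(path)
    best = "/"
    for mp in mount_points:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def linux_atime_updates_disabled(path, proc_mounts_text=None):
    """True when the mount holding path is mounted noatime. Under relatime
    atime still changes, but only when older than mtime/ctime or a day old."""
    if proc_mounts_text is None:
        with open("/proc/mounts") as fh:
            proc_mounts_text = fh.read()
    policies = parse_proc_mounts(proc_mounts_text)
    return policies.get(mount_point_for(path, policies)) == "noatime"


def windows_atime_updates_disabled():
    """Read NtfsDisableLastAccessUpdate; None when not running on Windows.
    Only the low bit is tested (assumption: later Windows versions add flag
    bits above bit 0; the page documents the value 1 as 'disabled')."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\FileSystem"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")
    return bool(value & 1)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    if sys.platform == "win32":
        print("NTFS last access updates disabled:", windows_atime_updates_disabled())
    else:
        print("noatime in effect for", target, ":", linux_atime_updates_disabled(target))
```

Run without arguments it reports on the current directory; pass a path to check the mount that holds a specific evidence file. The relatime case matters in practice: an atime that never changes does not by itself prove noatime, because relatime suppresses most updates too.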

See Also

External Links

  • Wikipedia: MAC times (http://en.wikipedia.org/wiki/MAC_times)
  • What Are MACtimes? (http://www.drdobbs.com/what-are-mactimes/184404275), by Dan Farmer, Oct 2000

NTFS

  • Disable the NTFS Last Access Time Stamp (http://www.winguides.com/registry/display.php/50/)
  • Microsoft KB 299648: Description of NTFS date and time stamps for files and folders (http://support.microsoft.com/kb/299648)