MAC times

From ForensicsWiki
Revision as of 17:17, 28 October 2008 by .FUF (Talk | contribs)

Jump to: navigation, search

MAC times are timestamps of the latest modification (mtime), access (atime) or change (ctime) of a certain file.

Unix systems maintain the historical interpretation of ctime as being the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This files metadata was changed on 05/05/02 12:15pm').

Windows systems are the only systems that use ctime to mean creation time (e.g. 'This file was created on 05/05/02 12:15pm'). On NT FAT, create time has a resolution of 10 milliseconds, write time has a resolution of 2 seconds, and access time has a resolution of 1 day. On NTFS, access time has a resolution of 1 hour [1].


Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values.

Disabling Last Access Time Stamp


Set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1.

This setting is default under Windows Vista.


Mount file system with noatime option.


See Also

External Links