MAC times

From Forensics Wiki
Revision as of 16:17, 28 October 2008 by .FUF (Talk | contribs)


MAC times are timestamps of the latest modification (mtime), access (atime) or change (ctime) of a certain file.

Unix systems maintain the historical interpretation of ctime as the time when certain file metadata, not the file's contents, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was changed on 05/05/02 12:15pm').

Windows systems are the only systems that use ctime to mean creation time (e.g. 'This file was created on 05/05/02 12:15pm'). On NT FAT, create time has a resolution of 10 milliseconds, write time has a resolution of 2 seconds, and access time has a resolution of 1 day. On NTFS, access time has a resolution of 1 hour [1].
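
The following added example (not part of the original wiki page) reads a file's MAC times and shows the Unix behaviour described above: a permission change moves ctime while mtime and atime keep their earlier values. The names `mac_times` and `chmod_effect` and the backdated epoch value are assumptions made for the illustration.

```python
import os
import stat
import sys
import tempfile
from datetime import datetime, timezone

# On Windows st_ctime is the creation time; on Unix it is the inode
# (metadata) change time, as described above.
CTIME_MEANING = "created" if sys.platform == "win32" else "metadata changed"


def mac_times(path):
    """Return the three MAC timestamps of path as UTC datetimes."""
    st = os.stat(path)

    def to_utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc)

    return {
        "modified": to_utc(st.st_mtime),
        "accessed": to_utc(st.st_atime),
        CTIME_MEANING: to_utc(st.st_ctime),
    }


def chmod_effect(past=1225210620):
    """Backdate a scratch file's mtime/atime, then chmod it.

    Returns (before, after) MAC time dicts. `past` is a constructed
    epoch value (2008-10-28 16:17 UTC) used only as sample data.
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.utime(path, (past, past))      # set atime and mtime only
        before = mac_times(path)
        os.chmod(path, stat.S_IRUSR)      # metadata-only change
        after = mac_times(path)
    finally:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = chmod_effect()
    for label in before:
        print(f"{label:17} {before[label].isoformat()} -> {after[label].isoformat()}")
```

On a Unix system the ctime stays at the current time even though mtime and atime were backdated, so a ctime later than a suspiciously old mtime is a useful consistency check during timeline analysis.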


NTFS

Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values.

Disabling Last Access Time Stamp

Windows

Set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1.

This setting is the default under Windows Vista.

Linux

Mount the file system with the noatime option.

Example

See Also

External Links