This wiki will be going offline permanently in the near future. An exact date will be announced soon. Thank you for being a part of this community.
If you wish to work on the new forensicswiki, please join the Google Group forensicswiki-reborn
MAC times are timestamps of the latest modification (mtime), access (atime) or change (ctime) of a certain file.
Unix systems maintain the historical interpretation of ctime as being the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This files metadata was changed on 05/05/02 12:15pm').
Windows systems are the only systems that use ctime to mean creation time (e.g. 'This file was created on 05/05/02 12:15pm'). On NT FAT, create time has a resolution of 10 milliseconds, write time has a resolution of 2 seconds, and access time has a resolution of 1 day. On NTFS, access time has a resolution of 1 hour .
Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values.
Disabling Last Access Time Stamp
Set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1.
This setting is default under Windows Vista.
Mount file system with noatime option.