MAC (B) Timestamps

CSCC LABS
Oct 29, 2020

--

MAC (b) Times

The MAC (b) times are derived from file system Metadata.

MACB stands for:

  • Modified
  • Accessed
  • Changed ($MFT Modified)
  • Birth (File Creation Time)

Not all file systems record a birth time. Only NTFS Files systems will record it.

Where are MACB times stored?

It is basically stored in two places —

The First Place is:

  • $STANDARD_INFO Attribute
  • It stores file metadata such as flags, the file SID, the file
  • Owner and a set of MAC(b) timestamps
  • It is the timestamp collected by Windows explorer, fls, mactime, timestomp, find and the other utilities related to the display of timestamps

The Second Place is:

  • $FILE_NAME Attribute
  • $FILE_NAME ($FN) contains the filename in Unicode and another set of MAC(b) timestamps

Difference between $STANDARD_INFO & $FILE_NAME:

$STANDARD_INFO can be modified by user level processes.

$FILE_NAME can only be modified by the system kernel. There are no known anti-forensics tools that can modify this.

Table Showing when the MAC times change and when they don’t

Now let’s see how a Modified/Accessed/Created time will be created:

A file is created and modified some data:

Created Date:

This Indicates that I have created this text file on 23 October 2020 04:46:17PM

As the same, the Created Time will be Changed when the file is copied.

Modified date:

This Indicates that the data in the text file has been last modified on 23 October 2020 04:50:54 PM

So the Modified time will be changed when the data is modified or new data is created.

Accessed Date:

This Indicates that the file has been last accessed on 23 Oct 2020 04:50:54

The Accessed time will be changed when the data is copied, moved or accessed.

--

--

CSCC LABS
CSCC LABS

Written by CSCC LABS

Cybersecurity Comprehensive Coverage

No responses yet