MAC (b) Times
The MAC(b) times are derived from file system metadata.
MACB stands for:
- Modified
- Accessed
- Changed ($MFT Modified)
- Birth (File Creation Time)
Not all file systems record a birth time; only NTFS file systems record it.
Where are MACB times stored?
They are stored in two places.
The first place is:
- $STANDARD_INFO Attribute
- It stores file metadata such as flags, the file SID, the file owner and a set of MAC(b) timestamps
- It is the timestamp set collected by Windows Explorer, fls, mactime, timestomp, find and the other utilities that display timestamps
The second place is:
- $FILE_NAME Attribute
- $FILE_NAME ($FN) contains the filename in Unicode and another set of MAC(b) timestamps
Difference between $STANDARD_INFO & $FILE_NAME:
$STANDARD_INFO can be modified by user-level processes.
$FILE_NAME can only be modified by the system kernel. There are no known anti-forensics tools that can modify this.
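Because only the $STANDARD_INFO set is reachable from user level, comparing it with the kernel-maintained $FILE_NAME set is a practical way to spot altered timestamps. The following is an added example (not from the original post); it assumes the two MACB sets have already been extracted from an MFT record as raw FILETIME integers, and the sample records are constructed:

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw 64-bit FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def filetime(iso: str) -> int:
    """Inverse conversion from an ISO-8601 string; used to build the sample."""
    delta = datetime.fromisoformat(iso) - FILETIME_EPOCH
    return (delta // timedelta(microseconds=1)) * 10

def check_record(rec: dict) -> list[str]:
    """Compare one file's $STANDARD_INFORMATION ($SI) MACB set with its
    $FILE_NAME ($FN) set and return every reason they look inconsistent."""
    si, fn, reasons = rec["si"], rec["fn"], []
    # $FN birth time is written by the kernel at creation and is out of reach
    # of user-level APIs, so a $SI birth time that precedes it cannot come
    # from ordinary file activity.
    if si["B"] < fn["B"]:
        reasons.append("$SI B precedes $FN B")
    for key in "MACB":
        # Kernel-written timestamps carry a sub-second component; a $SI value
        # sitting exactly on a whole second while $FN does not is worth a
        # second look (heuristic: FAT-sourced copies also have coarse times).
        if si[key] % TICKS_PER_SECOND == 0 and fn[key] % TICKS_PER_SECOND != 0:
            reasons.append(f"$SI {key} has no sub-second component")
    return reasons

def scan(records: list[dict]) -> dict[str, list[str]]:
    """Map each filename to the reasons returned by check_record."""
    return {rec["name"]: check_record(rec) for rec in records}

# Constructed sample (not real evidence): "notes.txt" is an ordinary file;
# "stomped.txt" had its $SI set rewritten to a whole-second 2018 date while
# the kernel-maintained $FN set still records the real creation moment.
BIRTH = filetime("2020-10-23T16:46:17.123456+00:00")
LATER = filetime("2020-10-23T16:50:54.654321+00:00")
SAMPLE_RECORDS = [
    {"name": "notes.txt",
     "si": {"M": LATER, "A": LATER, "C": LATER, "B": BIRTH},
     "fn": {"M": BIRTH, "A": BIRTH, "C": BIRTH, "B": BIRTH}},
    {"name": "stomped.txt",
     "si": {k: filetime("2018-01-01T00:00:00+00:00") for k in "MACB"},
     "fn": {"M": BIRTH, "A": BIRTH, "C": BIRTH, "B": BIRTH}},
]
```

Calling scan(SAMPLE_RECORDS) returns an empty list for notes.txt and five findings for stomped.txt; in practice the flagged files are candidates for review, not proof on their own.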
Now let's see how the Modified, Accessed and Created times are set:
A file is created and some of its data is modified:
Created date:
This indicates that I created this text file on 23 October 2020 04:46:17 PM
Likewise, the Created time will change when the file is copied.
Modified date:
This indicates that the data in the text file was last modified on 23 October 2020 04:50:54 PM
So the Modified time changes when the data is modified or new data is written.
Accessed date:
This indicates that the file was last accessed on 23 Oct 2020 04:50:54
The Accessed time changes when the file is copied, moved or accessed.