MAC (b) Times
The MAC(b) times are derived from file system metadata.
MACB stands for:
- Modified (data last modified)
- Accessed (last accessed)
- Changed ($MFT record modified)
- Birth (file creation time)
Not all file systems record a birth time. Only NTFS file systems will record it.
Where are MACB times stored?
They are stored in two places.
The first place is the $STANDARD_INFO attribute:
- It stores file metadata such as flags, the file SID, the file owner and a set of MAC(b) timestamps.
- It is the set of timestamps read by Windows Explorer, fls, mactime, timestomp, find and the other utilities that display timestamps.
The second place is the $FILE_NAME attribute:
- $FILE_NAME ($FN) contains the filename in Unicode and another set of MAC(b) timestamps.
Difference between $STANDARD_INFO and $FILE_NAME:
$STANDARD_INFO can be modified by user-level processes.
$FILE_NAME can only be modified by the system kernel. There are no known anti-forensics tools that can modify it.
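Because only $STANDARD_INFO is reachable from user mode, comparing its MAC(b) set against the $FILE_NAME set is a standard check. The following is an added example, not code from the original article: it parses both attributes out of a single MFT record and flags $SI values that predate $FN or that were rewritten to whole seconds. The MFT record, the attribute layout helper and the dates are constructed here for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

SI, FN = 0x10, 0x30   # $STANDARD_INFORMATION and $FILE_NAME attribute type ids
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_macb(record):
    """Walk the attributes of one MFT record; return {SI|FN: {'M','A','C','B'}}."""
    out, off = {}, struct.unpack_from('<H', record, 0x14)[0]   # first attribute
    while struct.unpack_from('<I', record, off)[0] != 0xFFFFFFFF:  # end marker
        atype, alen, nonres = struct.unpack_from('<IIB', record, off)
        coff = struct.unpack_from('<H', record, off + 0x14)[0]     # content offset
        if not nonres and atype in (SI, FN):
            base = off + coff + (8 if atype == FN else 0)  # $FN: parent ref comes first
            created, modified, mft_mod, accessed = struct.unpack_from('<4Q', record, base)
            out[atype] = {'M': modified, 'A': accessed, 'C': mft_mod, 'B': created}
        off += alen
    return out

def timestomp_indicators(ts):
    """$SI is writable from user mode, $FN is not: flag $SI values that are
    older than $FN or that carry no sub-second part (a whole-seconds rewrite)."""
    hits = []
    for k in 'MACB':
        if ts[SI][k] < ts[FN][k]:
            hits.append(f'$SI {k} predates $FN {k}')
        if ts[SI][k] % 10_000_000 == 0:
            hits.append(f'$SI {k} has no sub-second precision')
    return hits

def build_record(si_times, fn_times):
    """Constructed minimal MFT record: header, two resident attributes, end marker."""
    def attr(atype, body):
        body += b'\0' * (-len(body) % 8)
        return struct.pack('<IIBBHHHIHH', atype, 24 + len(body), 0, 0, 24, 0, 0,
                           len(body), 24, 0) + body
    si = attr(SI, struct.pack('<4Q', *si_times) + b'\0' * 16)
    fn = attr(FN, struct.pack('<Q4Q', 0, *fn_times) + b'\0' * 8)
    return b'FILE' + b'\0' * 16 + struct.pack('<H', 0x38) + b'\0' * 34 + si + fn + b'\xff' * 4

# Constructed sample: $FN keeps the real creation time (sub-second precision),
# while $SI was rewritten to whole-second values one year earlier.
REAL = filetime(datetime(2020, 10, 23, 16, 46, 17, 123456, tzinfo=timezone.utc))
FAKE = filetime(datetime(2019, 10, 23, 16, 46, 17, tzinfo=timezone.utc))
SAMPLE = build_record((FAKE,) * 4, (REAL,) * 4)
```

On a real image the record bytes would come from a carved $MFT entry (1024 bytes per record) rather than `build_record`; the parser ignores fixup arrays and non-resident attributes, which a production tool must handle.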
Now let's see how the Modified, Accessed and Created times are set:
A file is created and some data is written to it:
This indicates that I created this text file on 23 October 2020 at 04:46:17 PM.
Likewise, the Created time will change when the file is copied.
This indicates that the data in the text file was last modified on 23 October 2020 at 04:50:54 PM.
So the Modified time will change when the data is modified or new data is written.
This indicates that the file was last accessed on 23 Oct 2020 at 04:50:54.
The Accessed time will change when the file is copied, moved or accessed.