MAC Times question?

(@joesisson)
Posts: 4
New Member
Topic starter
 

Thanks in advance

I am working a case (older computer) running Windows Vista. I am tasked with verifying times on a document. I am using Magnet Forensics and FTK as my tools. I have already verified that the access times are still off by default in the registry. I am viewing the Created time 6-4-10 and the Last Mod time 6-4-10 in Magnet Forensics, when I also see the column showing a File System Created time of 5-28-2010?? I then view the same document in FTK which shows the Mod time of 6-4-10 and a Created time of 5-28-10.

I have searched the internet (Google) for File System Times and this Forum, but can't find a post or website that can distinguish between the two.

jsisson@lexingtonpolice.ky.gov

So here is my question

I am actively researching the difference between the File System time MAC's and the Last MAC's.

Thanks,

Joe

 
Posted : 06/10/2015 7:29 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

A couple of things…

1. What is "the Last MAC's."?

2. What file system are you looking at? FAT? FAT32? NTFS?

 
Posted : 12/10/2015 4:00 pm
(@joesisson)
Posts: 4
New Member
Topic starter
 

The "Last MAC's" is what IEF refers to when speaking about the Modified, Accessed (turned off by default in Vista), and Created times. IEF places the word Last in front of these times and has a separate listing for a "File System" Last Modified, Accessed and Created times.

After doing some verification, this is what I, with help from a "Forensic Focus" poster, have found. The Last Modified time and Last Created Time match the File System Modified Time, but do not match the Last File System Created Time. This was found to be because the Word file was introduced to the computer and kept its File System Created Time. The computer generated a second Last Created Time when introduced to the computer for the first time. The metadata supports this when exporting the Word document out and looking at its details. I recreated this by moving a Word document via USB from one computer to another.

This is a Vista computer and is running an NTFS file system.

Thanks,

Joe

 
Posted : 13/10/2015 5:35 pm
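
The post above distinguishes times kept by the file system from times stored inside the document itself. The following is an added example, not code from the thread or from any of the tools named in it: it reads both kinds of timestamp from a constructed `.docx` and shows that the embedded values travel with the file content while the file system value depends on how the copy was made. Assumptions: an Office Open XML file whose `docProps/core.xml` holds the embedded times, constructed sample dates, and only the file system modified time is compared because creation time is not exposed portably.

```python
import os, shutil, tempfile, zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"dcterms": "http://purl.org/dc/terms/"}
# Constructed sample metadata (not values from the case discussed above).
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dcterms="http://purl.org/dc/terms/">'
    "<dcterms:created>2012-01-10T14:00:00Z</dcterms:created>"
    "<dcterms:modified>2012-01-17T09:30:00Z</dcterms:modified>"
    "</cp:coreProperties>"
)

def embedded_times(path):
    """Created/modified times stored inside the document (docProps/core.xml)."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    def read(tag):
        text = root.find(f"dcterms:{tag}", NS).text
        return datetime.fromisoformat(text.replace("Z", "+00:00"))
    return {"created": read("created"), "modified": read("modified")}

def fs_modified(path):
    """Last-modified time recorded by the file system, as UTC."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def demo():
    """Copy a constructed .docx two ways and collect both kinds of timestamp."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "original.docx")
    with zipfile.ZipFile(src, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
    # Give the source a file system mtime matching the embedded modified time.
    stamp = embedded_times(src)["modified"].timestamp()
    os.utime(src, (stamp, stamp))
    plain = shutil.copy(src, os.path.join(work, "copy_plain.docx"))      # data only
    kept = shutil.copy2(src, os.path.join(work, "copy_preserved.docx"))  # data + mtime
    report = {p: (embedded_times(p), fs_modified(p)) for p in (src, plain, kept)}
    shutil.rmtree(work)
    return report, src, plain, kept

if __name__ == "__main__":
    report, *_ = demo()
    for path, (inside, outside) in report.items():
        print(os.path.basename(path), inside["created"].date(),
              inside["modified"].date(), outside.date())
```

When verifying a document's times, record which source each value came from, since a mismatch between the two is expected after a copy and is not by itself a sign of tampering.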
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The behavior you mention is pretty well documented in a number of online sources, including the Microsoft knowledgebase.

 
Posted : 14/10/2015 12:59 am