
How to check all timestamps of file

19 Posts
5 Users
0 Likes
5,102 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

A friend of mine asked me how to check all timestamps of a file on an NTFS volume. She did not have EnCase or FTK in hand. So I gave her FTK Imager and showed her the creation time, access time and modified time of a file. All she needs to do is take a look at the properties of the file.

You guys could take a look at my blog to see the screenshots.
http://www.cnblogs.com/pieces0310/p/6280086.html

Second, I showed her another option - WinHex. Check Options->Directory Browser to make sure all four timestamps will show up in file lists. Now she could see all four timestamps in local time format in file lists.

 
Posted : 12/01/2017 7:44 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The four timestamps that are actually eight? ;)

http://reboot.pro/topic/15960-setmace/
http://reboot.pro/files/file/216-ntfs-tools-collection/

On github
https://github.com/jschicht?tab=repositories

Particularly
https://github.com/jschicht/MftRcrd

See
http://superuser.com/questions/973547/how-can-i-display-all-8-ntfs-timestamps

jaclaz

 
Posted : 12/01/2017 10:09 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Between the $STANDARD_INFORMATION and $FILE_NAME attributes, I've seen a total of 12 (and in some cases, 16) time stamps. I use a Perl script to parse through and display these values. The Perl script can be 'compiled' into a standalone .exe file for Windows systems.

 
Posted : 12/01/2017 11:06 pm
(@thefuf)
Posts: 262
Reputable Member
 

I have seen 9 timestamps :D

 
Posted : 13/01/2017 12:10 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I think we can agree on "double or more" than the original 4. ;)

The actual number should be 4+4 or 4+8 for a "normal" file, depending on filename length, as explained by Joakim on the given links.

jaclaz

 
Posted : 13/01/2017 12:54 am
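To make keydet89's 12 (or 16) and jaclaz's 4+4 / 4+8 concrete, here is an added example of my own, not code from this thread or from any of the tools linked above: a small Python parser for one 1024-byte MFT record that applies the update sequence fixups and pulls the four FILETIMEs out of $STANDARD_INFORMATION and out of every $FILE_NAME attribute. A file with a Win32 name plus a DOS 8.3 name therefore yields 4+8 = 12. The record is constructed inside the script, so the file names, sizes, record number and times are hypothetical. It ends with the usual sanity check: $FILE_NAME times are written only by the kernel while $STANDARD_INFORMATION times can be set from user mode, so an $SI creation time that predates the $FN creation time is worth a closer look.

```python
import struct
from datetime import datetime, timedelta, timezone

# Every NTFS timestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_FIELDS = ("created", "modified", "mft_modified", "accessed")
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
END_OF_ATTRIBUTES = 0xFFFFFFFF

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10

def apply_fixups(record, sector=512):
    """Undo the update sequence array: on disk the last two bytes of each sector
    hold the USN and the original bytes sit in the array in the record header."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = sector * i
        if rec[end - 2:end] != usn:
            raise ValueError("USN mismatch in sector %d (torn write or corrupt record)" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_timestamps(record):
    """List (attribute, file name, {field: datetime}) for every resident
    $STANDARD_INFORMATION and $FILE_NAME attribute in one MFT record."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]            # offset of the first attribute
    found = []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRIBUTES or alen == 0:
            break
        if rec[off + 8] == 0:                                # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                raw = struct.unpack_from("<4Q", body, 0)
                found.append(("$STANDARD_INFORMATION", None,
                              dict(zip(TIME_FIELDS, map(filetime_to_datetime, raw)))))
            elif atype == ATTR_FILE_NAME:
                raw = struct.unpack_from("<4Q", body, 8)      # after the 8-byte parent reference
                name = body[66:66 + 2 * body[64]].decode("utf-16-le")
                found.append(("$FILE_NAME", name,
                              dict(zip(TIME_FIELDS, map(filetime_to_datetime, raw)))))
        off += alen
    return found

def count_timestamps(found):
    return sum(len(times) for _, _, times in found)

def si_before_fn_anomalies(found):
    """Names of $FILE_NAME attributes whose creation time is later than the
    $STANDARD_INFORMATION creation time (a classic sign of a backdated $SI)."""
    si = [t for a, _, t in found if a == "$STANDARD_INFORMATION"]
    return [n for a, n, t in found if a == "$FILE_NAME"
            for s in si if s["created"] < t["created"]]

# ---- constructed sample record: hypothetical values, not from any real volume ----
def _attr(atype, content):
    total = (24 + len(content) + 7) & ~7                     # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + bytes(total - 24 - len(content))

def _file_name(name, times, namespace):
    ft = [datetime_to_filetime(t) for t in times]
    fixed = struct.pack("<Q4QQQIIBB", 5, *ft, 4096, 3210, 0x20, 0, len(name), namespace)
    return _attr(ATTR_FILE_NAME, fixed + name.encode("utf-16-le"))

def build_sample_record():
    utc = timezone.utc
    kernel_created = datetime(2017, 1, 10, 9, 30, tzinfo=utc)
    touched = datetime(2017, 1, 12, 14, 5, tzinfo=utc)
    si_times = [datetime(2015, 6, 1, tzinfo=utc), touched, touched, touched]   # backdated $SI "created"
    si = _attr(ATTR_STANDARD_INFORMATION,
               struct.pack("<4QIIII", *map(datetime_to_filetime, si_times), 0x20, 0, 0, 0))
    body = (si + _file_name("Quarterly report.docx", [kernel_created] * 4, 1)     # Win32 name
            + _file_name("QUARTE~1.DOC", [kernel_created] * 4, 2)                  # DOS 8.3 name
            + b"\xff\xff\xff\xff")
    usa_off, usa_count, first_attr, usn = 0x30, 3, 0x38, 0x0007
    rec = bytearray(1024)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1,
                             first_attr, 1, first_attr + len(body), 1024, 0, 4, 0, 1234)
    rec[first_attr:first_attr + len(body)] = body
    rec[usa_off:usa_off + 2] = struct.pack("<H", usn)
    for i, end in enumerate((512, 1024), start=1):           # stash each sector end, overwrite with USN
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)
```

Run `parse_timestamps(build_sample_record())` and you get three entries (one $SI, two $FN) carrying 12 timestamps; `si_before_fn_anomalies` flags both names because the $SI creation time was set two years before the kernel-written $FN creation time. Non-resident attributes and $OBJECT_ID are deliberately skipped here; the fixup check is kept because a record whose sector ends do not carry the USN should not be trusted for timeline work.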
(@thefuf)
Posts: 262
Reputable Member
 

> I think we can agree on "double or more" than the original 4. ;)
>
> The actual number should be 4+4 or 4+8 for a "normal" file, depending on filename length, as explained by Joakim on the given links.
>
> jaclaz

Don't forget about hard links and Object IDs.

 
Posted : 13/01/2017 1:10 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Don't forget about hard links and Object IDs.

Sure :), that's why I expressly specified "normal" files. :roll:

But we could go for "at least eight" ;).

jaclaz

 
Posted : 13/01/2017 1:34 am
(@thefuf)
Posts: 262
Reputable Member
 

> Don't forget about hard links and Object IDs.
>
> Sure :), that's why I expressly specified "normal" files. :roll:
>
> But we could go for "at least eight" ;).
>
> jaclaz

"Normal" files on internal drives are expected to have Object IDs :)

 
Posted : 13/01/2017 2:29 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> "Normal" files on internal drives are expected to have Object IDs :)

But strictly speaking an Object ID is not a timestamp, it is a GUID.
https://0cch.com/ntfsdoc/attributes/object_id.html

And it seems like there are cases where no Object_ID is associated with files
https://digital-forensics.sans.org/blog/2009/12/24/ntfs-attributes-part-one

jaclaz

 
Posted : 13/01/2017 2:58 pm
(@thefuf)
Posts: 262
Reputable Member
 

> "Normal" files on internal drives are expected to have Object IDs :)
>
> But strictly speaking an Object ID is not a timestamp, it is a GUID.
> https://0cch.com/ntfsdoc/attributes/object_id.html
>
> And it seems like there are cases where no Object_ID is associated with files
> https://digital-forensics.sans.org/blog/2009/12/24/ntfs-attributes-part-one
>
> jaclaz

But this GUID includes a timestamp.

 
Posted : 13/01/2017 4:02 pm
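To show what thefuf means, here is an added example of my own (not from the thread or from the tools linked above): a version-1 GUID embeds a 60-bit count of 100 ns ticks since 1582-10-15 together with the generating host's clock sequence and node, so the moment it was generated can be recovered; a random version-4 GUID or an all-zero id carries no time at all, which is the caveat to keep in mind. The $OBJECT_ID body layout used here (ObjectId first, then the optional BirthVolumeId, BirthObjectId and BirthDomainId, 16 bytes each) is the one in the ntfsdoc page jaclaz linked; the sample body is constructed in the script, so the GUID values and the recovered time are hypothetical.

```python
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 version-1 UUIDs count 100 ns ticks from the Gregorian reform date.
EPOCH_1582 = datetime(1582, 10, 15, tzinfo=timezone.utc)
OBJECT_ID_FIELDS = ("ObjectId", "BirthVolumeId", "BirthObjectId", "BirthDomainId")

def guid_timestamp(guid_bytes_le):
    """UTC time embedded in a version-1 GUID (given in the on-disk little-endian
    mixed layout), or None for any other version, e.g. a random v4 or all zeros."""
    u = uuid.UUID(bytes_le=guid_bytes_le)
    if u.version != 1:
        return None
    return EPOCH_1582 + timedelta(microseconds=u.time // 10)

def parse_object_id(content):
    """Split a resident $OBJECT_ID attribute body into its GUIDs.
    Only ObjectId is mandatory; the Birth* GUIDs exist when the body is 64 bytes."""
    out = {}
    for i, name in enumerate(OBJECT_ID_FIELDS):
        chunk = content[16 * i:16 * i + 16]
        if len(chunk) < 16:
            break
        out[name] = (uuid.UUID(bytes_le=chunk), guid_timestamp(chunk))
    return out

# ---- constructed sample: hypothetical values, not taken from a real volume ----
def make_v1_guid(when, clock_seq=0x1234, node=0x0123456789AB):
    """Build a version-1 GUID for a chosen UTC time, the way uuid1() does for now."""
    d = when - EPOCH_1582
    ts = ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10
    fields = (ts & 0xFFFFFFFF, (ts >> 32) & 0xFFFF, ((ts >> 48) & 0x0FFF) | 0x1000,
              0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields).bytes_le

def sample_object_id_body():
    birth = datetime(2017, 1, 12, 19, 44, tzinfo=timezone.utc)
    object_id = make_v1_guid(birth)
    # a version-4 (random) GUID as BirthVolumeId: nothing to recover from it
    birth_volume = uuid.UUID("12345678-1234-4abc-8def-123456789abc").bytes_le
    return object_id + birth_volume + object_id + bytes(16)   # all-zero BirthDomainId
```

The recovered time is when the GUID was generated, on the clock of the machine that generated it, which is not necessarily when the file itself was created; treat it as one more timestamp to correlate, not as a replacement for the $SI and $FN values. The node field of a v1 GUID is also worth noting, since it usually identifies the generating host.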
Page 1 / 2