I'm looking for a definitive definition of each of the 8 timestamps in an MFT File Record.
Attr 0x10 Offset 0x50 File created
Attr 0x10 Offset 0x58 File modified
Attr 0x10 Offset 0x60 Record changed
Attr 0x10 Offset 0x68 Last Access
Attr 0x30 Offset 0xB8 File created
Attr 0x30 Offset 0xC0 File modified
Attr 0x30 Offset 0xC8 Record changed
Attr 0x30 Offset 0xD0 Last Access

What I'm looking for:
- Correct names for each offset
- What it stores precisely
- When exactly is it updated
- What each of the different sets of times means
So far I've got various snippets from discussion forums, from various software vendors and textbooks, but no amount of Google or GPT-4 searching gives me anything definitive.
Can anyone here help?
Thanks
Here is some good info on that:
I'd already checked that one out along with others - including:
https://www.forensicfocus.com/articles/interpretation-of-ntfs-timestamps/
[link removed]
However, I was looking for definitive information rather than second hand information.
In the several hours research I've done since posting this thread, I'm coming to the realisation there possibly is no such authoritative source.
As far as I know, MFT structures are not documented by Microsoft. After all, users are not supposed to manipulate them directly. If that is correct, you won't find anything that can be called 'authoritative', unless you find some old article on the design of NTFS by a Microsoft author that includes such details. (Brian Carrier used some names in his book -- he might have documented his source(s).)
The best you can do is, I believe, go for the Microsoft documentation and/or different SDKs. You will find articles such as:
https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-setfileinformationbyhandle
which accepts a LP_BASIC_INFO structure, in which there are four timestamps named, for example. Those are the names I preferred to use to describe the fields, when I had to.
However ... that is only what this particular API calls the timestamps. There is probably similar documentation for .NET, but I'm less familiar with that.
Other fields you list may not even be open to direct modification by the user.
And authoritative info about exactly how they are used and when is something you have to ask Microsoft about. They have some kind of forensic liaison -- that may be the source. More likely is that you'll be informed that information can be obtained by licensing the NTFS file system source code. You'll need to sign an NDA for that, though.
I quite like the flatcap NTFS documentation; it's basically used for the Linux driver (I believe).
https://flatcap.github.io/linux-ntfs/ntfs/attributes/index.html
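The attribute layouts in the flatcap pages can be checked against an actual record rather than against the fixed offsets in the opening post. The following is an added example, not code from this thread or from any of the linked sources: a Python parser that applies the update sequence fixups of a FILE record, walks its attribute headers, and pulls the four FILETIME values out of $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30). The record it parses is constructed inline (the file name report.docx, the parent reference and the dates are made up), and the comparison rules at the end are the usual forensic heuristics: indicators that the two sets disagree, not proof of anything.

```python
"""Read the two four-timestamp sets of an NTFS MFT FILE record by walking its
attribute headers: $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30).
Every FILETIME is a count of 100 ns intervals since 1601-01-01 UTC."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_NAMES = ("created", "modified", "mft_changed", "accessed")
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF

def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)   # drops the 100 ns remainder

def as_iso(ft: int) -> str:
    return filetime_to_datetime(ft).isoformat()

def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array: on disk the last two bytes of each
    512-byte sector hold the USN, and the real bytes live in the array."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        sector_end = i * 512 - 2
        if buf[sector_end:sector_end + 2] != usn:
            raise ValueError(f"fixup mismatch at sector {i - 1}: record is torn")
        buf[sector_end:sector_end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_timestamps(record: bytes) -> dict:
    """Return {"si": {...}, "fn": {...}} mapping TIME_NAMES to raw FILETIME ints."""
    rec = apply_fixups(record)
    first_attr, = struct.unpack_from("<H", rec, 0x14)
    used_size, = struct.unpack_from("<I", rec, 0x18)
    out, off = {}, first_attr
    while off + 8 <= used_size:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if not non_resident and atype in (ATTR_SI, ATTR_FN):
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            # $SI times start at content+0; $FN carries an 8-byte parent reference first.
            base = 0 if atype == ATTR_SI else 8
            key = "si" if atype == ATTR_SI else "fn"
            # a record may hold several $FILE_NAME attributes (e.g. an 8.3 name); keep the first
            out.setdefault(key, dict(zip(TIME_NAMES, struct.unpack_from("<4Q", content, base))))
        off += alen
    return out

def compare_sets(ts: dict) -> list:
    """Indicators, not proof: $SI values are reachable through FILE_BASIC_INFO
    (SetFileInformationByHandle), $FN values are not, so disagreement is worth a look."""
    findings, si, fn = [], ts.get("si"), ts.get("fn")
    if not si or not fn:
        return findings
    if si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created")
    for name in TIME_NAMES:
        if si[name] % 10_000_000 == 0 and fn[name] % 10_000_000 != 0:
            findings.append(f"$SI {name} has no sub-second part, $FN {name} does")
    return findings

# --- constructed sample record (not taken from a real disk) -------------------
def to_filetime(dt: datetime, extra_100ns: int = 0) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10 + extra_100ns

def resident_attr(atype: int, content: bytes) -> bytes:
    hdr_len = 0x18
    total = (hdr_len + len(content) + 7) & ~7          # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, hdr_len, 0, 0,
                      len(content), hdr_len, 0, 0)
    return hdr + content + b"\0" * (total - hdr_len - len(content))

def build_sample_record() -> bytes:
    """1024-byte record for a hypothetical 'report.docx' whose $SI times were set
    to a round earlier date while $FN still holds the original sub-second values."""
    fn_t = to_filetime(datetime(2023, 3, 1, 12, 0, 0, tzinfo=timezone.utc), 1234567)
    si_t = to_filetime(datetime(2021, 1, 1, tzinfo=timezone.utc))
    si_content = struct.pack("<4Q", si_t, si_t, si_t, si_t) + b"\0" * 0x28
    name = "report.docx".encode("utf-16-le")
    fn_content = (struct.pack("<Q", 5 | (5 << 48))           # parent ref: root (record 5), sequence made up
                  + struct.pack("<4Q", fn_t, fn_t, fn_t, fn_t)
                  + struct.pack("<QQII", 0, 0, 0x20, 0)      # alloc size, real size, flags, reparse
                  + bytes([len(name) // 2, 1]) + name)       # name length (chars), Win32 namespace
    body = resident_attr(ATTR_SI, si_content) + resident_attr(ATTR_FN, fn_content) + b"\xff" * 4
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                         0x38 + len(body), 1024, 0, 3, 0, 42)
    rec = bytearray(header + b"\0" * 8 + body).ljust(1024, b"\0")
    usn = b"\x07\x00"                                        # update sequence number
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]     # array: USN, then the saved sector-end bytes
    rec[510:512] = rec[1022:1024] = usn
    return bytes(rec)

if __name__ == "__main__":
    ts = parse_timestamps(build_sample_record())
    for key in ("si", "fn"):
        for name, ft in ts[key].items():
            print(f"{key} {name:12s} {as_iso(ft)}")
    for note in compare_sets(ts):
        print("note:", note)
```

On the constructed record the $SI times do sit at 0x50..0x68 and the $FN times at 0xB8..0xD0, exactly as listed at the top of the thread, but only because $SI is the first attribute and has its usual 0x48-byte body; the walker reads the attribute length and content offset fields instead of relying on that, which is what you want before pointing a tool at records from a real volume.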