Does anyone know of an easy, relatively user friendly way to access the MFTs, specifically timestamps?
It's easy to alter timestamps in the file itself, but the MFTs record and display the original settings, do they not?
How do we recover these stamps?
Greetings,
I'd use a hex editor or EnCase, but if you want something a bit more user friendly, check this tool out:
http//
I'm sure there are other tools out there.
Brian Carrier's _File System Forensics_ is a superb reference for understanding how to parse MFT entries.
-David
Thanks. I've tried WinHex, X-Ways, EnCase and FTK, but they all produce the altered timestamps.
I know there is a way, but whichever software I use, it always produces the new, not original, results.
The timestamp alteration tool I used is one I wrote myself. I don't believe for a second that I'm so good as to fool EnCase or FTK. I wish I was!
Dave,
You need to look at the $FILE_NAME attribute of the record. Windows does not update the date and time fields stored within.
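
Added example, not part of the thread and not taken from any of the tools named in it: a minimal Python parser that reads the four timestamps from both the $STANDARD_INFORMATION and $FILE_NAME attributes of one MFT FILE record and lists the fields where the former predates the latter (a common review heuristic, not proof of alteration). The sample record, its dates, the file name and all function names are constructed for illustration; the parser assumes resident attributes and that the record's update-sequence fixup has already been applied.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMES = ("created", "modified", "mft_modified", "accessed")
ATTRS = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME"}

def filetime(dt):  # datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def resident_attr(attr_type, content):
    # Resident, unnamed attribute: 24-byte header, then content, 8-byte aligned.
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(length, b"\0")

def build_record(si_times, fn_times, name):
    # Constructed sample FILE record (hypothetical helper, not data from a real volume).
    si = struct.pack("<4Q", *map(filetime, si_times)) + b"\0" * 16
    fn = (struct.pack("<Q4Q", 5, *map(filetime, fn_times)) + b"\0" * 24
          + bytes([len(name), 1]) + name.encode("utf-16-le"))
    header = b"FILE" + b"\0" * 16 + struct.pack("<H", 56) + b"\0" * 34  # first attribute at 56
    return header + resident_attr(0x10, si) + resident_attr(0x30, fn) + struct.pack("<I", 0xFFFFFFFF)

def parse_times(record):
    # Walk the attribute list; assumes fixup already applied to the record.
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    out, off = {}, struct.unpack_from("<H", record, 20)[0]
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype in ATTRS and record[off + 8] == 0:  # resident attributes only
            # $FILE_NAME content starts with an 8-byte parent directory reference.
            body = off + struct.unpack_from("<H", record, off + 20)[0] + (8 if atype == 0x30 else 0)
            times = map(from_filetime, struct.unpack_from("<4Q", record, body))
            out.setdefault(ATTRS[atype], dict(zip(NAMES, times)))  # keep the first of each type
        off += alen
    return out

def si_before_fn(record):
    # Fields whose $STANDARD_INFORMATION value is earlier than the $FILE_NAME value.
    t = parse_times(record)
    return [n for n in NAMES if t["$STANDARD_INFORMATION"][n] < t["$FILE_NAME"][n]]

SAMPLE = build_record([datetime(2001, 1, 1, tzinfo=timezone.utc)] * 4,
                      [datetime(2008, 3, 14, 9, 30, tzinfo=timezone.utc)] * 4, "report.doc")
```

Calling `parse_times(SAMPLE)` returns both timestamp sets side by side, and `si_before_fn(SAMPLE)` names the fields to review.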