Is there anyone who can help with this case?
What is the difference between the NTFS file record $FILENAME and $STANDARD_INFORMATION timestamps?
We are trying to find out about image changes and corruption. There is only an image and there is no operating system.
Some of them say this is a kernel time stamp. What is it? What is the source of it? BIOS or what?
Thanks a lot
Seniors caution? 😯
http//
What EXACTLY are you trying to do?
Who are the "we"? (in "We are trying to find out….")
Who are the "them"? (in "Some of them says this ….")
Which program produces the screenshot you posted?
Do you mean this?
http//
http//
N.B. All fields, except the parent directory, are only updated when the filename is changed. Until then, they just become out of date. $STANDARD_INFORMATION Attribute, however, will always be kept up-to-date.
What is the doubt?
jaclaz
Student trying to get us to do his homework, I'm wagering.
I am not a student. Turkish National Police anti-terror computer forensics department, dude.
We are amateurs, I know, but not as arrogant as you.
The program is Active Undelete disk editor.
The question is: can we understand any file change from these timestamps, and what is the source of the timestamps?
I am not a student. Turkish National Police anti-terror computer forensics department, dude.
Dude? 😯
We are amateurs, I know, but not as arrogant as you.
Ah well, isn't accusing someone else of arrogance also a sign of arrogance?
The program is Active Undelete disk editor.
Good. :)
The question is: can we understand any file change from these timestamps, and what is the source of the timestamps?
If you can read the given resource AND you have a basic understanding of how (generically) file systems work AND specifically how NTFS works, I can see no issues in your understanding the matter.
It is not a particularly difficult or advanced topic, but the behaviour of different Operating Systems on different NTFS versions may be (slightly) different, so it is not something that can be summed up in a forum reply; there are several good public resources on the internet (and one among the best ones was provided in my previous post) and at least one "must have" book, which is "File System Forensic Analysis" by Brian Carrier.
You need to be familiar with the "basics", which essentially are that on NTFS timestamps are UTC
http://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/
http//
of course based on the current system date/time and timezone (+ daylight savings time if any).
So the "source" is current date/time settings in OS, but the data is "translated back" to UTC, and saved in the above described format of 100-nanosecond intervals since 12:00 A.M. January 1, 1601.
jaclaz
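An added example, not part of the posts above or of any tool named in the thread: it decodes the four timestamps stored in the content of a $STANDARD_INFORMATION and a $FILE_NAME attribute (100-nanosecond intervals since 1601, UTC) and compares them field by field. The function names and the sample bytes are assumptions constructed for illustration; the attribute content is assumed to be already extracted from the file record.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_changed", "accessed")

def filetime_to_utc(ft: int) -> datetime:
    """Count of 100-ns intervals since 1601-01-01 00:00 UTC -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)  # drops the last 100-ns digit

def utc_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def read_times(content: bytes, offset: int) -> dict:
    """Four consecutive little-endian 64-bit timestamps starting at offset."""
    if len(content) < offset + 32:
        raise ValueError("attribute content too short for four timestamps")
    return dict(zip(FIELDS, struct.unpack_from("<4Q", content, offset)))

def compare_si_fn(si_content: bytes, fn_content: bytes) -> dict:
    si = read_times(si_content, 0)  # $STANDARD_INFORMATION: times start at byte 0
    fn = read_times(fn_content, 8)  # $FILE_NAME: times follow the 8-byte parent reference
    report = {}
    for f in FIELDS:
        report[f] = {
            "si": filetime_to_utc(si[f]),
            "fn": filetime_to_utc(fn[f]),
            "differs": si[f] != fn[f],
            # FN normally lags SI; SI earlier than FN is a lead to examine, not proof.
            "si_earlier": si[f] < fn[f],
        }
    return report

# Constructed sample (not from a real image): FN times all equal, SI partly different.
T_FN = utc_to_filetime(datetime(2013, 4, 6, 9, 0, 0, tzinfo=timezone.utc))
T_LATER = utc_to_filetime(datetime(2013, 4, 8, 15, 30, 0, tzinfo=timezone.utc))
T_EARLY = utc_to_filetime(datetime(2010, 1, 1, 0, 0, 0, tzinfo=timezone.utc))
SAMPLE_SI = struct.pack("<4Q", T_EARLY, T_LATER, T_LATER, T_LATER)
SAMPLE_FN = struct.pack("<Q4Q", 5, T_FN, T_FN, T_FN, T_FN)  # 5 = placeholder parent ref

if __name__ == "__main__":
    for field, r in compare_si_fn(SAMPLE_SI, SAMPLE_FN).items():
        print(f"{field:12} SI={r['si'].isoformat()} FN={r['fn'].isoformat()} "
              f"differs={r['differs']} si_earlier={r['si_earlier']}")
```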
Thanks a lot jaclaz, it was so helpful.
Seniors caution?
Google translate, probably. Bing translate makes it into 'Watch out for adults'.
@OP There's a useful article called 'The Rules of Time on NTFS File System'. It's available on the net so you can just google for it.
Google translate, probably. Bing translate makes it into 'Watch out for adults'.
Yep :) , most probably the original was something like "Advice from seniors (needed)" or "To the attention of seniors/experts".
It seems like "dikkat"
https://
is translated both as "attention" and "caution"
Sometimes it is really fun to see the effects of Google (or Bing) translate.
jaclaz