Windows timestamps forensics

When a Windows system has a major update (for example 20H2, Build 19042) it changes the creation date of several system files (like NTUSER.dat.LOG1, NTUSER.dat.LOG2, etc.), but this is not the case for the minor updates it regularly does on a weekly basis or so.

Do said "minor" changes affect the timestamps in the $MFT attributes $STANDARD_INFO and $FILE_NAME (if yes, both or only one?)?

Under what circumstances is ONLY one of those attributes changed while the other is left unchanged?

Would a new Windows installation that preserves files make a new $MFT and then copy the said attributes from the existing $MFT to the newly created one? Will it copy both, or will it copy only one, with the other ($FILE_NAME) taking the installation date/time as its timestamp?


Posted : 04/11/2021 2:04 pm
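The questions above can only be settled by reading both timestamp sets out of the raw $MFT records before and after an update, since $STANDARD_INFORMATION is what Explorer and SetFileTime expose while $FILE_NAME is maintained by the NTFS driver itself. The following is an added example, not code from the poster: it parses a 1024-byte FILE record (applying the update-sequence fixups first), extracts the four timestamps from both attributes, and reports which fields disagree. The record it runs on is constructed in the script from the documented NTFS layout (512-byte sectors, 1024-byte records, resident attributes at offset 0x18); the times, the parent reference and the file name NTUSER.DAT.LOG1 are sample values chosen to show a record whose $SI modified/MFT-modified times have moved while $FN has not. Feed `parse_record()` real records exported from a volume to answer the update question empirically.

```python
"""Compare $STANDARD_INFORMATION and $FILE_NAME timestamps in an NTFS $MFT FILE record."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TS_FIELDS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def apply_fixups(record, sector_size=512):
    """Restore the last word of every sector from the update sequence array."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def iter_attributes(record):
    """Yield (type, content) for each resident attribute; non-resident ones yield b''."""
    off = struct.unpack_from("<H", record, 0x14)[0]          # first attribute offset
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        content = b""
        if record[off + 8] == 0:                               # resident flag
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
        yield atype, content
        off += alen

def parse_record(record):
    """Return {'si': {field: datetime}, 'fn': [{field: datetime, 'name': str}, ...]}."""
    record = apply_fixups(record)
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    result = {"si": None, "fn": []}
    for atype, content in iter_attributes(record):
        if atype == ATTR_STANDARD_INFORMATION:            # 4 FILETIMEs at offset 0
            times = struct.unpack_from("<4Q", content, 0)
            result["si"] = dict(zip(TS_FIELDS, map(filetime_to_datetime, times)))
        elif atype == ATTR_FILE_NAME:                     # parent ref, then 4 FILETIMEs
            times = struct.unpack_from("<4Q", content, 8)
            entry = dict(zip(TS_FIELDS, map(filetime_to_datetime, times)))
            entry["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
            result["fn"].append(entry)
    return result

def compare_timestamps(parsed):
    """{field: (si_time, fn_time)} for every field where $SI and the first $FN differ."""
    fn = parsed["fn"][0]
    return {f: (parsed["si"][f], fn[f]) for f in TS_FIELDS if parsed["si"][f] != fn[f]}

# --- constructed sample record (not from a real volume) ---------------------
def resident_attr(atype, content, attr_id):
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(content), 0x18, 0, 0)
    return hdr + content + bytes(length - 0x18 - len(content))

def build_record(si_times, fn_times, name, record_size=1024, sector_size=512):
    si = struct.pack("<4Q", *si_times) + bytes(72 - 32)                    # flags etc. zeroed
    fn = (struct.pack("<Q", (5 << 48) | 5) + struct.pack("<4Q", *fn_times)  # parent = root (5)
          + struct.pack("<QQII", 0, 0, 0x20, 0) + bytes([len(name), 3]) + name.encode("utf-16-le"))
    body = (resident_attr(ATTR_STANDARD_INFORMATION, si, 0) + resident_attr(ATTR_FILE_NAME, fn, 1)
            + struct.pack("<I", ATTR_END) + bytes(4))
    usa_off, usa_count, usn, first_attr = 0x30, 3, b"\x01\x00", 0x38
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr, 1,
                      first_attr + len(body), record_size, 0, 2, 0, 1234)
    buf = bytearray(hdr + usn + bytes(4) + bytes(2) + body)               # USA holds original (zero) words
    buf += bytes(record_size - len(buf))
    for i in range(1, usa_count):                                          # USN overwrites sector ends, as on disk
        buf[i * sector_size - 2:i * sector_size] = usn
    return bytes(buf)

T0 = datetime_to_filetime(datetime(2021, 4, 11, 12, 0, tzinfo=timezone.utc))   # sample creation time
T1 = datetime_to_filetime(datetime(2021, 4, 12, 9, 30, tzinfo=timezone.utc))   # sample later write
SAMPLE_RECORD = build_record((T0, T1, T1, T0), (T0, T0, T0, T0), "NTUSER.DAT.LOG1")

if __name__ == "__main__":
    parsed = parse_record(SAMPLE_RECORD)
    print("file:", parsed["fn"][0]["name"])
    for field, (si, fn) in compare_timestamps(parsed).items():
        print("%-13s $SI=%s  $FN=%s" % (field, si.isoformat(), fn.isoformat()))
```

Fields where the two sets agree are left out of the report, so on a real volume a record whose $FN creation time is newer than its $SI creation time (or whose $SI times have moved while $FN stayed put) stands out immediately; a fixup mismatch is raised as an error rather than silently parsed, since a torn record would otherwise yield bogus times.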