A friend of mine asked me how to check all the timestamps of a file on an NTFS volume. She did not have EnCase or FTK on hand, so I gave her FTK Imager and showed her the creation time, access time and modified time of a file. All she needs to do is take a look at the properties of the file.
You guys could take a look at my blog to see the screenshots.
http//
Second, I showed her another option: WinHex. Check Options->Directory Browser to make sure all four timestamps will show up in file lists. Now she could see all four timestamps in local time format in file lists.
The four timestamps that are actually eight?
http//
http//
On github
https://
Particularly
https://
See
http//
jaclaz
Between the $STANDARD_INFORMATION and $FILE_NAME attributes, I've seen a total of 12 (and in some cases, 16) time stamps. I use a Perl script to parse through and display these values. The Perl script can be 'compiled' into a standalone .exe file for Windows systems.
I have seen 9 timestamps.
I think we can agree on "double or more" than the original 4.
The actual number should be 4+4 or 4+8 for a "normal" file, depending on filename length, as explained by Joakim on the given links.
jaclaz
Don't forget about hard links and Object IDs.
Sure, that's why I expressly specified "normal" files.
But we could go for "at least eight".
jaclaz
"Normal" files on internal drives are expected to have Object IDs.
But strictly speaking an Object ID is not a timestamp, it is a GUID.
https://0cch.com/ntfsdoc/attributes/object_id.html
And it seems like there are cases where no Object_ID is associated with files.
https://digital-forensics.sans.org/blog/2009/12/24/ntfs-attributes-part-one
jaclaz
But this GUID includes a timestamp.
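Added example, not part of any post in this thread: a Python sketch of how the timestamp inside an Object ID GUID can be read, assuming the GUID is an RFC 4122 version 1 value stored in the usual little-endian GUID byte order. The function names and the sample bytes are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 GUID timestamps count 100 ns ticks since 1582-10-15 (RFC 4122),
# not since the 1601 epoch used by NTFS FILETIME values.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_object_id(raw: bytes) -> dict:
    """Decode a 16-byte Object ID GUID as it is stored on disk."""
    if len(raw) != 16:
        raise ValueError("an Object ID GUID is exactly 16 bytes")
    # GUIDs on disk keep their first three fields little-endian.
    guid = uuid.UUID(bytes_le=raw)
    result = {"guid": str(guid), "version": guid.version,
              "created": None, "node": None, "clock_seq": None}
    # Only version 1 GUIDs carry a time and node field; for any other
    # version the same bits are not a timestamp and must not be read as one.
    if guid.variant != uuid.RFC_4122 or guid.version != 1:
        return result
    result["created"] = UUID_EPOCH + timedelta(microseconds=guid.time // 10)
    # The node is normally a MAC address; a set multicast bit in the first
    # octet means it was randomly generated instead.
    node = guid.node.to_bytes(6, "big")
    result["node"] = ":".join(f"{b:02x}" for b in node)
    result["clock_seq"] = guid.clock_seq
    return result


def build_sample(when, node=0x001122334455, clock_seq=0x1234) -> bytes:
    """Build constructed on-disk GUID bytes for a known time (test data)."""
    ticks = ((when - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
              ((ticks >> 48) & 0x0FFF) | 0x1000,       # version 1
              ((clock_seq >> 8) & 0x3F) | 0x80,        # RFC 4122 variant
              clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields).bytes_le


if __name__ == "__main__":
    sample = build_sample(datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc))
    for key, value in decode_object_id(sample).items():
        print(f"{key:10} {value}")
```
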