File Times

When an investigator or forensic analyst wants to develop a timeline of activity on a system, one of the most useful pieces of information is file times. Files on a live system have three file times associated with them; the last time the file was modified, the last time the file was accessed, and the date and time the file was created. Collectively, these file times are referred to as “MAC times.” These times are usually modified by applications, based on user's actions. For example, when a text file is opened in Notepad, the last access time is modified. If the user makes any changes to the file, the last modification time will be updated.

File times can be viewed by using the dir command with the appropriate switches. The /T switch, ...

Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.