Timestamps are extremely important in a forensic investigation. NTFS keeps four of them per file:
- Created (Birth): date/time the file was created on the volume
- Accessed: last time the file data was opened
- Modified: last time the file data was changed
- Changed (metadata change): the Master File Table entry was changed, e.g. a change in file attributes
You can remember them as B-MAC.
NTFS stores times in UTC, while FAT stores them in local time.
Windows file timestamps live in the $MFT (located in the root of the NTFS volume).
The $MFT keeps track of all files along with their metadata.
Things to do when you suspect that a file's timestamps have been modified:
- Compare the $SI ($STANDARD_INFORMATION) and $FN ($FILE_NAME) timestamps, because the majority of anti-forensics tools can only modify $SI.
- Another useful place is C:\Windows\Prefetch: look for anti-forensics tools such as Timestomp and parse the Prefetch file to get more information (run count, last run time, loaded files).
- The $FN timestamps can only be modified by the Windows kernel (consider them the source of truth).
- Use AnalyzeMFT to parse the $MFT for the investigation.
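As an added example (not part of these notes, and not AnalyzeMFT's code), the Python below pulls the $SI and $FN timestamps out of one raw MFT record and applies the $SI-versus-$FN comparison described above. The record it parses is constructed in code rather than taken from a disk image, and the whole-second check is an extra heuristic beyond what the notes list.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_dt(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_mft_record(rec):
    """Walk one raw MFT record and return the four timestamps (created, modified,
    MFT-changed, accessed) of the resident $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30)."""
    assert rec[:4] == b"FILE", "not an MFT FILE record"
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:             # end-of-attributes marker
            break
        if atype in (0x10, 0x30):
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]  # resident content offset
            base = 0 if atype == 0x10 else 8             # $FN begins with an 8-byte parent ref
            times = struct.unpack_from("<4Q", rec, off + coff + base)
            out["SI" if atype == 0x10 else "FN"] = [filetime_to_dt(t) for t in times]
        off += alen
    return out

def timestomp_indicators(ts):
    """Flag $SI values older than their kernel-maintained $FN counterparts, plus whole-second $SI values."""
    flags = []
    for name, s, f in zip(("created", "modified", "mft_changed", "accessed"), ts["SI"], ts["FN"]):
        if s < f:
            flags.append(f"$SI {name} predates $FN {name}")
    if all(t.microsecond == 0 for t in ts["SI"]):
        flags.append("$SI timestamps have zero fractional seconds")
    return flags

def build_record(si_times, fn_times, name="report.docx"):
    """Constructed minimal 1024-byte MFT record for demonstration, not read from a disk."""
    def attr(atype, content):
        hdr = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
        body = hdr + content
        body += b"\0" * (-len(body) % 8)                  # attributes are 8-byte aligned
        return body[:4] + struct.pack("<I", len(body)) + body[8:]
    si = attr(0x10, struct.pack("<4Q", *si_times) + b"\0" * 40)
    fn = attr(0x30, struct.pack("<5Q", 5, *fn_times) + b"\0" * 24
              + bytes([len(name), 0]) + name.encode("utf-16-le"))
    hdr = b"FILE" + b"\0" * 16 + struct.pack("<H", 0x38) + b"\0" * 34
    return (hdr + si + fn + struct.pack("<I", 0xFFFFFFFF)).ljust(1024, b"\0")
```

Feed `parse_mft_record` a 1024-byte slice of a real $MFT (records with non-resident or update-sequence-fixup quirks need extra handling) and pass the result to `timestomp_indicators`.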