
File Created, File Accessed, File Modified

Created by: Chris Jensen
Created date: February 19, 2015 18:01
Last Updated date: March 07, 2016 16:35
For every file on an NTFS volume, there are the following dates:
1. File Created
2. File Accessed
3. File Modified
4. MFT last written (MFT Entry Modified)
Each of these dates is explained below:
File Created: This is the date the file was “created” on the volume. This does not
change when working normally with a file, e.g. opening, closing, saving, or modifying
the file.
File Accessed: This is the date the file was last accessed. An access can be a move, an
open, or any other simple access. It can also be tripped by anti-virus scanners or
Windows system processes. Therefore, caution has to be used when stating a “file was
last accessed by user XXX” if there is only the “File Accessed” date in NTFS to work
from.
File Modified: This date, as shown by Windows, indicates that there has been a change to
the file itself. E.g., adding more data to a Notepad document would trip the date it was
modified.
MFT Entry Modified: A basic understanding of NTFS and the MFT is required for
this section. This is a date not shown by Windows Explorer or the average Windows
interface; viewing it requires forensic tools, e.g. EnCase, FTK, iLook, WinHex, etc. This date
shows when the MFT entry, which points to the file of concern, was changed. This
means that if the record that points to the file is changed, then this date would trip. As
all the dates, file names, and file sizes are stored in the MFT, if any of those are changed then
the date will change. For example, if the file size changes, then the MFT Entry Modified
date is changed. If the file name is changed, then the MFT Entry Modified date is changed.
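
As an added example (not from the original article): NTFS keeps these four dates as 64-bit FILETIME values at the start of the $STANDARD_INFORMATION attribute in the file's MFT record. The Python below decodes them from a constructed 32-byte sample and flags the case described above where the MFT entry changed after the file content did; the function names and sample dates are assumptions made for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores times as FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Order of the four timestamps at the start of $STANDARD_INFORMATION content.
FIELDS = ("file_created", "file_modified", "mft_entry_modified", "file_accessed")


def filetime_to_dt(ticks):
    """Convert a 64-bit FILETIME value to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used only to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_si_times(content):
    """Return the four timestamps from $STANDARD_INFORMATION attribute content."""
    if len(content) < 32:
        raise ValueError("need at least 32 bytes of attribute content")
    return dict(zip(FIELDS, map(filetime_to_dt, struct.unpack_from("<4Q", content))))


def metadata_changed_after_content(times):
    """True when the MFT entry changed after the last content write (e.g. a rename)."""
    return times["mft_entry_modified"] > times["file_modified"]


# Constructed sample (assumed dates): written on 2015-02-19, renamed on 2016-03-07.
UTC = timezone.utc
SAMPLE_SI = struct.pack(
    "<4Q",
    dt_to_filetime(datetime(2015, 2, 19, 18, 1, 0, tzinfo=UTC)),   # File Created
    dt_to_filetime(datetime(2015, 2, 19, 18, 30, 0, tzinfo=UTC)),  # File Modified
    dt_to_filetime(datetime(2016, 3, 7, 16, 35, 0, tzinfo=UTC)),   # MFT Entry Modified
    dt_to_filetime(datetime(2016, 3, 7, 9, 0, 0, tzinfo=UTC)),     # File Accessed
)

if __name__ == "__main__":
    times = parse_si_times(SAMPLE_SI)
    for name in FIELDS:
        print(f"{name:20s} {times[name].isoformat()}")
    print("metadata changed after content:", metadata_changed_after_content(times))
```

All values are decoded as UTC; convert to the examiner's or the system's time zone only when reporting.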