Saturday, October 18, 2008

Time and Timestamps


"A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).

The FAT file system stores time values based on the local time of the computer. For example, a file that is saved at 3:00pm PST in Washington is seen as 6:00pm EST in New York on an NTFS volume, but it is seen as 3:00pm EST in New York on a FAT volume.

The NTFS file system stores time values in UTC format, so they are not affected by changes in time zone or daylight saving time." MSDN


Why 1 January 1601?
The choice has to do with leap years following a 400-year cycle and with 1 January 1601 being a Monday. Taking the integer day count modulo 7 (MOD) gives the day of the week:
(0=Sunday, 1=Monday, 2=Tuesday, 3=Wednesday, 4=Thursday, 5=Friday, 6=Saturday)
Day of the Week = Days Since 1601 MOD 7
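The following is an added example, not code from the post or from Microsoft. It decodes and encodes the 64-bit FILETIME described in the MSDN quote, reads the 8-byte little-endian form found in on-disk structures, and derives the day of the week directly from the tick count as the formula above does. Because 1 January 1601 was a Monday, day 0 of the count falls on a Monday; the helper shifts the count by one so it can index the post's 0 = Sunday table. The PST and EST zones are fixed offsets (UTC-8 and UTC-5) standing in for the MSDN example, and the saved-at time is a constructed value.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 12:00 A.M. 1 January 1601 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # 100-ns intervals per second
SECONDS_PER_DAY = 86_400

# Weekday table indexed the way the post lists it (0 = Sunday).
WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday",
            "Thursday", "Friday", "Saturday")

# Fixed-offset zones standing in for the MSDN example (assumption: no DST).
PST = timezone(timedelta(hours=-8), "PST")
EST = timezone(timedelta(hours=-5), "EST")


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a 64-bit FILETIME into an aware UTC datetime.

    Python's datetime only keeps microseconds, so the last digit of the
    100-ns tick count is truncated on the way in.
    """
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as FILETIME ticks (NTFS stores UTC)."""
    if dt.tzinfo is None:
        raise ValueError("use an aware datetime; FILETIME is defined in UTC")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * SECONDS_PER_DAY + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_from_bytes(raw: bytes) -> int:
    """Read the 8-byte little-endian FILETIME as found in on-disk structures."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def day_of_week(ft: int) -> str:
    """Day of the week from the raw tick count, without a calendar library.

    1 January 1601 was a Monday, so day 0 of the count is a Monday.  The
    post's table starts at 0 = Sunday, which lines up once the count is
    shifted by one (equivalently: count the epoch day itself as day 1).
    """
    days_since_1601 = ft // (TICKS_PER_SECOND * SECONDS_PER_DAY)
    return WEEKDAYS[(days_since_1601 + 1) % 7]


def as_seen_in(ft: int, tz: timezone) -> str:
    """Render a UTC FILETIME as the wall clock a user in `tz` would see."""
    return filetime_to_datetime(ft).astimezone(tz).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    # Constructed example: a file saved at 3:00 PM PST on the date of this post.
    saved = datetime(2008, 10, 18, 15, 0, tzinfo=PST)
    ft = datetime_to_filetime(saved)
    print(f"FILETIME ticks      : {ft}")
    print(f"on-disk bytes (LE)  : {ft.to_bytes(8, 'little').hex()}")
    print(f"stored as UTC       : {filetime_to_datetime(ft).isoformat()}")
    print(f"seen in Washington  : {as_seen_in(ft, PST)}")
    print(f"seen in New York    : {as_seen_in(ft, EST)}")   # 18:00, as in the MSDN quote
    print(f"day of week         : {day_of_week(ft)}")       # Saturday
```

Because NTFS keeps the UTC tick count, the same FILETIME renders as 15:00 for the Washington viewer and 18:00 for the New York viewer; a FAT volume, which stores the bare local wall clock, would show 15:00 to both.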


There are five different time formats, and it can be confusing.




The original FAT12/FAT16 file systems had only the last-modified time. The later FAT32 and NTFS file systems have three types of time stamps for each file.

1. Time when the file was first created
2. Time when the file was last modified
3. Time when the file was last accessed



Here is how these values are changed by the Operating System (OS):



A quick picture reference to FAT and NTFS date and time stamps for files and folders, based on Microsoft Article 299648.

A file from a FAT file system to a FAT file system

A file from a FAT file system to an NTFS file system

A file from an NTFS file system to an NTFS file system

Folder 2 copied into Folder 1

Folder 2 moved into Folder 1

According to the same document, FAT works a bit differently: if you copy or move Folder 2 into Folder 1, the created date and modified date of Folder 1 remain unchanged.

Microsoft Article ID 127830, "Time Stamps Change When Copying From NTFS to FAT", is also quite interesting. According to this article, when a file is copied from an NTFS volume to a FAT volume, the time stamp is rounded to the nearest two seconds. This happens only with FAT, because FAT records seconds in two-second steps, whereas an NTFS time stamp can end in an even or an odd number of seconds. So the NTFS time stamp 10:00:00.000 becomes the FAT time stamp 10:00:00.000, but anything later than that, from NTFS 10:00:00.001 up to 10:00:01.999, produces FAT 10:00:02.000.
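As an added example (mine, not from the post or the Microsoft article), the code below packs a wall-clock time into the two 16-bit words FAT actually stores for a time stamp and applies the rounding behaviour the article describes: anything past an even-second boundary is carried up to the next one. It also unpacks the words and splits the 4-byte time/date pair as it appears in a directory entry. The 10:00 values in the demo are constructed to match the example in the paragraph above.

```python
from datetime import datetime, timedelta

FAT_EPOCH_YEAR = 1980        # FAT date words count years from 1980
TWO_SECONDS_US = 2_000_000   # FAT records seconds in two-second steps


def round_up_to_fat_grid(dt: datetime) -> datetime:
    """Apply the NTFS -> FAT conversion the KB article describes.

    Anything past an even-second boundary is rounded up to the next one:
    10:00:00.000 stays, 10:00:00.001 .. 10:00:01.999 become 10:00:02.000.
    Adding a timedelta lets the carry roll into minutes, hours and days.
    """
    into_grid_us = (dt.second * 1_000_000 + dt.microsecond) % TWO_SECONDS_US
    if into_grid_us == 0:
        return dt
    return dt + timedelta(microseconds=TWO_SECONDS_US - into_grid_us)


def pack_fat_timestamp(dt: datetime) -> tuple[int, int]:
    """Pack a naive (local wall-clock) datetime into FAT's 16-bit date/time words.

    date word: bits 15-9 year-1980, bits 8-5 month,   bits 4-0 day
    time word: bits 15-11 hours,    bits 10-5 minutes, bits 4-0 seconds / 2
    """
    if dt.tzinfo is not None:
        raise ValueError("FAT stores local wall-clock time; pass a naive datetime")
    dt = round_up_to_fat_grid(dt)
    if not FAT_EPOCH_YEAR <= dt.year <= FAT_EPOCH_YEAR + 127:
        raise ValueError("FAT dates cover 1980..2107 only (7-bit year field)")
    date_word = ((dt.year - FAT_EPOCH_YEAR) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def unpack_fat_timestamp(date_word: int, time_word: int) -> datetime:
    """Inverse of pack_fat_timestamp(); the result is naive, i.e. the writer's local time."""
    year = FAT_EPOCH_YEAR + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def fat_words_from_entry_bytes(raw: bytes) -> tuple[int, int]:
    """Split a directory entry's 4-byte little-endian pair (2-byte time, then 2-byte date).

    Returns (date_word, time_word) to match pack_fat_timestamp().
    """
    if len(raw) != 4:
        raise ValueError("expected 2-byte time followed by 2-byte date")
    time_word = int.from_bytes(raw[0:2], "little")
    date_word = int.from_bytes(raw[2:4], "little")
    return date_word, time_word


if __name__ == "__main__":
    # Constructed NTFS-side values around the post's 10:00 example.
    for us in (0, 1, 1_000_000, 1_999_999, 2_000_000):
        ntfs_side = datetime(2008, 10, 18, 10, 0) + timedelta(microseconds=us)
        d, t = pack_fat_timestamp(ntfs_side)
        fat_side = unpack_fat_timestamp(d, t)
        print(f"NTFS {ntfs_side.time()} -> FAT {fat_side.time()}"
              f"  (date=0x{d:04x} time=0x{t:04x})")
```

For a forensic comparison this is the direction that matters: a FAT copy whose seconds are all even and whose sub-second part is zero is consistent with the file having passed through FAT, while the NTFS original keeps the odd seconds and 100-ns fraction.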

A Few Things To Keep In Mind


1. NTFS Last Access time stamp updates can easily be disabled in the registry on Windows NT, Windows 2000 and Windows XP:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Value Name: NtfsDisableLastAccessUpdate
Data Type: REG_DWORD (DWORD Value)
Value Data: set to 1 to prevent Last Access time stamp updates.

Note that Windows Vista has Last Access time updates disabled by default to improve NTFS performance. Some applications require Last Access time stamps to be enabled in order to operate correctly; this can be done by issuing the command fsutil behavior set disablelastaccess 0, followed by a restart of the computer.


2. Antivirus software needs to read files in order to scan them for viruses. After a scan finishes, the software restores the Last Access time stamp of each scanned file to its value from before the scan. However, if a file was cured, its access and modification times are updated. (See my other post for details.)


3. The accuracy of the time stamps depends on the internal clock. The NTFS file system records time with a precision of 100 nanoseconds (ns), but the precision of the Windows internal clock is only 1 ms, so the accuracy of NTFS time stamps on Windows systems is limited to 1 ms.

--------
The System Forensic Analysis book by Brian Carrier (highly recommended) helped me to understand this material a bit better.

There is a great collection of academic papers about date and time stamp forensics. It can be found on the Time Forensics website maintained by Svein Y. Willassen.

3 comments:

Lance Mueller said...

Andre,

These are some great graphics to simplify the explanation!

eco said...

Thanks Lance,
'A good' picture tells a thousand words :-)

Unknown said...

Andre, thank you. I'm moving on in years, so glancing at these pics brings it all back.