Understanding Filesystem Timestamps: A Practical Guide for Investigators
- Mar 5, 2024
- 3 min read
Updated: Feb 17
In the digital forensics world, understanding how timestamps work is crucial. Modern operating systems, with their complexity, make timestamp analysis both fascinating and challenging. Whether you're tracking file modifications, uncovering malware activity, or investigating lateral movement, timestamps serve as valuable clues.
How Timestamps Can Change Unexpectedly
Files don’t always follow the expected timestamp update rules. Various software and system activities can modify timestamps, sometimes in ways that obscure forensic evidence. Here are some common offenders:
Microsoft Office Applications: These can update access times even when registry settings disable such changes.
Anti-Forensic & Malware Tools: Attackers use file system APIs to modify timestamps, making malicious files blend in.
Archiving Software: When extracting files from a ZIP or RAR archive, the modification time often reflects the original archive's date rather than when the file was actually unzipped.
Security Software & AV Scans: Some antivirus solutions update access timestamps during routine scans, making forensic analysis trickier.
Key Takeaway:
Timestamps should never be interpreted in isolation. Always correlate with other evidence, such as logs and system events, to understand why a timestamp changed.
Timestamps Over the Network: A Hidden Trail
Did you know timestamps follow the same rules even when files are transferred over a network? This has major implications for forensic investigations.
Lateral Movement and Timestamps
When an attacker moves files across systems using SMB (Server Message Block), the modification time of the file remains the same, while a new creation time is assigned. This tells us two things:
The modification time predates the creation time—indicating a copy operation.
The creation timestamp on the target system is the exact moment the file was transferred.
Why This Matters
Pivot Points in Investigations: The creation time can serve as a reference to correlate with logs and execution events.
Detecting Lateral Movement: Attackers often use net use, WMI, or PsExec to copy and execute malware remotely. SMB traffic analysis (e.g., PCAP files) can reveal timestamps matching those in the filesystem.
Registry Clues: The MountPoints2 key in the user's NTUSER.DAT hive can help identify locally and remotely mounted volumes, shedding light on attacker activity.
Key Takeaway:
Identifying files where the modification time predates the creation time can uncover unauthorized file transfers and lateral movement techniques.
Deciphering Timeline Analysis: The “MACB” Model
When analyzing a timeline, you'll encounter different timestamp types represented by the “MACB” notation:
M – Modified: Content of the file changed.
A – Accessed: The file was read or executed.
C – Metadata Changed: File attributes or permissions were altered.
B – Birth: The file’s creation time.
Example: Understanding a Timeline Entry
Let’s say you analyze C:\akash.exe and see these entries:
2025-02-17 16:20:37 m.c. C:\akash.exe
2025-02-17 16:25:12 .a.b C:\akash.exe
What This Means:
The first line (m.c.) shows that modification and metadata change occurred at 16:20:37.
The second line (.a.b) tells us the file was accessed and created (copied) at 16:25:12.
Conclusion? The file was copied to the system at 16:25:12, but its content was last modified at 16:20:37, before the copy—confirming that the file existed elsewhere before it landed on the target machine.
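To make the two ideas above concrete (the SMB-copy pattern where modification predates birth, and how a timeline tool collapses a file's four timestamps into MACB lines), here is an added Python example; it is not code from the original post, and the file names and timestamp values are constructed to mirror the akash.exe walkthrough.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four timestamps of two files, keyed by MACB letter.
# The akash.exe values reproduce the post's worked example; notes.txt is a
# locally created file whose timestamps all match (no copy pattern).
SAMPLE_FILES = {
    r"C:\akash.exe": {
        "M": "2025-02-17 16:20:37",
        "A": "2025-02-17 16:25:12",
        "C": "2025-02-17 16:20:37",
        "B": "2025-02-17 16:25:12",
    },
    r"C:\Users\Public\notes.txt": {
        "M": "2025-02-17 09:00:00",
        "A": "2025-02-17 09:00:00",
        "C": "2025-02-17 09:00:00",
        "B": "2025-02-17 09:00:00",
    },
}

FMT = "%Y-%m-%d %H:%M:%S"


def macb_lines(path, stamps):
    """Group a file's M/A/C/B timestamps by value and emit one timeline line
    per distinct timestamp, using MACB column order ('.' = not at this time)."""
    by_time = defaultdict(set)
    for letter, ts in stamps.items():
        by_time[ts].add(letter)
    lines = []
    for ts in sorted(by_time):  # ISO-style strings sort chronologically
        flags = "".join(l.lower() if l in by_time[ts] else "." for l in "MACB")
        lines.append(f"{ts} {flags} {path}")
    return lines


def looks_copied(stamps):
    """Copy heuristic from the post: content modified (M) before the file
    was born (B) on this volume means it existed somewhere else first."""
    return datetime.strptime(stamps["M"], FMT) < datetime.strptime(stamps["B"], FMT)


def triage(files):
    """Return the paths whose timestamps show the copy pattern."""
    return [path for path, stamps in files.items() if looks_copied(stamps)]


if __name__ == "__main__":
    for path, stamps in SAMPLE_FILES.items():
        print("\n".join(macb_lines(path, stamps)))
    print("possible copies:", triage(SAMPLE_FILES))
```

Run against a real export, the same grouping reproduces the m.c. / .a.b pairs seen in tools that emit bodyfile-style timelines, while triage() gives a first-pass list of candidates to correlate with SMB and execution logs.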
Common Timestamp Combinations
| Notation | Meaning |
| --- | --- |
| m.cb | Modified, metadata changed, birth (created) |
| .a.. | Accessed only |
| mac. | Modified, accessed, metadata changed |
Key Takeaway:
Timeline analysis isn’t just about reading timestamps—it’s about understanding why those timestamps exist and what they reveal about past activities.
Challenges in Timestamp Forensics
Overwritten Evidence: Timestamps get updated with new modifications, erasing past data. You only see the latest modification, not the full history.
Time Skew Issues: If a system’s clock was incorrect or tampered with, timestamps could be misleading.
File System Differences: NTFS timestamps differ from FAT32, ext4, and other filesystems, so always consider the OS and format.
Final Thoughts: The Investigator’s Approach
To master timestamp forensics, you need more than just theoretical knowledge—you need an investigative mindset.
Correlate with Logs & Events: Match file timestamps with Windows Event Logs, Sysmon, and execution artifacts.
Leverage Registry Artifacts: Mountpoints2, shellbags, and recent file lists provide extra context.
Test Your Hypotheses: If something doesn’t add up, replicate it in a controlled environment.
By understanding how timestamps behave—and how they can be manipulated—you can uncover hidden traces left by attackers. Keep practicing, keep investigating, and timestamps will become one of your most valuable forensic tools.
------------------------------------------------Dean-----------------------------------------------------
🔍 Want to Learn More?
Explore forensic tools like Plaso, Timesketch, and Velociraptor to take your timeline analysis skills to the next level!