MAC times

MAC times are pieces of file system metadata which record when certain events pertaining to a computer file occurred most recently. The events are usually described as "modification" (the data in the file was modified), "access" (some part of the file was read), and "metadata change" (the file's permissions or ownership were modified), although the acronym is derived from the "mtime", "atime", and "ctime" structures maintained by Unix file systems. Windows file systems do not update ctime when a file's metadata is changed, instead using the field to record the time when a file was first created, known as "creation time" or "birth time". Some other systems also record birth times for files, but there is no standard name for this metadata; ZFS, for example, stores birth time in a field called "crtime". MAC times are commonly used in computer forensics.[1][2] The name Mactime was originally coined by Dan Farmer, who wrote a tool with the same name.[3]

Modification time (mtime)

A file's modification time describes when the content of the file most recently changed. Because most file systems do not compare data written to a file with what is already there, if a program overwrites part of a file with the same data as previously existed in that location, the modification time will be updated even though the contents did not technically change.

Access time (atime)

A file's access time identifies when the file was most recently opened for reading. Access times are usually updated even if only a small portion of a large file is examined. A running program can maintain a file as "open" for some time, so the time at which a file was opened may differ from the time data was most recently read from the file.

Because some computer configurations are much faster at reading data than at writing it, updating access times after every read operation can be very expensive. Some systems mitigate this cost by storing access times at a coarser granularity than other times; by rounding access times only to the nearest hour or day, a file which is read repeatedly in a short time frame will only need its access time updated once.[4] In Windows, this is addressed by waiting for up to an hour to flush updated access dates to the disk.[5]

Some systems also provide options to disable access time updating altogether. In Windows, starting with Vista, file access time updating is disabled by default.[6]

Change time and creation time (ctime)

Unix and Windows file systems interpret 'ctime' differently:

  • Unix systems maintain the historical interpretation of ctime as being the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was changed on 05/05/02 12:15pm').
  • Windows systems use ctime to mean 'creation time' (also called 'birth time') (e.g. 'This file was created on 05/05/02 12:15pm').

This difference in usage can lead to incorrect presentation of time metadata when a file created on a Windows system is accessed on a Unix system and vice versa. Although not specified by POSIX, most modern Unix file systems (such as ext4, HFS+, ZFS, and UFS2) allow to store the creation time.[7] NTFS stores both the creation time and the change time.

The semantics of creation times is the source of some controversy. One view is that creation times should refer to the actual content of a file: e.g. for a digital photo the creation time would note when the photo was taken or first stored on a computer. A different approach is for creation times to stand for when the file system object itself was created, e.g. when the photo file was last restored from a backup or moved from one disk to another.

Metadata issues

As with all file system metadata, user expectations about MAC times can be violated by programs which are not metadata-aware. Some file-copying utilities will explicitly set MAC times of the new copy to match those of the original file, while programs that simply create a new file, read the contents of the original, and write that data into the new copy, will produce new files whose times do not match those of the original.

Some programs, in an attempt to avoid losing data if a write operation is interrupted, avoid modifying existing files. Instead, the updated data is written to a new file, and the new file is moved to overwrite the original. This practice loses the original file metadata unless the program explicitly copies the metadata from the original file. Windows is not affected by this due to a workaround feature called File System Tunneling.[8]

See also

References

  1. Luque, Mark E. (2002). "Logical Level Analyses of Linux Systems". In Casey, E. (ed.). Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 182–183. ISBN 0-12-163103-6.
  2. Sheldon (2002). "Forensic Analyses of Windows Systems". In Casey, E. (ed.). Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 134–135. ISBN 0-12-163103-6.
  3. Dan Farmer (October 1, 2000). "What Are MACtimes?". Dr Dobb's Journal.
  4. "File Times". Microsoft MSDN Library.
  5. "File Times". Microsoft MSDN Library.
  6. "Disabling Last Access Time in Windows Vista to improve NTFS performance". The Storage Team at Microsoft.
  7. Thierry, Aurélien; Müller, Tilo (April 2022). "A systematic approach to understanding MACB timestamps on Unix-like systems". Forensic Science International: Digital Investigation. 40, Supplement: 301338. doi:10.1016/j.fsidi.2022.301338. S2CID 247735761.
  8. "Windows NT Contains File System Tunneling Capabilities". Microsoft Support.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.