MAC times in computer forensics

Written by: Eric Vanderburg

MAC times are a form of metadata that record when files were created, modified and accessed and are named as follows:

  • Created time: ctime
  • Modification time: mtime
  • Access time: atime

You should be aware that the MAC times differ by file system and operating system, and this can impact a forensic investigation if creation times are required for analysis from Windows and UNIX machines. Traditional UNIX systems differ from Windows systems in their use of ctime. Windows systems record the time and date when the file was created as the ctime, but UNIX systems do not record the creation date and time. Instead, they use ctime as the time the file status last changed. UNIX systems function this way because creation time is not a requirement in POSIX. Macintosh systems that are based on UNIX have implemented a birth time (btime) in their HFS file system. Later file systems including EXT4, Btrfs and JFS store the creation time.
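The ctime difference described above is easy to verify on a live system. The following script is an added example (not part of the original article): it reads the timestamps the OS reports for a constructed sample file, changes only the file's permission bits, and reports which timestamps moved. On a POSIX system the ctime advances while mtime stays put; on Windows, where ctime is the creation time, it does not.

```python
import os
import stat
import tempfile
import time


def mac_times(path):
    """Return the MAC times the OS reports for `path`, plus the birth time
    where the platform exposes one (st_birthtime on macOS/BSD; not on Linux)."""
    st = os.stat(path)
    times = {
        "mtime": st.st_mtime,  # content last modified
        "atime": st.st_atime,  # last accessed (often lazy or disabled)
        "ctime": st.st_ctime,  # Windows: creation; POSIX: last status change
    }
    btime = getattr(st, "st_birthtime", None)
    if btime is not None:
        times["btime"] = btime
    return times


def timestamps_moved_by_chmod(path):
    """Flip the owner execute bit (a metadata-only change) and report, per
    timestamp, whether it changed. No content is written, so mtime must not
    move; on POSIX the inode status change is what ctime records."""
    before = mac_times(path)
    time.sleep(1.1)  # stay clear of coarse timestamp resolution
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode ^ stat.S_IXUSR)  # always differs from the old mode
    after = mac_times(path)
    return {name: after[name] != before[name] for name in before}


def run_demo():
    """Create a constructed sample file in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "evidence.txt")
        with open(sample, "w") as fh:
            fh.write("constructed sample file\n")
        return timestamps_moved_by_chmod(sample)


if __name__ == "__main__":
    for name, moved in run_demo().items():
        print(f"{name}: {'changed' if moved else 'unchanged'}")
```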

Windows systems can be configured to stop tracking the modification MAC time by changing the value of the following registry key from 0 to 1.

TCDI | Computer Forensics | Cybersecurity | Litigation Technology