Filesystem Timestamps: What Makes Them Tick?
SANS published a fresh white paper by Richard Carbone. Here is the abstract:
The purpose of this paper is to delve into how file system timestamps work not only between NTFS, FAT32 and exFAT, but also between Windows Operating Systems. Currently, much disparaging information remains concerning file system analysis. The purpose of this research paper is to assist in putting together the work of the foremost experts in filesystem analysis concerning Created, Modified Changed, File Modified and Access dates and how they work across the spectrum of Microsoft Operating Systems. This information will be gathered from the three main file systems used by Microsoft. The functioning of these timestamps has a direct impact on both the findings and reporting conducted by forensicators in their day-to-day examinations. This paper hopes to serve as a centralized source of information in order to assist others with the necessary knowledge and understanding they need to correctly conduct digital forensic examinations.