MAC times

From Wikipedia, the free encyclopedia

MAC times are pieces of file system metadata identifying when certain events pertaining to a computer file occurred most recently. The events are usually described as "modification", "access", and "creation", although the acronym is derived from the "mtime", "atime", and "ctime" structures maintained by most file systems. MAC times are commonly used in computer forensics.

Contents 1 Modification time (mtime) 2 Access time (atime) 3 ctime and Creation time 4 Metadata issues 5 References 6 See also 7 External links

[edit] Modification time (mtime)

A file's modification time described when the content of the file most recently changed. Because most file systems do not compare data written to a file with what is already there, if a program overwrites part of a file with the same data as previously existed in that location, the modification time will be updated even though the contents did not technically change.

[edit] Access time (atime)

A file's access time identifies when the file was most recently opened for reading. A running program can maintain a file as "open" for some time, so the time at which a file was opened may differ from the time data was most recently read from the file.

Access times are usually updated even if only a small portion of a large file is examined. Windows explorer is known to open many files when searching for icons to represent those files, and the number of MAC time updates can cause significant performance overhead in Windows systems. Disabling NTFS access time updating can eliminate this problem.

[edit] ctime and Creation time

Many file systems also maintain "ctime" data for each file, which records when certain file metadata was last changed. This metadata is rarely altered after file creation, so ctime usually corresponds with the notion of the file's time of creation. Some file systems store actual creation time (also called birth time) separately.

The semantics of creation times is the source of some controversy. One view is that creation times should refer to the actual content of a file: e.g. for a digital photo the creation time would note when the photo was taken or first stored on a computer. A different approach is for creation times to stand for when the file system object itself was created, e.g. when the photo file was last restored from a backup or moved from one disk to another.

[edit] Metadata issues

As with all file system metadata, user expectations about MAC times can be violated by programs which are not metadata-aware. Some file-copying utilities will explicitly set MAC times of the new copy to match those of the original file. Programs which simply create a new file, read the contents of the original, and write that data into the new copy, will produce new files whose ctimes do match those of the original.

Some programs, in an attempt to avoid losing data if a write operation is interrupted, avoid modifying existing files. Instead, the updated data is written to a new file, and the new file is moved to overwrite the original. This practice also loses the original ctime and creation time metadata.

[edit] References

• Casey: Computer Crime Investigation. Luque: Logical Level Analyses of Linux Systems: p 182-183. Sheldon: Forensic Analyses of Windows Systems p 134-135. ISBN 0-12-163103-6.

[edit] See also

• Computer forensics

[edit] External links

• Manual for a common program to edit a file's timestamps