I understand NTFS file timestamp metadata includes the following:

  • Created
  • Accessed
  • Modified

This data is accessible in the Windows Explorer UI and elsewhere.

However, I believe the timestamp metadata includes

  • Changed

Apparently the Changed timestamp is when the file's master file table entry was changed (see https://app.pluralsight.com/library/courses/digital-forensics-file-systems-getting-started/).

How can I get access to this value?

  • Do you need access specifically through Windows APIs?
  • Ultimately, yes maybe. However, initially I'd just like to see its value to see if it helps what I'm trying to do. I have an installation that puts files on the machine with Created dates in the past. I wanted to have a look at the Changed timestamp and see if it gives a more useful value.
  • I've posted a question related to the Created date superuser.com/questions/1381364/…

According to my findings, the file Change Time field, also called the MFT Timestamp, is not retrieved by the standard API functions, which only return the three standard times: created, modified and accessed.

To get the Change Time, you need to read the MFT entry of the file and analyze it yourself.

You will find an example PowerShell script that retrieves all MFT data on TechNet: Get MFT (ChangeTime) Timestamp of a file (download link).

An explanation of this script by the author is found in the article: Finding a File’s MFT Timestamp using PowerShell.

  • Thanks. This answer led me to docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/… which returns a structure containing a ChangeTime value that in tests so far has correctly identified the date the files were put on the file system.
  • The script only works in PowerShell 5.1, and I had to cast [FileBasicInformation] to [System.Type] as per this page to fix the "structure must be blittable or have layout information" error.
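An added example, not code from the thread or from the TechNet script: a PowerShell function that reads ChangeTime through the NtQueryInformationFile / FileBasicInformation call the comments point at, instead of parsing the $MFT by hand. The names NtfsTimes and Get-NtfsTimestamps are my own; the FILE_BASIC_INFORMATION layout, the FileBasicInformation class value (4) and the CreateFile constants are Microsoft's documented values. Doing the Marshal.SizeOf call inside the compiled C# sidesteps the "blittable or layout information" overload problem described in the comment above, and it runs on PowerShell 5.1 (the C# is kept to C# 5 syntax for the legacy Add-Type compiler).

```powershell
# Added example (assumed names: NtfsTimes, Get-NtfsTimestamps). Queries all four NTFS
# timestamps, including the ChangeTime that GetFileTime / Get-Item never expose.
$source = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class NtfsTimes
{
    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }

    // FILE_BASIC_INFORMATION: four FILETIME values (100 ns ticks since 1601, UTC) plus attributes.
    [StructLayout(LayoutKind.Sequential)]
    public struct FILE_BASIC_INFORMATION
    {
        public long CreationTime;
        public long LastAccessTime;
        public long LastWriteTime;
        public long ChangeTime;      // MFT record change time; not returned by the Win32 file-time APIs
        public uint FileAttributes;
    }

    public struct Timestamps { public DateTime Created, Accessed, Modified, Changed; }

    const int  FileBasicInformation       = 4;           // FILE_INFORMATION_CLASS value
    const uint FILE_READ_ATTRIBUTES       = 0x80;        // enough to query times; does not modify the record
    const uint FILE_SHARE_ALL             = 0x7;         // READ | WRITE | DELETE, so in-use files still open
    const uint OPEN_EXISTING              = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;  // lets CreateFile open directories as well

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share, IntPtr sa,
                                             uint disposition, uint flags, IntPtr template);

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationFile(SafeFileHandle handle, out IO_STATUS_BLOCK iosb,
                                             out FILE_BASIC_INFORMATION info, int length, int infoClass);

    public static Timestamps GetTimestamps(string path)
    {
        using (SafeFileHandle h = CreateFileW(path, FILE_READ_ATTRIBUTES, FILE_SHARE_ALL, IntPtr.Zero,
                                              OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero))
        {
            if (h.IsInvalid) throw new Win32Exception(Marshal.GetLastWin32Error());
            IO_STATUS_BLOCK iosb;
            FILE_BASIC_INFORMATION info;
            int status = NtQueryInformationFile(h, out iosb, out info,
                                                Marshal.SizeOf(typeof(FILE_BASIC_INFORMATION)),
                                                FileBasicInformation);
            if (status < 0)   // NTSTATUS: negative values are failures
                throw new InvalidOperationException("NtQueryInformationFile failed: 0x" + status.ToString("X8"));
            Timestamps t;
            t.Created  = DateTime.FromFileTimeUtc(info.CreationTime);
            t.Accessed = DateTime.FromFileTimeUtc(info.LastAccessTime);
            t.Modified = DateTime.FromFileTimeUtc(info.LastWriteTime);
            t.Changed  = DateTime.FromFileTimeUtc(info.ChangeTime);
            return t;
        }
    }
}
'@

# Compile once per session; Add-Type errors if the type already exists.
if (-not ('NtfsTimes' -as [type])) { Add-Type -TypeDefinition $source }

function Get-NtfsTimestamps {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $t = [NtfsTimes]::GetTimestamps($full)
    [pscustomobject]@{
        Path     = $full
        Created  = $t.Created
        Accessed = $t.Accessed
        Modified = $t.Modified
        Changed  = $t.Changed   # all values are UTC
    }
}

# Usage: compare Changed with the other three. Win32 SetFileTime has no parameter for
# ChangeTime, so files back-dated through that API keep a Changed value reflecting when
# the MFT record was last written, which is the pattern the question is looking for.
Get-NtfsTimestamps -Path "$env:SystemRoot\notepad.exe" | Format-List
```

Opening with FILE_READ_ATTRIBUTES only is deliberate: the query itself must not update the record it is inspecting. FILE_FLAG_BACKUP_SEMANTICS makes the same function work for directories, and the NTSTATUS check uses the sign of the value because warning codes (for example from a reparse point) are non-negative.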