
I understand that there are 8 NTFS timestamps

http://www.governmentsecurity.org/forum/topic/30896-frustrating-ntfs-time-stamp-forensics/

NTFS MACE (Modified, Accessed, Created and MFT Entry modified) values. NTFS comes with 8 timestamp values, 4 of which reside in the $STANDARD_INFORMATION attribute (SI) and the other 4 in the $FILE_NAME (FN) attribute of the MFT entry.

How can I display all 8?


1 Answer


This command can do it

MFTRCRD.exe c:\crp\a.a -d indxdump=off 1024 -s

As for how I knew the parameters, well, running MFTRCRD on its own said there are 4 parameters and gave an example of MFTRCRD C:\boot.ini -d indxdump=off 1024 -s, so you can change it for whatever filename/path.

C:\blah>MFTRCRD.exe c:\crp\a.a -d indxdump=off 1024 -s

Starting MFTRCRD by Joakim Schicht
Version 1.0.0.37

Target is a File
Filesystem on c: is NTFS
File IndexNumber: 64587
............................
$STANDARD_INFORMATION 1:
File Create Time (CTime): 2014-12-06 03:49:51:714:3290
File Modified Time (ATime): 2015-09-15 16:23:33:791:7170
MFT Entry modified Time (MTime): 2015-09-15 16:23:33:791:7170
File Last Access Time (RTime): 2014-12-06 03:49:51:794:3335
...........

$FILE_NAME 1:
Parent MFTReference: 80564
ParentSequenceNo: 10
File Create Time (CTime): 2014-12-06 03:49:51:714:3290
File Modified Time (ATime): 2014-12-06 03:49:51:794:3335
MFT Entry modified Time (MTime): 2014-12-06 03:49:51:794:3335
File Last Access Time (RTime): 2014-12-06 03:49:51:794:3335

(Note: those abbreviations from MFTRCRD, ATime for modified and others like RTime, look really absurd, e.g. googling RTime doesn't show anything. So you can ignore the abbreviations that command gives you and go by the descriptions. But there are abbreviations that Linux uses (MAC) and that Windows NTFS uses (MACE), which I describe below.)

Linux does not store the time the file was created (updated: some modern Linux file systems do; see the note at the end). Windows does store creation time.

It looks like Linux has 3 times, the MAC times: mtime, atime, ctime. In Linux, ctime is the changed time rather than the creation time, and the 'changed' time in Linux is different from the file being modified (the modified time). The changed time in Linux is when the entry in the file system got changed, e.g. when, or even when only, the file permissions change, the ctime in Linux changes.

Windows NTFS uses MACE, and the C in MACE is creation. The E in MACE seems to be like the c in Linux, i.e. the E in MACE is the entry being changed.

http://forensicswiki.org/wiki/MAC_times

MAC times: The term MAC times refers to the timestamps of the latest modification (mtime) or last written time, access (atime) or change (ctime) of a certain file.

Unix systems maintain the historical interpretation of ctime as the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was changed on 05/05/02 12:15pm').

Windows systems are the only systems that use birth (btime) or creation (crtime) time (e.g. 'This file was created on 05/05/02 12:15pm'). Hence MACB; Modification, Access, Change and Birth.

A further look at Linux, for contrast, is beneficial.

http://www.linux-faqs.info/general/difference-between-mtime-ctime-and-atime

A common mistake is that ctime is the file creation time. This is not correct; it is the inode/file change time. mtime is the file modification time. An often-heard question is "What is the ctime, mtime and atime?". This is confusing, so let me explain the difference between ctime, mtime and atime.

ctime

ctime is the inode or file change time. The ctime gets updated when the file attributes are changed, like changing the owner, changing the permission or moving the file to another filesystem, but will also be updated when you modify a file.

mtime

mtime is the file modify time. The mtime gets updated when you modify a file. Whenever you update content of a file or save a file the mtime gets updated.

Most of the time ctime and mtime will be the same, unless only the file attributes are updated. In that case only the ctime gets updated.

atime

atime is the file access time. The atime gets updated when you open a file but also when a file is used for other operations like grep, sort, cat, head, tail and so on.

Cygwin can show 4 timestamps, as can timestomp:

c:\blah>timestomp a.a -v
Modified:                 Tuesday 9/15/2015 17:23:33
Accessed:                Saturday 12/6/2014 4:49:51
Created:                 Saturday 12/6/2014 4:49:51
Entry Modified:           Tuesday 9/15/2015 17:23:33

-

$ stat a.a
  File: 'a.a'
  Size: 45              Blocks: 4          IO Block: 65536  regular file
Device: b411d580h/3021067648d   Inode: 102738366499454027  Links: 1
Access: (0070/----rwx---)  Uid: ( 1000/  harvey)   Gid: (  513/    None)
Access: 2014-12-06 03:49:51.794333500 +0000
Modify: 2015-09-15 17:23:33.791717000 +0100
Change: 2015-09-15 17:23:33.791717000 +0100
 Birth: 2014-12-06 03:49:51.714329000 +0000

Apparently setMACE is like timestomp but better. However, I can't see it showing the 8 timestamps. And the setMACE description mentioned MFTRCRD, which shows the timestamps.

You can get MFTRCRD from here https://github.com/jschicht/MftRcrd

GitHub seems to be a bit odd: don't right-click and Save As, otherwise it's an HTML file with extension EXE, and when you try to run it on cmd you get an error on cmd about 64-bit and 32-bit. Try left-clicking it; then the next page gives you a download of the actual file. And you need to be in an administrative command prompt, otherwise you get a message asking whether you trust programs from this publisher, and if you say yes then a cmd window flashes up and goes (with or without cmd /k). But it works fine from an administrative cmd prompt.

ADDED

Some modern Linux file systems store file creation time (it may be known as crtime; definitely not ctime, for the reasons mentioned above).

https://unix.stackexchange.com/questions/91197/how-to-find-creation-date-of-file
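An added example, not part of the answer above or of MFTRCRD: a small Python parser that reads the same eight values directly from a raw 1024-byte MFT record, so you can see where MFTRCRD gets them. It walks the attribute list, applies the update-sequence fixups first (without that, the last two bytes of every 512-byte sector of the record are the USN rather than real data), and decodes the four FILETIMEs in $STANDARD_INFORMATION and the four in $FILE_NAME. The record it parses is constructed in code to mirror the MFTRCRD output shown earlier; it is not real disk data, and the file name, parent reference and sizes are made up to match that output. The reason a practitioner wants both sets is the one the answer hints at with setMACE/timestomp: SetFileTime-based tools change the $STANDARD_INFORMATION times, while the $FILE_NAME times are maintained by the driver, so a $FN set that is later than the $SI set is a classic sign of tampering.

```python
"""Read the eight NTFS MACE timestamps from a raw MFT record (added example)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
TIMESTAMP_NAMES = ("created", "modified", "mft_modified", "accessed")  # on-disk order in both attributes


def filetime_to_str(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS.fffffff'."""
    secs, frac = divmod(ticks, 10_000_000)
    return f"{FILETIME_EPOCH + timedelta(seconds=secs):%Y-%m-%d %H:%M:%S}.{frac:07d}"


def datetime_to_filetime(dt, extra_ticks=0):
    """Inverse of filetime_to_str; extra_ticks supplies the sub-microsecond digit."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10 + extra_ticks


def apply_fixups(record, sector_size=512):
    """Undo the update sequence array: on disk the last two bytes of each sector hold the USN,
    and the bytes they displaced live in array entries 1..count-1."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or not an MFT record")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def iter_resident_attributes(record):
    """Yield (type, content) for each resident attribute of a fixed-up record."""
    off = struct.unpack_from("<H", record, 0x14)[0]          # offset of the first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:                 # end-of-attributes marker
            break
        if record[off + 8] == 0:                             # non-resident flag clear
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            yield atype, record[off + coff:off + coff + clen]
        off += alen


def mace_timestamps(record):
    """Return {'$STANDARD_INFORMATION': {...}, '$FILE_NAME': {...}} holding all eight MACE values.
    Only the first $FILE_NAME is kept; a file with a DOS 8.3 name carries a second one."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    record = apply_fixups(record)
    out = {}
    for atype, content in iter_resident_attributes(record):
        if atype == ATTR_STANDARD_INFORMATION:
            key, base = "$STANDARD_INFORMATION", 0
        elif atype == ATTR_FILE_NAME:
            key, base = "$FILE_NAME", 8                      # the FILETIMEs follow the 8-byte parent reference
        else:
            continue
        if key in out:
            continue
        fields = dict(zip(TIMESTAMP_NAMES, map(filetime_to_str, struct.unpack_from("<4Q", content, base))))
        if atype == ATTR_FILE_NAME:
            ref = struct.unpack_from("<Q", content)[0]       # low 48 bits: MFT number, high 16: sequence
            fields["parent_mft"], fields["parent_seq"] = ref & 0xFFFFFFFFFFFF, ref >> 48
        out[key] = fields
    return out


def _resident_attr(atype, content):
    """Nameless resident attribute: 0x18-byte header + content, total length rounded up to 8."""
    body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + content
    body += b"\0" * (-len(body) % 8)
    return body[:4] + struct.pack("<I", len(body)) + body[8:]


def sample_record():
    """Constructed record (not real disk data) mirroring the MFTRCRD output in the answer."""
    utc = timezone.utc
    created = datetime_to_filetime(datetime(2014, 12, 6, 3, 49, 51, 714329, utc))
    accessed = datetime_to_filetime(datetime(2014, 12, 6, 3, 49, 51, 794333, utc), extra_ticks=5)
    modified = datetime_to_filetime(datetime(2015, 9, 15, 16, 23, 33, 791717, utc))
    si = struct.pack("<4Q", created, modified, modified, accessed) + struct.pack("<6I2Q", 0x20, 0, 0, 0, 0, 0, 0, 0)
    name = "a.a".encode("utf-16-le")                          # assumed name; 80564/10 is the parent ref shown
    fn = (struct.pack("<Q", (10 << 48) | 80564) + struct.pack("<4Q", created, accessed, accessed, accessed)
          + struct.pack("<QQIIBB", 48, 45, 0x20, 0, len(name) // 2, 1) + name)
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si) + _resident_attr(ATTR_FILE_NAME, fn)
             + b"\xff\xff\xff\xff\0\0\0\0")
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", usa_off, usa_count, 0, 1, 1, first_attr, 1,
                                   first_attr + len(attrs), 1024, 0, 2, 0, 64587)
    rec = bytearray(header + b"\0" * (first_attr - len(header)) + attrs)
    rec += b"\0" * (1024 - len(rec))
    usn = b"\x11\x22"                                         # apply fixups the way the driver does on write
    rec[usa_off:usa_off + 6] = usn + rec[510:512] + rec[1022:1024]
    rec[510:512] = rec[1022:1024] = usn
    return bytes(rec)


if __name__ == "__main__":
    for attr, fields in mace_timestamps(sample_record()).items():
        print(attr)
        for k, v in fields.items():
            print(f"  {k:13} {v}")
```

To run it against a real file, feed `mace_timestamps` the 1024 bytes of the record at `MFT offset + IndexNumber * 1024` (read from a raw volume handle such as `\\.\C:` opened as administrator); the fixup check will raise on anything that is not an intact record. Times print in UTC with seven fractional digits, which is why the sample shows 16:23 where timestomp and Cygwin `stat` above show 17:23 local time.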

  • You just beat me. I was about to answer github.com/jschicht/Mft2Csv/wiki/Mft2Csv ;)
    – DavidPostill
    Commented Sep 15, 2015 at 21:31
  • @DavidPostill well, MFTRCRD is better for this, as I don't want to be opening up excel just to view timestamps for one individual file. Mft2Csv is good but for viewing for more than just one file.
    – barlop
    Commented Sep 16, 2015 at 3:29
  • @DavidPostill if you were planning on posting an answer even half as long as the one I did / one that adds any more info that is too much for a comment, then an answer from you may still be useful!
    – barlop
    Commented Sep 16, 2015 at 21:54
  • may be relevant forensicswiki.org/wiki/MAC_times
    – barlop
    Commented Apr 23, 2016 at 19:00
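A second added example, again not from the answer or its sources, for the Linux side of the comparison (the mtime/ctime/atime explanation quoted from linux-faqs.info above). It performs a write, a chmod, a read and a utime on a temporary file and records which of the three timestamps each operation moved. Two things it shows that the quoted text does not: the kernel bumps ctime on every utime() call, so a timestomp-style reset of mtime/atime leaves ctime pointing at the moment of tampering, and whether a plain read moves atime at all depends on the mount's atime policy (relatime/noatime), so a stale atime proves nothing. The file name and content are constructed; nothing here depends on a real case.

```python
"""Watch Linux atime, mtime and ctime move under write, chmod, read and utime (added example)."""
import os
import stat
import tempfile
import time

UTIME_TARGET = 1_000_000_000          # 2001-09-09 01:46:40 UTC, an arbitrary "old" time to stomp in


def file_times(path):
    """atime/mtime/ctime in nanoseconds; birth time only where os.stat exposes it (macOS/BSD)."""
    st = os.stat(path)
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
            "birth": getattr(st, "st_birthtime", None)}


def timestamp_experiment(path):
    """Run the operations on `path` and return [(step, times_after_step), ...]."""
    steps = []
    with open(path, "w") as f:
        f.write("hello\n")                               # constructed content
    steps.append(("write", file_times(path)))
    time.sleep(0.1)                                      # get past the kernel's coarse timestamp granularity

    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)          # metadata only: ctime moves, mtime stays
    steps.append(("chmod", file_times(path)))
    time.sleep(0.1)

    with open(path) as f:
        f.read()                                         # under relatime atime moves only because the chmod
    steps.append(("read", file_times(path)))             # just pushed ctime past it; under noatime, never
    time.sleep(0.1)

    os.utime(path, (UTIME_TARGET, UTIME_TARGET))         # atime/mtime are set as asked; ctime is forced to now
    steps.append(("utime", file_times(path)))
    return steps


def changed_fields(before, after):
    """Names of the timestamps that differ between two file_times() snapshots."""
    return sorted(k for k in ("atime", "mtime", "ctime") if before[k] != after[k])


def run():
    """Create a scratch file, run the experiment, print a one-line summary per step, return the steps."""
    with tempfile.TemporaryDirectory() as d:
        steps = timestamp_experiment(os.path.join(d, "a.a"))
    for (name, now), (_, prev) in zip(steps[1:], steps):
        print(f"{name:6} changed: {', '.join(changed_fields(prev, now)) or 'nothing'}")
    return steps


if __name__ == "__main__":
    run()
```

The `utime` line is the one to remember when reading a Linux `stat` output like the Cygwin one above: Modify and Access can be set to anything by an unprivileged owner, Change cannot, so a Change time later than Modify is worth a second look.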

