CPT 499C Lecture 8 NTFS dates and times

NTFS Dates & Times
DEPARTMENT OF COMPUTER & INFORMATION TECHNOLOGY

Slide 1
File Dates and Times in NTFS

Slide 2
Learning Objectives
• The student will be able to
  – Describe how date and time information is stored in MFT records
  – Describe the default operating system rules for updates to dates and times
  – Identify conditions that may unexpectedly change dates and times

Slide 3
An Important Tip:
ALWAYS test conclusions drawn regarding dates and times
  – Under the conditions
  – Using the same OS
  – Using the same applications
as the suspect’s drive

Slide 4
Storing Date and Time Info
• Two attributes store Date and Time info:
• $FILENAME
  – Indicates changes to filename attribute
  – Not always updated
• $STANDARD_INFORMATION
  – Tracks changes to file*
  – This is the value that will be examined

Slide 5
Storing Date and Time Info
• 4 values are stored
  – Creation Date & Time
  – Modification Date & Time
  – MFT Last Modified Date & Time
  – Last Access Date & Time
• Values stored in 64 bit format
  – “Little Endian”
  – 64 bit number represents complete date and time

Slide 6
Some minutiae…
• The 64 bit value represents the number of 100 nanosecond intervals (1 tenth of a microsecond) that have passed since 12:00:00 AM January 1, 1601. The operating system evaluates this number, converts to seconds, minutes, hours, years, and adds it to 12 AM Jan 1 1601 (GMT). The number stored on disk is always referenced to GMT.
• For example, the 64 bit hex value 989680, stored in reverse byte order (little endian) as 80 96 98 00 00 00 00 00 on the disk (equivalent to 10,000,000 decimal) would indicate 1 second after Midnight on January 1, 1601.

Slide 7
Storing Date and Time Info
• 4 Values
  – Stored in $STANDARD_INFORMATION
  – Date and Time both stored as single value

Slide 8
Date and Time in MFT Record
Creation Date and Time

Slide 9
Date and Time in MFT Record
Modification Date and Time
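The decoding that Slides 5 and 6 describe, as an added Python example (not part of the original lecture): it unpacks the little-endian 64 bit value, converts it to a GMT/UTC date, and reads the four timestamps in the order the slides list them. The function names and the sample bytes are constructed for illustration, and the code assumes the four values sit back to back, 8 bytes each, at the start of the $STANDARD_INFORMATION content.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # zero point of the count (GMT/UTC)
TICKS_PER_SECOND = 10_000_000                           # 100 ns intervals in one second

# Assumed layout: the four values in slide order, 8 bytes each, at content offset 0.
SI_FIELDS = ("created", "modified", "mft_modified", "accessed")


def decode_filetime(raw: bytes):
    """Decode 8 on-disk bytes into (UTC datetime, leftover 100 ns ticks)."""
    if len(raw) != 8:
        raise ValueError("an NTFS timestamp is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)    # "<Q" = little-endian unsigned 64 bit
    micros, sub_us = divmod(ticks, 10)     # datetime only resolves to 1 microsecond
    try:
        return EPOCH_1601 + timedelta(microseconds=micros), sub_us
    except OverflowError:
        # Garbage or wiped fields can decode to a date Python cannot represent.
        raise ValueError(f"tick count {ticks:#x} is beyond year 9999") from None


def parse_si_times(content: bytes) -> dict:
    """Return the four timestamps from the start of $STANDARD_INFORMATION content."""
    if len(content) < 32:
        raise ValueError("need at least 32 bytes (4 timestamps x 8 bytes)")
    return {name: decode_filetime(content[i * 8:i * 8 + 8])[0]
            for i, name in enumerate(SI_FIELDS)}


def encode_filetime(dt: datetime) -> bytes:
    """Inverse of decode_filetime, used here only to build the sample bytes."""
    delta = dt - EPOCH_1601
    whole = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
    return struct.pack("<Q", whole + delta.microseconds * 10)


# Constructed sample: 32 bytes as they would appear at the start of the content.
SAMPLE_SI = b"".join(
    encode_filetime(datetime(2011, 3, day, 14, 30, tzinfo=timezone.utc))
    for day in (1, 2, 2, 5))

if __name__ == "__main__":
    print(decode_filetime(bytes.fromhex("8096980000000000")))  # example from Slide 6
    for name, value in parse_si_times(SAMPLE_SI).items():
        print(f"{name:13} {value.isoformat()}")
```

The decoded values are GMT, as the slides state; any local-time offset has to be applied separately and documented when reporting.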