CPT 499C Lecture 8 NTFS dates and times


NTFS Dates & Times Slide 1 DEPARTMENT OF COMPUTER & INFORMATION TECHNOLOGY
File Dates and Times in NTFS

Slide 2: Learning Objectives
The student will be able to:
- Describe how date and time information is stored in MFT records
- Describe the default operating system rules for updates to dates and times
- Identify conditions that may unexpectedly change dates and times

Slide 3: An Important Tip
ALWAYS test conclusions drawn regarding dates and times
- Under the conditions
- Using the same OS
- Using the same applications
as the suspect's drive.

Slide 4: Storing Date and Time Info
Two attributes store date and time info:
- $FILENAME
  - Indicates changes to filename attribute
  - Not always updated
- $STANDARD_INFORMATION
  - Tracks changes to file*
* This is the value that will be examined

Slide 5: Storing Date and Time Info
4 values are stored:
- Creation Date & Time
- Modification Date & Time
- MFT Last Modified Date & Time
- Last Access Date & Time
Values stored in 64 bit format:
- Little Endian
- 64 bit number represents complete date and time

Slide 6: Some minutiae
The 64 bit value represents the number of 100 nanosecond intervals (1 tenth of a microsecond) that have passed since 12:00:00 AM January 1, 1601. The operating system evaluates this number, converts to seconds, minutes, hours, years, and adds it to 12 AM Jan 1 1601 (GMT). The number stored on disk is always referenced to GMT.
For example, the 64 bit hex value 989680, stored in reverse byte order (little endian) as 80 96 98 00 00 00 00 00 on the disk (equivalent to 10,000,000 decimal), would indicate 1 second after midnight on January 1, 1601.

Slide 7: Storing Date and Time Info
- 4 values stored in $STANDARD_INFORMATION
- Date and time both stored as single value

Slide 8: Date and Time in MFT Record
Creation Date and Time

Slide 9: Date and Time in MFT Record
Modification Date and Time

NTFS Dates & Times...
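The 64 bit encoding described on the "Some minutiae" slide, as an added example in Python that is not part of the original lecture: it decodes the slide's bytes 80 96 98 00 00 00 00 00 and then the four timestamps from a constructed 32-byte $STANDARD_INFORMATION buffer. The function names and sample dates are assumptions, as is the placement of the four values at offsets 0, 8, 16 and 24 of the attribute content, which the slides do not state.

```python
import struct
from datetime import datetime, timedelta, timezone

NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # 12:00:00 AM Jan 1, 1601 GMT
SI_FIELDS = ("created", "modified", "mft_modified", "accessed")  # order from the slides


def decode_filetime(raw8):
    """Return (UTC datetime or None, leftover 100 ns ticks) for 8 on-disk bytes."""
    if len(raw8) != 8:
        raise ValueError("an NTFS timestamp is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw8)  # "<Q" = little-endian unsigned 64-bit
    micros, leftover = divmod(ticks, 10)  # datetime resolves 1 us = 10 ticks
    try:
        return NTFS_EPOCH + timedelta(microseconds=micros), leftover
    except OverflowError:  # past year 9999: corrupt or not a timestamp
        return None, leftover


def encode_filetime(dt):
    """Inverse of decode_filetime, used here only to build the sample record."""
    delta = dt - NTFS_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def parse_si_times(content):
    """Decode the four timestamps at offsets 0, 8, 16, 24 (assumed layout)."""
    if len(content) < 32:
        raise ValueError("need at least 32 bytes of $STANDARD_INFORMATION content")
    return {name: decode_filetime(content[i * 8:(i + 1) * 8])[0]
            for i, name in enumerate(SI_FIELDS)}


SLIDE_BYTES = bytes.fromhex("8096980000000000")  # the slide's example, 0x989680

# Constructed sample values (not taken from any real MFT record).
SAMPLE_TIMES = [datetime(2007, 9, 4, 14, 30, 0, tzinfo=timezone.utc),
                datetime(2007, 9, 5, 9, 15, 30, 500000, tzinfo=timezone.utc),
                datetime(2007, 9, 5, 9, 15, 31, tzinfo=timezone.utc),
                datetime(2007, 9, 6, 8, 0, 0, tzinfo=timezone.utc)]
SAMPLE_SI = b"".join(encode_filetime(t) for t in SAMPLE_TIMES)

if __name__ == "__main__":
    print(decode_filetime(SLIDE_BYTES)[0].isoformat())
    for name, when in parse_si_times(SAMPLE_SI).items():
        print(f"{name:13} {when.isoformat()}")
```

The decoded values are UTC; convert to the examined system's time zone only for display, and keep the leftover ticks if sub-microsecond precision matters when comparing timestamps.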

This note was uploaded on 02/29/2012 for the course CNIT 499 taught by Professor Timwedge during the Fall '07 term at Purdue University-West Lafayette.
