Digital Forensics: How to View Timestamps in Mac OS

Digital Forensics: How to View Timestamps in Mac OS

MAC times

MAC times are a form of metadata that record when files were created, modified and accessed and are named as follows:

•     Created time: ctime
•     Modification time: mtime
•     Access time: atime

You should be aware that the MAC times differ by file system and operating system and this can impact a forensic investigation when creation times are required for analysis from Windows and UNIX machines.

 The three timestamps are:

• Access time (atime) - the last time the file was read
• Modify time (mtime) - the last time the file contents were changed
• Change time (ctime) - the last time the file permissions were changed

Digital Forensics Examiner

 stat -x filename

Stat -x filename

Download  MAC Times, Mac Times, and More - SANS Digital Forensics & Incident Response Summit 2017

MAC Times ,Mac TImes

MacOS HFS+ TIme Stamps

HFS+FILE Summary

 

UNIX and Windows variations on MAC time

Traditional UNIX systems differ from Windows systems in their use of ctime. Windows systems record the time and date when the file was created as the ctime, but UNIX systems do not record the creation date and time. Instead, they use ctime as the time the file status last changed. UNIX systems function this way because creation time is not a requirement in POSIX. Macintosh systems that are based on UNIX have implemented a birth time (btime) in their HFS file system. Later file systems including EXT4, Btrfs and JFS store the creation time.

ที่มา:
https://bit.ly/2NlsAxC
https://bit.ly/2YNLCBp

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud