Understanding Filesystem Timelines in Digital Forensics
- Mar 3, 2024
- 3 min read
Updated: Feb 17, 2025
When it comes to digital forensics, one of the most valuable tools in an investigator’s arsenal is the filesystem timeline. This technique allows forensic analysts to reconstruct events by examining file metadata, helping to determine when files were created, modified, accessed, or deleted.
What is a Filesystem Timeline?
A filesystem timeline is a chronological record of file and directory activities within a given storage volume. It includes both allocated and unallocated metadata structures, which means it can provide insights into deleted or orphaned files as well.
Different filesystems store timestamps in unique ways, but most record four essential time values:
M (Modification Time): When the file’s content was last changed.
A (Access Time): The last time the file was opened or accessed.
C (Change Time): When the metadata of the file (like permissions, ownership, or name) was altered.
B (Birth Time or Creation Time): When the file was initially created on the system.
Supported Filesystems for Timeline Analysis
Modern forensic tools can parse timelines from various filesystem types, including:
NTFS (Windows)
FAT12/16/32 (Older Windows systems, external storage devices)
EXT2/3/4 (Linux)
ISO9660 (CD/DVD media)
HFS+ (Mac systems)
UFS1 & UFS2 (Unix-based systems)
NTFS Timestamps – The Gold Standard in Windows Forensics
The NTFS filesystem, used in most Windows environments, maintains four key timestamps (MACB). However, two timestamps often confuse beginners:
Change Time (C): Updated when a file is renamed, permissions change, or ownership is modified.
Access Time (A): Historically unreliable, as Windows has altered how frequently it updates access times, even delaying updates by up to an hour or disabling them altogether in some versions.
For practical forensic work, focusing on Modification (M) and Creation (B) times is usually the best approach, as they are more reliable indicators of file activity.
The Importance of Time Formats
One of the most crucial factors in forensic timeline analysis is understanding how different filesystems store timestamps:
NTFS timestamps are stored in UTC, meaning they remain consistent regardless of time zone changes or daylight saving time.
FAT timestamps use local time, which can lead to inconsistencies when analyzing files across different locations.
Additionally, NTFS uses a high-resolution 64-bit FILETIME structure, which counts time in 100-nanosecond intervals since January 1, 1601 (UTC). In contrast, UNIX systems count seconds since January 1, 1970.
How Actions Affect Timestamps
Different file actions impact timestamps in various ways. Here are some key forensic takeaways:
File Creation: All four timestamps (MACB) are set at the time of creation.
File Modification: Updates the M (modification), A (access), and C (metadata change) timestamps.
File Rename/Move (on the same volume): Only the C timestamp is updated.
File Deletion: No timestamps are updated (Windows doesn’t maintain a deletion timestamp).
File Copying: The copied file retains the M timestamp from the original but receives a new B (creation) timestamp, making it possible to detect copied files by spotting instances where the modification date is older than the creation date.
Command Line vs. GUI Moves: Interestingly, moving a file via the command line can produce different timestamp behaviors compared to using drag-and-drop in the Windows GUI.
The Challenges of Windows Version Differences
Different Windows versions handle timestamps in slightly different ways. For example:
Windows Vista disabled access time updates (later re-enabled in Windows 10 and 11).
Windows 10 vs. 11 timestamp behaviors are largely similar, but forensic experts should always test assumptions on a similar system before drawing firm conclusions.
Practical Takeaways for Investigators
Prioritize M and B timestamps. They are the most consistent and useful in tracking file activity.
Be cautious with A and C timestamps. These can be misleading due to system behaviors and version differences.
Recognize copied files. If a file’s modified date is older than its creation date, it was likely copied from another source.
Validate your findings. If timestamps play a crucial role in your investigation, test your hypothesis on a similar system to confirm expected behaviors.
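To make the two ideas above concrete, here is a small added example (not code from the original post) that converts raw NTFS FILETIME values (100-ns ticks since 1601-01-01 UTC) to Unix time and datetimes, and then applies the "modified date older than creation date" heuristic to a constructed set of file records. The record layout (dicts with M and B as FILETIME integers) and the sample files are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME counts 100-ns ticks since 1601-01-01 UTC; Unix time counts
# seconds since 1970-01-01 UTC. This constant is the tick count between the two.
EPOCH_DIFF_100NS = 116_444_736_000_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw 64-bit FILETIME value to a timezone-aware UTC datetime."""
    if not 0 <= ft < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    # Python datetimes stop at microseconds, so the last (100 ns) digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_unix(ft: int) -> float:
    """Convert FILETIME to Unix seconds; the float keeps the sub-second part."""
    return (ft - EPOCH_DIFF_100NS) / 10_000_000


def unix_to_filetime(unix_seconds: float) -> int:
    """Inverse of filetime_to_unix, used here to build fixtures."""
    return int(round(unix_seconds * 10_000_000)) + EPOCH_DIFF_100NS


def flag_copied(entries):
    """Return names of entries whose M (modified) time predates B (created).

    On NTFS a copy keeps the source file's M but gets a fresh B, so M < B is
    the copy indicator the article describes. Entries hold FILETIME integers.
    """
    return [e["name"] for e in entries if e["M"] < e["B"]]


def _ft(*ymdhms) -> int:
    """Helper (assumed, not a Windows API): FILETIME from a UTC calendar date."""
    return unix_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


# Constructed sample records (not taken from a real disk image).
SAMPLE_ENTRIES = [
    {"name": "report.docx", "M": _ft(2023, 12, 15, 9, 30), "B": _ft(2024, 3, 1, 14, 5)},  # M < B: likely copied
    {"name": "notes.txt", "M": _ft(2024, 2, 10, 11, 0), "B": _ft(2024, 2, 10, 11, 0)},     # created, never edited
    {"name": "app.log", "M": _ft(2024, 2, 12, 8, 0), "B": _ft(2024, 2, 10, 11, 0)},        # edited after creation
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["name"], "M=", filetime_to_datetime(e["M"]), "B=", filetime_to_datetime(e["B"]))
    print("likely copied:", flag_copied(SAMPLE_ENTRIES))  # → ['report.docx']
```

Because FAT stores local time rather than UTC, records from a FAT volume should be converted to UTC with the correct zone before being compared against NTFS values in the same timeline.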
Final Thoughts
Filesystem timelines are an incredibly powerful tool in digital forensics. Understanding how different filesystems handle timestamps, recognizing anomalies, and testing assumptions can make all the difference in an investigation.
Dean