Let's understand this with an example.
We have created a table to understand NTFS operations and how each one affects the timestamps.
1. Create Operation:
When a file is created, according to the table, all timestamps (Modified, Accessed, Created) are set to the creation time.
2. Modify Operation:
When a file is modified, only the Modified timestamp is expected to change, while the Accessed and Created timestamps remain unchanged.
However, if last-access updates are enabled (NtfsDisableLastAccessUpdate set to 0), the Accessed timestamp is updated along with the Modified timestamp.
In this case it is enabled:
3. Copy Operation:
When a file is copied using Windows Explorer, the Modified timestamp of the new file inherits from the original file, while the Created and Accessed timestamps are updated to the current time.
If a file is copied from the command line (cmd), the behavior is the same as in Windows Explorer: both methods set the Created and Accessed timestamps of the copied file to the current time and keep the original Modified timestamp.
However, when we analyze the $MFT file we may actually see a difference, because the MFT shows us both sets of timestamps for a file:
($SI) $STANDARD_INFORMATION: these timestamps are the ones accessible (and writable) through the Windows API.
($FN) $FILE_NAME: these timestamps are maintained by the Windows kernel and are not exposed through the Windows API.
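To make the $SI / $FN distinction concrete, here is an added example (not part of the original post, and not a tool the post uses) that parses both attributes out of an MFT FILE record and compares them. The two records are constructed inside the script for the "Explorer copy" and "backdated $SI" cases described above; they are not dumps from a real $MFT, and the update sequence array (fixups) is not applied because the constructed records have none. The attribute and record offsets follow the public NTFS on-disk layout for resident attributes.

```python
"""Parse $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps from an
NTFS MFT FILE record and compare them. Records below are CONSTRUCTED in this
script (not real $MFT dumps); no fixup/USA handling is done for brevity."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEYS = ("created", "modified", "mft_modified", "accessed")
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), integer-exact."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def resident_attr(attr_type, content):
    """Resident attribute: 24-byte header + content, total length padded to 8."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", attr_type, length, 0, 0, 0, 0, 0)  # type, len, non-res, name len/off, flags, id
    hdr += struct.pack("<IHBB", len(content), 24, 0, 0)  # content size, content offset, indexed, pad
    return (hdr + content).ljust(length, b"\x00")


def build_record(name, si, fn):
    """Constructed 1024-byte FILE record with one $SI and one $FN attribute."""
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 0, 0, 1, 1, 56, 1, 0, 1024, 0, 3, 0, 99)
    si_body = struct.pack("<4Q4I", *[to_filetime(si[k]) for k in KEYS], 0x20, 0, 0, 0)
    fn_body = struct.pack("<Q4QQQIIBB", 5, *[to_filetime(fn[k]) for k in KEYS],
                          0, 0, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    body = (header.ljust(56, b"\x00") + resident_attr(ATTR_SI, si_body)
            + resident_attr(ATTR_FN, fn_body) + struct.pack("<I", ATTR_END))
    return body.ljust(1024, b"\x00")


def parse_record(record):
    """Walk the attribute list; return {'si': {...}, 'fn': {...}} with datetimes and raw FILETIMEs."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    out = {}
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while off + 8 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END or length == 0:
            break
        if record[off + 8] == 0 and attr_type in (ATTR_SI, ATTR_FN):  # resident only
            size, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff: off + coff + size]
            base = 0 if attr_type == ATTR_SI else 8  # $FN starts with an 8-byte parent reference
            raw = struct.unpack_from("<4Q", content, base)
            entry = {k: from_filetime(v) for k, v in zip(KEYS, raw)}
            entry["raw"] = dict(zip(KEYS, raw))
            if attr_type == ATTR_FN:
                entry["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
            out["si" if attr_type == ATTR_SI else "fn"] = entry
        off += length
    return out


def timestomp_indicators(parsed):
    """Heuristics only: $SI is writable via the Win32 API, $FN is kernel-set, so a
    $SI creation time older than the $FN creation time, or a $SI value with an exactly
    zero sub-second part, deserves a closer look. A copied file legitimately has
    $SI modified older than $FN modified, so that pair is deliberately not compared."""
    si, fn = parsed["si"], parsed["fn"]
    hits = []
    if si["created"] < fn["created"]:
        hits.append(f"$SI created {si['created']:%Y-%m-%d %H:%M:%S} predates $FN created {fn['created']:%Y-%m-%d %H:%M:%S}")
    for k in ("created", "modified"):
        if si["raw"][k] % 10_000_000 == 0:
            hits.append(f"$SI {k} has a zero sub-second component")
    return hits


# Constructed sample timestamps (UTC).
T_COPY = datetime(2024, 3, 5, 10, 15, 30, 123456, tzinfo=timezone.utc)
T_ORIG_MOD = datetime(2023, 11, 1, 8, 0, 0, 654321, tzinfo=timezone.utc)
T_BACKDATE = datetime(2015, 1, 1, 0, 0, 0, tzinfo=timezone.utc)  # whole second, as API-set times often are

# Explorer copy: $SI modified inherited from the source, every other value is the copy time.
COPIED = build_record("report.docx",
                      si={"created": T_COPY, "modified": T_ORIG_MOD, "mft_modified": T_COPY, "accessed": T_COPY},
                      fn={k: T_COPY for k in KEYS})
# Backdated $SI: all four $SI values pushed to 2015 while kernel-set $FN keeps the real creation time.
STOMPED = build_record("update.exe", si={k: T_BACKDATE for k in KEYS}, fn={k: T_COPY for k in KEYS})

if __name__ == "__main__":
    for label, rec in (("copied", COPIED), ("stomped", STOMPED)):
        p = parse_record(rec)
        print(label, p["fn"]["name"], timestomp_indicators(p) or "no indicators")
```

Running the script shows the copied file with no indicators even though its $SI Modified is older than its $FN Modified, while the backdated file is flagged on both the $SI-before-$FN creation time and the whole-second values. On a real image the same parse is applied to each 1024-byte record of $MFT after fixups are undone.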
4. File Access:
The behavior of the Accessed timestamp depends on the NtfsDisableLastAccessUpdate registry setting. If last-access updates are enabled, the Accessed timestamp is updated when the file is accessed.