Quick Tip: Meaning of MAC times in different file systems

Every file system handles MAC times slightly differently; however, sleuthkit (as well as other forensics software products) uses the same acronym/fields no matter which file system you're analyzing. Here's a quick run-down of some popular file systems and what the M, A, C, and B mean:

| File System | m | a | c | b |
|---|---|---|---|---|
| Ext2/3 | Modified | Accessed | Attribute modification and/or file content change | N/A |
| FAT | File Modified | Accessed | N/A | Created |
| NTFS | File Modified | Accessed | MFT Modified | Created |
| UFS | Modified | Accessed | Attribute modification and/or file content change | N/A |

And now, back to your regularly scheduled programming…
