Every file system handles MAC times slightly differently, however sleuthkit (as well as other forensics software products) use the same acronym/fields no matter which file system you’re analyzing. Here’s a quick run-down of some popular file systems and what the M, A, C, and B mean:
| File System | m | a | c | b |
| Ext2/3 | Modified | Accessed | Attribute modification and/or file content change | N/A |
| FAT | File Modified | Accessed | N/A | Created |
| NTFS | File Modified | Accessed | MFT Modified | Created |
| UFS | Modified | Accessed | Attribute modification and/or file content change | N/A |
And now, back to your regularly scheduled programming…
Leave a Reply