Computer Forensic MAC Times

MAC times in computer forensics

I was explaining some computer forensics topics to a customer the other day and I was asked what MAC times are.  I thought it would be a good idea to explain it here as well so that everyone could benefit.

MAC times

MAC times are a form of metadata that record when files were created, modified and accessed and are named as follows:

  • Created time: ctime
  • Modification time: mtime
  • Access time: atime

You should be aware that the MAC times differ by file system and operating system and this can impact a forensic investigation when creation times are required for analysis from Windows and UNIX machines.

UNIX and Windows variations on MAC time

Traditional UNIX systems differ from Windows systems in their use of ctime.  Windows systems record the date and time when the file was created as the ctime, but UNIX systems do not record the creation date and time.  Instead, they use ctime as the time the file status (its inode metadata, such as permissions or ownership) last changed.  UNIX systems function this way because creation time is not a requirement in POSIX.  Macintosh systems that are based on UNIX have implemented a birth time (btime) in their HFS file system.  Later file systems including EXT4, Btrfs and JFS store the creation time.
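The following script is an added example, not part of the original article, that makes the ctime difference concrete: it collects the timestamps for a file, labels what `st_ctime` means on the platform it runs on, and shows that a permission change alone bumps ctime on UNIX while leaving mtime untouched. The file name `evidence.txt` and its content are constructed sample data; `st_birthtime_ns` is only exposed by CPython on platforms whose file systems report a birth time, so the code falls back to `None` where it is absent.

```python
import os
import sys
import time
import tempfile
from datetime import datetime, timezone


def mac_times(path):
    """Collect MAC times for one file and label what ctime means on this platform.

    Values are nanosecond integers; None means the platform does not expose it.
    """
    st = os.stat(path)
    times = {
        "atime_ns": st.st_atime_ns,
        "mtime_ns": st.st_mtime_ns,
    }
    if sys.platform == "win32":
        # On Windows, os.stat reports the file creation time in st_ctime.
        times["ctime_meaning"] = "creation"
        times["btime_ns"] = st.st_ctime_ns
        times["ctime_ns"] = None
    else:
        # On UNIX, st_ctime is the last inode/status change, not creation.
        times["ctime_meaning"] = "status change"
        times["ctime_ns"] = st.st_ctime_ns
        # Birth time is only available on some platforms (e.g. macOS, FreeBSD);
        # CPython 3.12+ adds st_birthtime_ns where the file system supports it.
        birth_ns = getattr(st, "st_birthtime_ns", None)
        if birth_ns is None:
            birth = getattr(st, "st_birthtime", None)
            birth_ns = int(birth * 1_000_000_000) if birth is not None else None
        times["btime_ns"] = birth_ns
    return times


def fmt(ns):
    """Render a nanosecond timestamp as UTC ISO-8601, or 'n/a' when missing."""
    if ns is None:
        return "n/a"
    return datetime.fromtimestamp(ns / 1e9, tz=timezone.utc).isoformat()


def status_change_demo():
    """Create a constructed sample file, change only its permissions, and
    return the MAC-time snapshots taken before and after the chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")  # constructed sample file
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        before = mac_times(path)
        time.sleep(0.1)  # step past the file system's timestamp granularity
        os.chmod(path, 0o600)  # metadata-only change: no content is written
        after = mac_times(path)
    return before, after


def content_unchanged(before, after):
    """True when mtime survived the metadata change (no content was written)."""
    return before["mtime_ns"] == after["mtime_ns"]


def status_changed(before, after):
    """True when ctime moved forward on UNIX, or is not a change time (Windows)."""
    if after["ctime_ns"] is None:
        return True
    return after["ctime_ns"] >= before["ctime_ns"]


if __name__ == "__main__":
    b, a = status_change_demo()
    for label, snap in (("before chmod", b), ("after chmod", a)):
        print(f"{label}: ctime means '{snap['ctime_meaning']}'")
        for key in ("btime_ns", "ctime_ns", "mtime_ns", "atime_ns"):
            print(f"  {key[:-3]}: {fmt(snap[key])}")
```

On a Linux host the "after chmod" snapshot shows a later ctime than "before chmod" with an identical mtime, which is exactly why a UNIX ctime must not be read as a creation time in a timeline; on Windows the same field is the creation time and does not move.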

Windows systems can be configured to stop tracking the accessed MAC time by changing the value of the following registry key from 0 to 1.


About The Author

Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.
