I was explaining some computer forensics topics to a customer the other day and I was asked what MAC times are. I thought it would be a good idea to explain it here as well so that everyone could benefit.
MAC times are a form of metadata that record when files were created, modified and accessed and are named as follows:
- Created time: ctime
- Modification time: mtime
- Access time: atime
You should be aware that the MAC times differ by file system and operating system and this can impact a forensic investigation when creation times are required for analysis from Windows and UNIX machines.
UNIX and Windows variations on MAC time
Traditional UNIX systems differ from Windows systems in their use of ctime. Windows systems record the date and time when the file was created as the ctime, but UNIX systems do not record the creation date and time. Instead, they use ctime as the time the file's status (its inode metadata, such as permissions or ownership) last changed. UNIX systems function this way because creation time is not a requirement in POSIX. Macintosh systems that are based on UNIX have implemented a birth time (btime) in their HFS file system. Later file systems including EXT4, Btrfs and JFS store the creation time.
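The ctime difference above is easy to see for yourself. The following Python script is an added example (not code from the original post): it creates a throwaway file, back-dates its mtime and atime with os.utime to a constructed timestamp, and then changes only the file's permissions. On a UNIX system that permission change moves ctime while mtime stays where it was, which is the "status change" semantic described above; on Windows, os.stat exposes the creation time as st_ctime instead. The birth_time helper shows where a btime is available through the standard library and where it is not.

```python
import os
import tempfile


def mac_times(path):
    """Return the MAC times of `path` as a dict of epoch-second floats.

    On Windows, st_ctime is the creation time; on UNIX it is the time the
    inode (status) last changed, which is the difference discussed above.
    """
    st = os.stat(path)
    return {"mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}


def birth_time(path):
    """Return the creation ('birth') time where the platform exposes it.

    CPython reports st_birthtime on macOS/BSD (and on Windows from 3.12);
    most Linux builds do not expose it via os.stat, so None is returned there.
    """
    return getattr(os.stat(path), "st_birthtime", None)


def status_changed_after_last_write(times):
    """True when ctime is later than mtime.

    On UNIX this means the inode metadata (mode, owner, link count, or the
    timestamps themselves via utime) changed after the last content write.
    An analyst sees this pattern whenever mtime was set backwards, because
    utime cannot set ctime; the kernel stamps ctime with the current time.
    """
    return times["ctime"] > times["mtime"]


def change_mode_only(path, new_mode=0o600):
    """Change permissions without writing data; return MAC times before/after."""
    before = mac_times(path)
    os.chmod(path, new_mode)
    after = mac_times(path)
    return before, after


def demo():
    """Create a temp file, back-date mtime/atime, then change only its mode.

    Returns the observed timestamps so they can be checked programmatically.
    """
    past = 1_000_000_000.0  # 2001-09-09 UTC: a constructed, obviously old timestamp
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.txt")  # hypothetical file name
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        # utime sets atime and mtime only; ctime is updated to 'now' by the kernel.
        os.utime(path, (past, past))
        before, after = change_mode_only(path)
        return {
            "mtime_before_chmod": before["mtime"],
            "mtime_after_chmod": after["mtime"],
            "ctime_after_chmod": after["ctime"],
            "inconsistent": status_changed_after_last_write(after),
            "birth": birth_time(path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that atime is deliberately not asserted on: modern Linux mounts default to relatime, which only refreshes atime in limited cases, so a read does not reliably move it. That caveat is the same reason the Windows setting mentioned below matters to an investigator: an absent or stale access time is often a configuration choice, not evidence that the file was never opened.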
Windows systems can be configured to stop tracking the accessed MAC time by changing the value of the following registry key from 0 to 1.