Interesting article on examining time stamps (defeating Timestomp? Filetime?), highlighting the differences between the SI and FN attributes. The article refers to a Perl script (previously written by Harlan Carvey) to output the results…
“.. Chronological data about the files on a Windows system are stored in something called the Master File Table or $MFT ..
– snip –
there are two places in the MFT that store this chronological data. One is the $Standard_Information ($S_I) attribute, and the other is the $File_Name ($F_N) attribute ..”
Cepogue, The Digital Standard, 23 February 2011
http://thedigitalstandard.blogspot.com/2011_02_01_archive.html – last access 26 February 2011 – ( Full Article )
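To make the $S_I / $F_N comparison concrete, here is an added Python example; it is not from the quoted article and is not Harlan Carvey's Perl script. It reads both timestamp sets from one raw MFT FILE record and reports the per-field difference. The function names and the sample record are constructed for illustration, and the parser is simplified (resident attributes only, no update-sequence fixups).

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
FIELDS = ("created", "modified", "mft_modified", "accessed")

def mft_times(record):
    """Return {'SI': {...}, 'FN': {...}} for one raw FILE record.
    Simplified: resident attributes only, update-sequence fixups not applied."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    out, pos = {}, struct.unpack_from("<H", record, 0x14)[0]  # first attribute
    while pos + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == 0xFFFFFFFF or alen == 0:                  # end marker
            break
        if atype in (0x10, 0x30) and record[pos + 8] == 0:    # resident $S_I / $F_N
            body = pos + struct.unpack_from("<H", record, pos + 0x14)[0]
            skip = 8 if atype == 0x30 else 0   # $F_N body starts with parent reference
            raw = struct.unpack_from("<4Q", record, body + skip)
            times = {f: EPOCH + timedelta(microseconds=v // 10) for f, v in zip(FIELDS, raw)}
            out.setdefault("SI" if atype == 0x10 else "FN", times)  # keep first $F_N
        pos += alen
    return out

def si_minus_fn(times):
    """Per-field difference $S_I - $F_N. A negative 'created' delta is a common
    triage lead, not proof: legitimate tools can also set $S_I times."""
    return {f: times["SI"][f] - times["FN"][f] for f in FIELDS}

# --- constructed sample record (hypothetical, not real evidence) ---
def _ft(y, m, d):
    return int((datetime(y, m, d, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
def _attr(atype, body):
    size = (0x18 + len(body) + 7) & ~7          # 24-byte resident header, 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, size, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return (hdr + body).ljust(size, b"\0")
def sample_record():
    si = struct.pack("<4Q", *[_ft(2005, 1, 1)] * 4) + bytes(16)   # back-dated $S_I
    name = "a.exe".encode("utf-16-le")
    fn = bytes(8) + struct.pack("<4Q", *[_ft(2011, 2, 20)] * 4) + bytes(24) \
        + bytes([len(name) // 2, 1]) + name
    head = (b"FILE".ljust(0x14, b"\0") + struct.pack("<H", 0x38)).ljust(0x38, b"\0")
    return head + _attr(0x10, si) + _attr(0x30, fn) + struct.pack("<I", 0xFFFFFFFF)

if __name__ == "__main__":
    for field, delta in si_minus_fn(mft_times(sample_record())).items():
        print(f"{field:13} SI - FN = {delta}")
```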
February 26, 2011