by Dr. Radut

type

In accordance with 4 time stamps which are Created time(crtime), Modifiled time aka Last Wrriten(mtime), Changed time aka Entry Modifiled(ctime) and Accessed time(atime), fte outputs type of time stamp to type column on some tab. It will be determined by micro information and combination with 4 time stamps, then objects(files/folders) are classified into one of pre-defined categories. It helps investigator to track specified objects.

The following are current pre-defined category.

FAT

Time stamps fit into FAT resolution.

  • atime - 1 day
  • mtime - 2 seconds
  • ctime - no value (1601/01/01 00:00:00+time zone on fte)
  • crtime - 10 millisecond

exFAT

Time stamps fit into exFAT resolution.

  • atime - 2 seconds
  • mtime, crtime - 10 millisecond
  • ctime - no value (1601/01/01 00:00:00+time zone on fte)

Unix(POSIX)

crtime, mtime and atime are Unix(POSIX) style timestamp (i.e. time stamp resolution is 1 second).

  • atime, mtime, ctime, crtime - 1 second

Objects on Ext2/3 and HFS+ through network share belong to this type.

DOS

ctime has 100 nanosecond resolution and the others are DOS style time stamp.

  • atime, mtime, crtime - 2 seconds
  • ctime - 100 nanosecond

Some application treat time stamp of objects as this type.

FAT/ZIP/LZH->NTFS

mtime is DOS style and the others have 100 nanosecond resolution.

  • atime, ctime, crtime - 100 nanosecond
  • mtime - 2 seconds

Usually mtime tends to maintained by copy operation. For example, object on FAT is copied into NTFS, the type is "FAT/ZIP/LZH->NTFS". Also, ZIP/LZH format adopts DOS style for mtime of target object. When it's extracted, common utility set this mtime to extracted object. So files from ZIP/LZH belong to "FAT/ZIP/LZH->NTFS". However, there are optional format in ZIP/LZH and it's possible to store Unix(POSIX) or FILETIME style. Eventually the behavior depends on implementation.

exFAT->NTFS

mtime has 10 millisecond resolution, the others has 10 nanosecond resolution.

  • atime, ctime, crtime - 100 nanosecond
  • mtime - 10 millisecond

For example, object on exFAT is copied into NTFS, the type is "exFAT->NTFS"

SYSTEMTIME

crtime, mtime and atime are SYSTEMTIME style, i.e. millisecond resolution.

  • atime, mtime, crtime - 1 millisecond
  • ctime - 100 nanosecond

Some utility utilize SYSTEMTIME style. As far as I know, "Change File Time Stamp" and "FileTouch" utility change timestamp using SYSTEMTIME API. For example if the timestamp of object are manipulated such utility, type is SYSTEMTIME.

FILETIME

None of the above applies, the type is FILETIME.

  • atime, mtime, ctime, crtime - 100 nanosecond
Tags
fte

Add new comment

About text formats

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.