search

Timestamps

hashtag
Commands

dir /tw <file>

Last Modified

dir /ta <file>

Last Access

dir /tc <file>

Creation

Get-Item <file> | Select-Object LastWriteTime

Last Modified

Get-Item <file> | Select-Object LastAccessTime

Last Access

Get-Item <file> | Select-Object CreationTime

Creation

Print the last modified date of all files in a directory

forfiles /p "C:\path\to\directory" /c "cmd /c echo @file @fdate"

Lists the Name and MAC times of C:\Windows:

wmic fsdir where (name="C:\\Windows") get lastmodified, lastaccessed, creationdate, name
wmic datafile where name="C:\\FileOfInterest' get creationdate,lastmodified,lastaccessed

View Creation Date of Processes w/ Proper Timestamps:

Get-WmiObject win32_process | select processname,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.CreationDate)}},ProcessId,CommandLine |sort CreationDate -desc | format-table -auto -wrap

Search a date range:

Get-ChildItem 'C:\' -recurse -include @("*.*") | Where-Object { $_.CreationTime -ge "03/01/2014" -and $_.CreationTime -le "04/14/2015" }
wmic datafile where "drive='c:' and path like '%\\%' and lastmodified>'20140414233423.000000-240' and lastmodified<'20140420233445.000000-240'" get name

Get time stamp of malicious exe and search for other files around the same time, going up or down a minute or two as needed

hashtag
Remote

hashtag
Timestamp Updates

Create Time

The create timestamp is updated anytime a file or directory is created from scratch or a copy is made.

Modify Time

The modification timestamp is updated anytime a file or directory is changed.

Access Time

The access timestamp is updated anytime the contents (including metadata) of a file or directory is touched to perform an action.

Entry Modify Time

The entry modified timestamp refers to the time when the Master File Table (MFT) entry itself was modified.

Creating a folder updates the - Modified, Access and Create Times (for the folder)

Creating a file updates the - Modified, Access and Creat Times (for the file)

Creating a file within a folder updates the - Modified and Access Times (for the folder)

Modifying a file updates the - Modified and Access Times (for the file)

Modifying a file updates the - Modified and Access Times (for the folder)

Moving a file into a folder/directory updates the - Modified and Access Times (for the folder/dir)

Moving a file into a folder/directory updates the - Access Time (for the file)

Copying a file into a folder/directory updates the - Access Time (for the directory the file was copied FROM)

Copying a file into a folder/directory updates the - Modified and Access Time (for the directory the file was copied TO)

The difference between a copy and move is that a COPY will create a new file at the destination and results in multiple files and a MOVE will create a new file at the destination and then erases the original file from its location by updating the Master File Table (MFT) to point to the new location.

The default action when a Drag and Drop function is performed within the same partition is a MOVE and when performed on a different partition is a COPY.

hashtag
Enable/Disable Last Access Update TIme

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate

-> value of 1 means disabled (default in Vista+)

-> value of 0 means enabled (default in XP and earlier -if the key exists)

hashtag
Registry Locations

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Contains information about the current time zone settings, including bias, standard time, and daylight saving time adjustments.

HKEY_USERS.DEFAULT\Control Panel\International

Stores user-specific international settings, including date and time formats, for the default user profile.

HKEY_CURRENT_USER\Control Panel\International

Contains the current user's international settings, including date and time formats, reflecting the user's locale preferences.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Holds configuration parameters for the Windows Time service, which is responsible for time synchronization in Windows.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Contains additional configuration settings for the Windows Time service, such as time correction settings and polling intervals.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders

Stores settings for various time providers used by the Windows Time service for time synchronization.

PreviousUsers (Owners)NextSize

Last updated