Timestamps
Commands
Command                                          Timestamp
dir /tw <file>                                   Last Modified
dir /ta <file>                                   Last Access
dir /tc <file>                                   Creation
Get-Item <file> | Select-Object LastWriteTime    Last Modified
Get-Item <file> | Select-Object LastAccessTime   Last Access
Get-Item <file> | Select-Object CreationTime     Creation
Print the last modified date of all files in a directory
Lists the Name and MAC times of C:\Windows:
View Creation Date of Processes w/ Proper Timestamps:
Search a date range:
Get time stamp of malicious exe and search for other files around the same time, going up or down a minute or two as needed
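One way to do the pivot described above, as an added example that is not part of the original page. The function name Find-FilesNearTimestamp, its parameters, and the notepad.exe stand-in paths are assumptions for illustration.

```powershell
# Added example: pivot on a reference file's timestamps to find files touched around the same time.
# Find-FilesNearTimestamp is a hypothetical helper name, not a built-in cmdlet.
function Find-FilesNearTimestamp {
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,   # the suspicious file
        [Parameter(Mandatory)] [string] $SearchRoot,      # directory tree to sweep
        [int] $WindowMinutes = 2                          # +/- window around each timestamp
    )
    $ref = Get-Item -LiteralPath $ReferencePath -Force -ErrorAction Stop
    # Compare in UTC so time zone and DST changes do not shift the window.
    $pivots = [ordered]@{ Created = $ref.CreationTimeUtc; Modified = $ref.LastWriteTimeUtc; Accessed = $ref.LastAccessTimeUtc }
    $window = [TimeSpan]::FromMinutes($WindowMinutes)

    Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $ref.FullName } |
        ForEach-Object {
            $file  = $_
            $times = @{ Created = $file.CreationTimeUtc; Modified = $file.LastWriteTimeUtc; Accessed = $file.LastAccessTimeUtc }
            # Record every (file time, reference time) pair that falls inside the window.
            $hits = foreach ($p in $pivots.GetEnumerator()) {
                foreach ($t in $times.GetEnumerator()) {
                    if (($t.Value - $p.Value).Duration() -le $window) {
                        "$($t.Key)~Ref$($p.Key)"
                    }
                }
            }
            if ($hits) {
                [pscustomobject]@{
                    FullName    = $file.FullName
                    CreatedUtc  = $file.CreationTimeUtc
                    ModifiedUtc = $file.LastWriteTimeUtc
                    AccessedUtc = $file.LastAccessTimeUtc
                    Matches     = ($hits | Sort-Object) -join ', '
                }
            }
        }
}

# Stand-in paths so the call runs on any Windows host; substitute the suspect file
# and the tree under investigation, and widen -WindowMinutes if nothing turns up.
Find-FilesNearTimestamp -ReferencePath "$env:WINDIR\System32\notepad.exe" -SearchRoot "$env:WINDIR\System32" -WindowMinutes 2 |
    Sort-Object ModifiedUtc | Format-Table -AutoSize
```

Matches on the Accessed column are only meaningful when last access updates are enabled on the volume; see the NtfsDisableLastAccessUpdate value below.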
Remote
Timestamp Updates
Create Time
The create timestamp is updated anytime a file or directory is created from scratch or a copy is made.
Modify Time
The modification timestamp is updated anytime a file or directory is changed.
Access Time
The access timestamp is updated anytime the contents (including metadata) of a file or directory are touched to perform an action.
Entry Modify Time
The entry modified timestamp refers to the time when the Master File Table (MFT) entry itself was modified.
Creating a folder updates the Modified, Access and Create Times (for the folder)
Creating a file updates the Modified, Access and Create Times (for the file)
Creating a file within a folder updates the Modified and Access Times (for the folder)
Modifying a file updates the Modified and Access Times (for the file)
Modifying a file updates the Modified and Access Times (for the folder)
Moving a file into a folder/directory updates the Modified and Access Times (for the folder/dir)
Moving a file into a folder/directory updates the Access Time (for the file)
Copying a file into a folder/directory updates the Access Time (for the directory the file was copied FROM)
Copying a file into a folder/directory updates the Modified and Access Time (for the directory the file was copied TO)
The difference between a copy and a move is that a COPY creates a new file at the destination, resulting in multiple files, while a MOVE creates a new file at the destination and then erases the original file from its location by updating the Master File Table (MFT) to point to the new location.
The default action when a Drag and Drop is performed within the same partition is a MOVE; when performed across different partitions, it is a COPY.
Enable/Disable Last Access Update Time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
-> value of 1 means disabled (default in Vista+)
-> value of 0 means enabled (default in XP and earlier, if the key exists)
Registry Locations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Contains information about the current time zone settings, including bias, standard time, and daylight saving time adjustments.
HKEY_USERS\.DEFAULT\Control Panel\International
Stores user-specific international settings, including date and time formats, for the default user profile.
HKEY_CURRENT_USER\Control Panel\International
Contains the current user's international settings, including date and time formats, reflecting the user's locale preferences.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Holds configuration parameters for the Windows Time service, which is responsible for time synchronization in Windows.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Contains additional configuration settings for the Windows Time service, such as time correction settings and polling intervals.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders
Stores settings for various time providers used by the Windows Time service for time synchronization.