ShellSpells

Time

Accessed Time

All accessed times:

dir /ta

All accessed times, recursive:

dir /ta /s

Accessed on EXACT date:

dir /ta /s | findstr "01/17/2024"

Accessed on EXACT date:

Get-ChildItem -Path C:\ -Recurse -Filter "*.*" | Where-Object { $_.LastAccessTime.Date -eq [datetime]"02/16/2024" }

Accessed AFTER, recursive:

Get-ChildItem "C:\path" -Recurse | Where-Object { $_.LastAccessTime -gt "MM/DD/YYYY" }

Accessed BEFORE, recursive:

Get-ChildItem "C:\path" -Recurse | Where-Object { $_.LastAccessTime -lt "MM/DD/YYYY" }

Accessed within date range:

$startDate = Get-Date "MM/DD/YYYY"; $endDate = Get-Date "MM/DD/YYYY"; Get-ChildItem -Path "C:\path" -Recurse | Where-Object { $_.LastAccessTime -gt $startDate -and $_.LastAccessTime -lt $endDate }

Modified Time

All modified times:

dir /tw

All modified times, recursive:

dir /tw /s

Modified on EXACT date:

dir /tw /s | findstr "01/17/2024"

Modified ON or BEFORE date (/D -date is inclusive; /M allows wildcards):

forfiles /P "C:\path" /M "*.*" /S /D -02/16/2024

Modified on EXACT date:

Get-ChildItem -Path C:\ -Recurse -Filter "*.*" | Where-Object { $_.LastWriteTime.Date -eq [datetime]"02/16/2024" }

Modified AFTER, recursive:

forfiles /P "C:\path" /S /D +MM/DD/YYYY

Modified AFTER, recursive:

Get-ChildItem "C:\path" -Recurse | Where-Object { $_.LastWriteTime -gt "MM/DD/YYYY" }

Modified BEFORE, recursive:

forfiles /P "C:\path" /S /D -MM/DD/YYYY

Modified BEFORE, recursive:

Get-ChildItem "C:\path" -Recurse | Where-Object { $_.LastWriteTime -lt "MM/DD/YYYY" }

Modified within date range:

$startDate = Get-Date "MM/DD/YYYY"; $endDate = Get-Date "MM/DD/YYYY"; Get-ChildItem -Path "C:\path" -Recurse | Where-Object { $_.LastWriteTime -gt $startDate -and $_.LastWriteTime -lt $endDate }

Creation Time

All creation times:

dir /tc

All creation times, recursive:

dir /tc /s

Creation on EXACT date:

dir /tc /s | findstr "01/17/2024"

Creation on EXACT date:

Get-ChildItem -Path C:\ -Recurse -Filter "*.*" | Where-Object { $_.CreationTime.Date -eq [datetime]"02/16/2024" }

Creation AFTER, recursive:

Get-ChildItem "C:\path" -Recurse | Where-Object { $_.CreationTime -gt "MM/DD/YYYY" }

Creation BEFORE, recursive:

Get-ChildItem "C:\path" -Recurse | Where-Object { $_.CreationTime -lt "MM/DD/YYYY" }

Created within date range:

$startDate = Get-Date "MM/DD/YYYY"; $endDate = Get-Date "MM/DD/YYYY"; Get-ChildItem -Path "C:\path" -Recurse | Where-Object { $_.CreationTime -gt $startDate -and $_.CreationTime -lt $endDate }

Metadata Change Time

Combining FORFILES and PowerShell:

forfiles /S /M "*.*" /C "cmd /c powershell -NoProfile (Get-ChildItem -Path '@path').LastWriteTimeUtc -ne (Get-ChildItem -Path '@path').CreationTimeUtc"

Explanation:

FORFILES /S /M "*.*" iterates through files recursively.

/C "cmd /c ..." executes a command for each file.

@path is the forfiles variable for the full path of the current file. forfiles supplies it wrapped in double quotes; the single quotes keep paths that contain spaces intact inside PowerShell.

PowerShell within the command prints True when LastWriteTimeUtc differs from CreationTimeUtc, which may indicate a metadata change, and False otherwise.

This is not definitive: the last write time also differs from the creation time whenever the file content was modified.
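
The date-range one-liners and the created-versus-modified comparison above, combined into one triage function as an added example (not part of the original page). It reports every file with any of its three timestamps inside a half-open window, compared in UTC, and flags files whose creation time is later than their last write time. The function name Find-FileByTimeWindow is hypothetical; the path and dates are the page's placeholders.

```powershell
# Added example: Find-FileByTimeWindow is a hypothetical helper, not from the original page.
function Find-FileByTimeWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [datetime] $Start,  # inclusive
        [Parameter(Mandatory)] [datetime] $End     # exclusive
    )
    if ($End -le $Start) { throw 'End must be later than Start.' }

    # Compare in UTC so the result does not shift with the analyst's time zone or DST.
    $startUtc = $Start.ToUniversalTime()
    $endUtc   = $End.ToUniversalTime()

    # -Force includes hidden and system files; unreadable folders are skipped, not fatal.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file   = $_
            $stamps = [ordered]@{
                Created  = $file.CreationTimeUtc
                Modified = $file.LastWriteTimeUtc
                Accessed = $file.LastAccessTimeUtc
            }
            # Names of the timestamps that fall inside [Start, End).
            $hits = @($stamps.Keys | Where-Object {
                $stamps[$_] -ge $startUtc -and $stamps[$_] -lt $endUtc
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    FullName    = $file.FullName
                    InWindow    = $hits -join ','
                    CreatedUtc  = $stamps.Created
                    ModifiedUtc = $stamps.Modified
                    AccessedUtc = $stamps.Accessed
                    # Created later than modified usually means the file was copied or
                    # extracted here: the copy gets a new creation time, the write time is kept.
                    CreatedAfterModified = $stamps.Created -gt $stamps.Modified
                }
            }
        }
}

# Constructed usage: the whole day of 02/16/2024 under the page's placeholder path.
Find-FileByTimeWindow -Path 'C:\path' -Start '02/16/2024' -End '02/17/2024' |
    Sort-Object ModifiedUtc |
    Format-Table InWindow, ModifiedUtc, CreatedAfterModified, FullName -AutoSize
```

A one-day window such as the one in the usage call also gives a true exact-date match, because the comparison is made on full timestamps rather than on formatted text.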

Last updated 1 year ago