A few words on the three file times in the Windows file system: created time, modified time, accessed time
2013-04-29 11:28
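For work reasons I needed to find out what the three times in Windows file properties, which I had never paid attention to before, actually mean: created time, modified time, accessed time. After some investigation and a little experimentation, I reached the following conclusions.
created time: the time the file was originally created (for example by downloading and saving it from the web, copying it, creating a new file, and so on).
modified time: a change to the file's contents (editing) causes this attribute to change.
accessed time: the intent of this attribute is that its value should change whenever the file is accessed in any way (viewing, editing, moving, ...). In practice, however, the default behavior differs between system versions. For example, on my x64 Win7 Professional system, viewing a file's contents, or moving a file between directories on the same disk partition (cut, then paste), does not change this attribute. Its value changes only when the file is moved between different disk partitions.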
---------
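Also:
Appended below are excerpts from two English posts (nowadays, when searching Google for a technical article, the relevant pages often cannot be opened because of blocking; what more can one say? This idiotic government, while fearing foreign opinion, also obstructs technical exchange. Not to mention the many good technical videos on YouTube, none of which can be watched.)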
[1]
File / folder last accessed date and time attribute notes:
Sometimes last accessed time is changed due to some programs operation with files or folders. It might be antivirus software which accesses file for virus scanning purpose or Windows Explorer that extracts icon from executable file thus changing the last accessed date.
Resolution of file last accessed date is 1 hour for NTFS and 1 day for FAT. This means that only access hour or day will be recorded for this file property, skipping access minutes or hours accordingly.
For improved file system performance Last Access time update is switched off since Windows Vista by default (also, Windows 2008 / 2008 R2, Windows 7). Thus, Last Access time attribute is set upon creating file and not changed afterwards even if file is modified. However, it is possible to enable Last Access time updates if necessary.
To enable Last Access time updates open Registry Editor by typing regedit in Search input on Start Menu, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem path entry and change NtfsDisableLastAccessUpdate value data to 0. After setting Last Access time update, system has to be restarted for the change to take effect. Alternatively, run the following command with administrator rights:
C:\>fsutil behavior set disablelastaccess 0
[2]
For every file on an NTFS volume, there are the following dates:
File Created
File Accessed
File Modified
MFT last written
Each of these dates is explained below:
File Created: This is the date the file was “created” on the volume. This does not change when working normally with a file, e.g. opening, closing, saving, or modifying the file.
File Accessed: This is the date the file was last accessed. An access can be a move, an open, or any other simple access. It can also be tripped by Anti-virus scanners, or Windows system processes. Therefore caution has to be used when stating a “file was last accessed by user XXX” if there is only the “File Access” date in NTFS to work from.
File Modified: This date, as shown by Windows, indicates there has been a change to the file itself. E.g. a Notepad document that has more data added to it would trip the date it was modified.
MFT Entry Modified: A basic understanding of NTFS and the MFT is required for this section. This date is not shown by Windows Explorer or the average Windows interface, but requires forensic tools, e.g. EnCase, FTK, iLook, WinHex, etc. This date shows when the MFT entry, which points to the file of concern, was changed. This means that if the record that points to the file is changed, then this date would trip. As all the dates, file name, file sizes are stored in the MFT, if any of those are changed then the date will change. For example, if the file size changes then the MFT Entry modified date is changed. If the file name is changed, then the MFT entry modified is changed.
There are another 4 dates in NTFS within the MFT, these will be covered later.
EnCase Date Formats:
EnCase reports these dates in the following manner:
File Created = EnCase “File Created”
File Accessed = EnCase “Last Accessed”
File Modified = EnCase “Last Written”
MFT last written = EnCase “Entry Modified”
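
Added example (not from the original post or the two quoted articles): a Python sketch of how a forensic tool reads the four dates in excerpt [2] from the MFT, and why the Accessed date needs the caution both excerpts describe. It assumes the four timestamps are the first 32 bytes of the $STANDARD_INFORMATION attribute content in the order created, modified, MFT-entry-modified, accessed; the sample bytes are constructed and all function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed field order at the start of the $STANDARD_INFORMATION attribute content:
# four little-endian 64-bit FILETIME values, labelled with the names used above.
FIELDS = ("File Created", "File Modified", "MFT Entry Modified", "File Accessed")

def filetime_to_datetime(ft):
    """A FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_standard_information(content):
    """Decode the four timestamps from raw attribute content (at least 32 bytes)."""
    if len(content) < 32:
        raise ValueError("truncated $STANDARD_INFORMATION content")
    return dict(zip(FIELDS, map(filetime_to_datetime, struct.unpack_from("<4Q", content))))

def interpretation_notes(ts):
    """Caveats (heuristics) to attach before drawing conclusions from the dates."""
    notes = []
    if ts["File Accessed"] == ts["File Created"]:
        notes.append("Accessed equals Created: last-access updates may have been "
                     "disabled, so this date says nothing about later reads.")
    if ts["MFT Entry Modified"] > ts["File Modified"]:
        notes.append("MFT entry changed after the last content write: a metadata "
                     "change such as a rename followed the last edit.")
    return notes

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample: created 1 April and never re-stamped on access, edited on
# 20 April, renamed on 25 April (the rename touches only the MFT entry).
SAMPLE = struct.pack("<4Q", *(datetime_to_filetime(d) for d in (
    utc(2013, 4, 1, 9, 0, 0), utc(2013, 4, 20, 15, 30, 0),
    utc(2013, 4, 25, 8, 0, 0), utc(2013, 4, 1, 9, 0, 0))))

if __name__ == "__main__":
    stamps = parse_standard_information(SAMPLE)
    for name in FIELDS:
        print(f"{name:20} {stamps[name].isoformat()}")
    for note in interpretation_notes(stamps):
        print("note:", note)
```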