22:
119:
A file's access time identifies when the file was most recently opened for reading. Access times are usually updated even if only a small portion of a large file is examined. A running program can maintain a file as "open" for some time, so the time at which a file was opened may differ from the time
212:
Some programs, in an attempt to avoid losing data if a write operation is interrupted, avoid modifying existing files. Instead, the updated data is written to a new file, and the new file is moved to overwrite the original. This practice loses the original file metadata unless the program explicitly
208:
As with all file system metadata, user expectations about MAC times can be violated by programs which are not metadata-aware. Some file-copying utilities will explicitly set MAC times of the new copy to match those of the original file, while programs that simply create a new file, read the contents
199:
The semantics of creation times is the source of some controversy. One view is that creation times should refer to the actual content of a file: e.g. for a digital photo the creation time would note when the photo was taken or first stored on a computer. A different approach is for creation times to
110:
A file's modification time describes when the content of the file most recently changed. Because most file systems do not compare data written to a file with what is already there, if a program overwrites part of a file with the same data as previously existed in that location, the modification time
88:
occurred most recently. The events are usually described as "modification" (the data in the file was modified), "access" (some part of the file was read), and "metadata change" (the file's permissions or ownership were modified), although the acronym is derived from the "mtime", "atime", and "ctime"
93:
file systems. Windows file systems do not update ctime when a file's metadata is changed, instead using the field to record the time when a file was first created, known as "creation time" or "birth time". Some other systems also record birth times for files, but there is no standard name for this
123:
Because some computer configurations are much faster at reading data than at writing it, updating access times after every read operation can be very expensive. Some systems mitigate this cost by storing access times at a coarser granularity than other times; by rounding access times only to the
124:
nearest hour or day, a file which is read repeatedly in a short time frame will only need its access time updated once. In
Windows, this is addressed by waiting for up to an hour to flush updated access dates to the disk.
172:
This difference in usage can lead to incorrect presentation of time metadata when a file created on a
Windows system is accessed on a Unix system and vice versa. Although not specified by
346:
200:
stand for when the file system object itself was created, e.g. when the photo file was last restored from a backup or moved from one disk to another.
280:
255:
61:
209:
of the original, and write that data into the new copy, will produce new files whose times do not match those of the original.
434:
43:
32:
439:
213:
copies the metadata from the original file. Windows is not affected by this due to a workaround feature called
304:
379:
226:
99:
276:
251:
150:
maintain the historical interpretation of ctime as being the time when certain file metadata,
154:, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was
102:. The name Mactime was originally coined by Dan Farmer, who wrote a tool with the same name.
369:
189:
98:, for example, stores birth time in a field called "crtime". MAC times are commonly used in
332:
414:
318:
39:
246:
Luque, Mark E. (2002). "Logical Level
Analyses of Linux Systems". In Casey, E. (ed.).
428:
383:
132:
85:
164:
use ctime to mean 'creation time' (also called 'birth time') (e.g. 'This file was
127:
Some systems also provide options to disable access time updating altogether. In
397:
374:
361:
78:
296:
362:"A systematic approach to understanding MACB timestamps on Unix-like systems"
271:
Sheldon (2002). "Forensic
Analyses of Windows Systems". In Casey, E. (ed.).
347:"Disabling Last Access Time in Windows Vista to improve NTFS performance"
81:
273:
Handbook of
Computer Crime Investigation: Forensic Tools and Technology
248:
Handbook of
Computer Crime Investigation: Forensic Tools and Technology
128:
418:
111:
will be updated even though the contents did not technically change.
300:
181:
173:
193:
177:
90:
185:
95:
15:
143:
Unix and
Windows file systems interpret 'ctime' differently:
398:"Windows NT Contains File System Tunneling Capabilities"
366:
Forensic
Science International: Digital Investigation
42:. Please help to ensure that disputed statements are
135:, file access time updating is disabled by default.
196:stores both the creation time and the change time.
84:which record when certain events pertaining to a
360:Thierry, Aurélien; Müller, Tilo (April 2022).
8:
415:Discussion about Windows and Unix timestamps
275:. London: Academic Press. pp. 134–135.
250:. London: Academic Press. pp. 182–183.
120:data was most recently read from the file.
373:
176:, most modern Unix file systems (such as
62:Learn how and when to remove this message
38:Relevant discussion may be found on the
238:
139:Change time and creation time (ctime)
7:
192:) allow to store the creation time.
14:
349:. The Storage Team at Microsoft.
20:
1:
375:10.1016/j.fsidi.2022.301338
456:
368:. 40, Supplement: 301338.
335:. Microsoft MSDN Library.
321:. Microsoft MSDN Library.
106:Modification time (mtime)
89:structures maintained by
168:on 05/05/02 12:15pm').
158:on 05/05/02 12:15pm').
435:Computer file systems
215:File System Tunneling
400:. Microsoft Support.
301:"What Are MACtimes?"
31:factual accuracy is
299:(October 1, 2000).
115:Access time (atime)
440:Computer forensics
227:Computer forensics
100:computer forensics
305:Dr Dobb's Journal
72:
71:
64:
447:
402:
401:
394:
388:
387:
377:
357:
351:
350:
343:
337:
336:
329:
323:
322:
315:
309:
308:
293:
287:
286:
268:
262:
261:
243:
152:not its contents
131:, starting with
67:
60:
56:
53:
47:
44:reliably sourced
24:
23:
16:
455:
454:
450:
449:
448:
446:
445:
444:
425:
424:
411:
406:
405:
396:
395:
391:
359:
358:
354:
345:
344:
340:
331:
330:
326:
317:
316:
312:
295:
294:
290:
283:
270:
269:
265:
258:
245:
244:
240:
235:
223:
206:
204:Metadata issues
162:Windows systems
141:
117:
108:
68:
57:
51:
48:
37:
29:This article's
25:
21:
12:
11:
5:
453:
451:
443:
442:
437:
427:
426:
423:
422:
419:Cygwin project
410:
409:External links
407:
404:
403:
389:
352:
338:
324:
310:
288:
281:
263:
256:
237:
236:
234:
231:
230:
229:
222:
219:
205:
202:
170:
169:
159:
140:
137:
116:
113:
107:
104:
77:are pieces of
70:
69:
28:
26:
19:
13:
10:
9:
6:
4:
3:
2:
452:
441:
438:
436:
433:
432:
430:
421:mailing list)
420:
416:
413:
412:
408:
399:
393:
390:
385:
381:
376:
371:
367:
363:
356:
353:
348:
342:
339:
334:
328:
325:
320:
314:
311:
306:
302:
298:
292:
289:
284:
282:0-12-163103-6
278:
274:
267:
264:
259:
257:0-12-163103-6
253:
249:
242:
239:
232:
228:
225:
224:
220:
218:
216:
210:
203:
201:
197:
195:
191:
187:
183:
179:
175:
167:
163:
160:
157:
153:
149:
146:
145:
144:
138:
136:
134:
130:
125:
121:
114:
112:
105:
103:
101:
97:
92:
87:
86:computer file
83:
80:
76:
66:
63:
55:
45:
41:
35:
34:
27:
18:
17:
392:
365:
355:
341:
333:"File Times"
327:
319:"File Times"
313:
291:
272:
266:
247:
241:
214:
211:
207:
198:
171:
165:
161:
155:
151:
148:Unix systems
147:
142:
126:
122:
118:
109:
74:
73:
58:
49:
30:
79:file system
429:Categories
297:Dan Farmer
233:References
94:metadata;
384:247735761
75:MAC times
52:June 2012
40:talk page
221:See also
82:metadata
33:disputed
166:created
156:changed
129:Windows
382:
279:
254:
188:, and
380:S2CID
174:POSIX
133:Vista
277:ISBN
252:ISBN
194:NTFS
190:UFS2
182:HFS+
178:ext4
91:Unix
370:doi
186:ZFS
96:ZFS
431::
378:.
364:.
303:.
217:.
184:,
180:,
417:(
386:.
372::
307:.
285:.
260:.
65:)
59:(
54:)
50:(
46:.
36:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.