|This article's factual accuracy is disputed. (June 2012)|
MAC times are pieces of file system metadata which record when certain events pertaining to a computer file occurred most recently. The events are usually described as "modification" (the data in the file was modified), "access" (some part of the file was read), and "metadata change" (the file's permissions or ownership were modified), although the acronym is derived from the "mtime", "atime", and "ctime" structures maintained by Unix file systems. Windows file systems do not update ctime when a file's metadata is changed, instead using the field to record the time when a file was first created, known as "creation time" or "birth time". Some other systems also record birth times for files, but there is no standard name for this metadata; ZFS, for example, stores birth time in a field called "crtime". MAC times are commonly used in computer forensics. The name Mactime was originally coined by Dan Farmer, who wrote a tool with the same name.
Modification time (mtime)
A file's modification time describes when the content of the file most recently changed. Because most file systems do not compare data written to a file with what is already there, if a program overwrites part of a file with the same data as previously existed in that location, the modification time will be updated even though the contents did not technically change.
Access time (atime)
A file's access time identifies when the file was most recently opened for reading. A running program can maintain a file as "open" for some time, so the time at which a file was opened may differ from the time data was most recently read from the file.
Access times are usually updated even if only a small portion of a large file is examined.
Because some computer configurations are much faster at reading data than at writing it, updating access times after every read operation can be very expensive. Some systems mitigate this cost by storing access times at a coarser granularity than other times; by rounding access times only to the nearest hour or day, a file which is read repeatedly in a short time frame will only need its access time updated once. Some systems also provide options to disable access time updating altogether.
Microsoft turned off Access Times starting in Vista. A user can turn them on but MS found it slowed down programs. Access Times are not reliable for this reason. Special note for Law Enforcement.
Change time and creation time (ctime)
Unix and Windows file systems interpret 'ctime' differently:
- Unix systems maintain the historical interpretation of ctime as being the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was changed on 05/05/02 12:15pm').
- Windows systems use ctime to mean 'creation time' (also called 'birth time') (e.g. 'This file was created on 05/05/02 12:15pm').
This difference in usage can lead to incorrect presentation of time metadata when a file created on a Windows system is accessed on a Unix system and vice versa. Most Unix file systems don't store the creation time, although some, such as HFS+, ZFS, and UFS2 do. NTFS stores both the creation time and the change time.
The semantics of creation times is the source of some controversy. One view is that creation times should refer to the actual content of a file: e.g. for a digital photo the creation time would note when the photo was taken or first stored on a computer. A different approach is for creation times to stand for when the file system object itself was created, e.g. when the photo file was last restored from a backup or moved from one disk to another.
As with all file system metadata, user expectations about MAC times can be violated by programs which are not metadata-aware. Some file-copying utilities will explicitly set MAC times of the new copy to match those of the original file. Programs which simply create a new file, read the contents of the original, and write that data into the new copy, will produce new files whose ctimes do not match those of the original.
Some programs, in an attempt to avoid losing data if a write operation is interrupted, avoid modifying existing files. Instead, the updated data is written to a new file, and the new file is moved to overwrite the original. This practice loses the original file metadata, unless the program explicitly copies the metadata from the original file.
- Luque, Mark E. (2002). "Logical Level Analyses of Linux Systems". In Casey, E. Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 182–183. ISBN 0-12-163103-6.
- Sheldon (2002). "Forensic Analyses of Windows Systems". In Casey, E. Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 134–135. ISBN 0-12-163103-6.
- Dan Farmer (October 1, 2000). "What Are MACtimes?". Dr Dobb's Journal.
- "File Times". Microsoft MSDN Library.