MAC times

MAC times are pieces of file system metadata which record when certain events pertaining to a computer file occurred most recently. The events are usually described as "modification" (the data in the file was modified), "access" (some part of the file was read), and "metadata change" (the file's permissions or ownership were modified), although the acronym is derived from the "mtime", "atime", and "ctime" structures maintained by Unix file systems. Windows file systems do not update ctime when a file's metadata is changed^{[citation needed]}, instead using the field to record the time when a file was first created, known as "creation time" or "birth time". Some other systems also record birth times for files, but there is no standard name for this metadata; ZFS, for example, stores birth time in a field called "crtime". MAC times are commonly used in computer forensics.^[1]^[2] The name Mactime was originally coined by Dan Farmer, who wrote a tool with the same name.^[3]

^ Luque, Mark E. (2002). "Logical Level Analyses of Linux Systems". In Casey, E. (ed.). Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 182–183. ISBN 0-12-163103-6.
^ Sheldon (2002). "Forensic Analyses of Windows Systems". In Casey, E. (ed.). Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 134–135. ISBN 0-12-163103-6.
^ Dan Farmer (October 1, 2000). "What Are MACtimes?". Dr Dobb's Journal.

[1] Luque, Mark E. (2002). "Logical Level Analyses of Linux Systems". In Casey, E. (ed.). Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 182–183. ISBN 0-12-163103-6.

[2] Sheldon (2002). "Forensic Analyses of Windows Systems". In Casey, E. (ed.). Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press. pp. 134–135. ISBN 0-12-163103-6.

[3] Dan Farmer (October 1, 2000). "What Are MACtimes?". Dr Dobb's Journal.

[1]

[2]

[3]