NTFS, the current Windows file system, stores several different dates and times for every file, and more of them than most people think: eight timestamps are kept in the MFT entry for every file.
There are in fact four dates, not three, that are easily accessible to the forensic investigator, and four more that are also accessible but require slightly more effort.
NOTE: The initial naming convention used here is not the same as that used in EnCase or FTK; it is chosen for ease of reference for readers without a forensic background. The correct names for the dates are given at the end of this article.
For every file on an NTFS volume, there are the following dates:
- File Created
- File Accessed
- File Modified
- MFT Entry Modified
Each of these dates is explained below:
File Created: This is the date the file was “created” on the volume. It does not change when working normally with a file, e.g. opening, closing, saving, or modifying it. Note, however, that a copy of a file is a new file and receives a new creation date, whereas a move within the same volume keeps the original one; this is why a copied file can show a creation date that is later than its modified date.
File Accessed: This is the date the file was last accessed. An access can be a move, an open, or any other simple access. It can also be tripped by anti-virus scanners or Windows system processes, and NTFS does not necessarily write the update immediately (on Windows XP the recorded time can lag the actual access by up to an hour). Since Windows Vista, last-access updates are disabled by default (the NtfsDisableLastAccessUpdate setting), so on those systems the date often reflects when the file was created or copied rather than any later access. Therefore caution has to be used when stating that a “file was last accessed by user XXX” if the NTFS “File Accessed” date is the only evidence to work from.
File Modified: This date, as shown by Windows, changes when there has been a change to the content of the file itself. E.g. if more data is added to a Notepad document, the modified date is updated.
MFT Entry Modified: A basic understanding of NTFS and the MFT is required for this section. This date is not shown by Windows Explorer or the average Windows interface, but requires forensic tools, e.g. EnCase, FTK, iLook, WinHex, etc. It shows when the MFT entry that points to the file of concern was last changed. Because the dates, file name and file sizes are all stored in the MFT, a change to any of them updates this date. For example, if the file size changes, the MFT Entry Modified date changes; if the file is renamed, the MFT Entry Modified date changes. It also moves with changes to the entry that leave the content alone, such as a permissions change, which is why it can be later than the File Modified date even though the user never edited the file.
There are another four dates in NTFS within the MFT: the $FILE_NAME attribute of each entry holds its own created, modified, MFT-modified and accessed set, alongside the four in $STANDARD_INFORMATION that Windows displays. These will be covered later.
EnCase Date Formats:
EnCase reports these dates in the following manner:
- File Created = EnCase “File Created”
- File Accessed = EnCase “Last Accessed”
- File Modified = EnCase “Last Written”
- MFT Entry Modified = EnCase “Entry Modified”
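As an added example (not code from the original post), the following Python script shows where the eight timestamps sit inside a raw 1024-byte MFT record and pulls both sets out: the four in $STANDARD_INFORMATION that Explorer and EnCase display, and the four in $FILE_NAME that need the extra effort. The record bytes are constructed in build_mft_record() so the script runs offline; the attribute layouts (type 0x10 and 0x30 headers, the FILETIME encoding, the update-sequence fixups) are the documented NTFS ones, while the file name "report.docx", record number 42 and all timestamp values are made up for the demonstration. It goes slightly beyond the text: timestamp_anomalies() compares the displayed $SI set against the $FN set, which is the check an examiner runs when the visible dates look too convenient, because user-mode SetFileTime changes only the $SI copies.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_NAMES = ("created", "modified", "entry_modified", "accessed")  # on-disk order

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; kept here to microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def _resident_attr(attr_type, content):      # 24-byte header, content at +24, padded to 8
    padded = content + bytes(-len(content) % 8)
    header = struct.pack("<IIBBHHHIHBB", attr_type, 24 + len(padded),
                         0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return header + padded

def build_mft_record(si_times, fn_times, name, record_number=42, usn=0x0102):
    """Constructed record (not from a real volume): $SI and $FN each hold C, M, E(MFT), A."""
    si = struct.pack("<QQQQIIII", *si_times, 0x20, 0, 0, 0)          # 0x20 = ARCHIVE flag
    parent = 5 | (5 << 48)                                           # root dir is MFT entry 5
    fn = struct.pack("<QQQQQQQIIBB", parent, *fn_times, 0, 0, 0x20, 0, len(name), 1)
    fn += name.encode("utf-16-le")                                   # namespace 1 = Win32
    body = _resident_attr(ATTR_STANDARD_INFORMATION, si) + _resident_attr(ATTR_FILE_NAME, fn)
    body += struct.pack("<I", END_MARKER)
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1,
                         56 + len(body), RECORD_SIZE, 0, 3, 0, record_number)
    rec = bytearray(header + bytes(8) + body)
    rec += bytes(RECORD_SIZE - len(rec))
    # Update sequence array at +48: the USN, then the last word of each 512-byte sector,
    # which on disk is overwritten with the USN so that torn writes can be detected.
    struct.pack_into("<H", rec, 48, usn)
    for i in (1, 2):
        end = i * SECTOR
        rec[48 + 2 * i:50 + 2 * i] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)

def apply_fixups(record):
    """Reverse the fixups; a USN mismatch means a torn or corrupt record, not trustworthy dates."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def iter_resident_attributes(rec):
    off = struct.unpack_from("<H", rec, 20)[0]                       # first attribute offset
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                                        # non-resident flag clear
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            yield atype, rec[off + coff:off + coff + clen]
        off += alen

def parse_timestamps(record):
    """Return the four $SI dates (what Explorer/EnCase show) and the four $FN dates."""
    out = {"name": None, "$SI": None, "$FN": None}
    for atype, content in iter_resident_attributes(apply_fixups(record)):
        if atype == ATTR_STANDARD_INFORMATION:
            times = struct.unpack_from("<QQQQ", content, 0)
            out["$SI"] = dict(zip(TIMESTAMP_NAMES, map(filetime_to_datetime, times)))
        elif atype == ATTR_FILE_NAME and out["$FN"] is None:       # first name only
            times = struct.unpack_from("<QQQQ", content, 8)          # after the parent ref
            out["$FN"] = dict(zip(TIMESTAMP_NAMES, map(filetime_to_datetime, times)))
            out["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
    return out

def timestamp_anomalies(ts):
    """Heuristics only: $SI is settable from user mode, $FN is not, so disagreement is a lead."""
    si, fn, findings = ts["$SI"], ts["$FN"], []
    if si and fn and si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created (backdated creation time?)")
    for key, value in (si or {}).items():
        if value.microsecond == 0:      # whole-second values are typical of SetFileTime tools
            findings.append("$SI %s has no sub-second part" % key)
    return findings

def demo_records():
    t0 = datetime(2009, 3, 31, 16, 14, 7, 123456, tzinfo=timezone.utc)  # made-up times
    created = datetime_to_filetime(t0)
    saved = datetime_to_filetime(t0 + timedelta(days=2, seconds=3.5))
    clean = build_mft_record((created, saved, saved, saved), (created,) * 4, "report.docx")
    backdated = datetime_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))
    stomped = build_mft_record((backdated, saved, saved, saved), (created,) * 4, "report.docx")
    return clean, stomped
```

Call `parse_timestamps()` on either record from `demo_records()` (or on a 1024-byte record read from a raw $MFT) and pass the result to `timestamp_anomalies()`. The "clean" record is a file saved two days after creation, so $SI modified, entry-modified and accessed have moved while $FN still holds the creation set; the "stomped" record has its $SI created date pushed back to 2005 with a bare-second value, which the two heuristics both flag. A fixup mismatch raises rather than returning dates, since a torn record is not evidence of anything.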
March 31, 2009 at 4:14 pm
[…] formatted hard drive has an entry in the MFT, including the MFT itself. Because of this the MFT has created, modified, last written, and entry modified dates associated with […]
April 2, 2009 at 11:54 am
[…] always going to be important. Every file on a modern Windows system has numerous dates, from the Created, Modified, Last Written, and Entry Modified dates in the NTFS, to the dates in Link files, registry entries, and […]
April 10, 2009 at 2:09 pm
[…] mean in EnCase? Posted on April 10, 2009 by Rob EnCase can display a variety of dates, including created, written, and accessed, one date which often causes confusion for computer forensics examiner is “Entry […]
July 18, 2012 at 2:28 pm
I have a file where the date created and the date modified are identical; what does this mean? E.g. does it mean that the person wrote the document and then saved it at the same time?
December 8, 2014 at 2:19 pm
What is the method of writing a file in NTFS?
June 4, 2016 at 2:00 pm
Awesome! It's a really remarkable paragraph; I have got a much clearer idea from this article.
November 24, 2016 at 2:30 am
[…] Known by the term CMA: Creation Time, Modified Time and Accessed Time. The explanation can be seen here. […]
October 26, 2017 at 4:39 pm
Did not help me at all
August 21, 2018 at 6:42 pm
Neither did this 🙂
January 19, 2018 at 10:27 am
Hi there
Can I just ask, then: recently I uploaded photos and videos from my iPhone to my laptop, and on the recent ones the original taken date isn’t showing? Only different dates that seem to be the date I uploaded them. Can the original taken date be viewed at all? Older ones previously put on the laptop show the exact date taken and when uploaded. I’m confused!!
August 21, 2018 at 6:41 pm
Dates will depend on how you moved them, e.g. did you copy them, move them via the cloud, etc.? Dates from photos will often be in the actual photo, which will be metadata. This could include GPS information, date, time, flash used, etc.