MACB Timestamps
What Are MACB Timestamps
MACB stands for Modified, Accessed, Changed, and Birth (sometimes Creation).
M (Modified): When the file content was last modified.
A (Accessed): When the file was last read.
C (Changed): When the file's metadata (like permissions, name, or MFT record) was last changed. On NTFS this is often referred to as “MFT record changed.”
B (Birth): The file creation time (when the file was first created).
On some file systems (especially Unix-like ones), only the MAC timestamps (no “B”) are available.
How MACB Timestamps Are Stored in NTFS
In NTFS, MACB times are stored in at least two attributes of an MFT (Master File Table) record:
$STANDARD_INFORMATION attribute
$FILE_NAME attribute
Each of these attributes has its own set of MACB timestamps.
Because there are multiple places that store similar timestamps, you can compare them for timestomping detection:
The $STANDARD_INFORMATION MACB timestamps are more easily modified by regular processes / anti-forensics tools.
The $FILE_NAME MACB timestamps are much harder to tamper with (because they’re usually modified only by the kernel).
Behavior & Timestamp Rules (NTFS)
Some rules govern when each of the MACB timestamps will be updated, depending on file operations: creation, copy, rename, move, access, etc.
Important nuance: Access timestamp (A) updates are not always reliable or enabled. On NTFS, the registry value NtfsDisableLastAccessUpdate controls whether last-access updates happen.
When you move a file on the same NTFS partition, the “Changed” timestamps (C) in both the $STANDARD_INFORMATION and $FILE_NAME attributes update to reflect the move.
If you copy a file between NTFS volumes:
The new file inherits some timestamps (like “Modified” and “Changed”) from the original.
The “Access” and “Birth” (creation) times may reflect the time of the copy, not the original.
Forensic Value
Timeline Analysis: MACB timestamps are very valuable for building forensic timelines — you can see when a file was created, when it was read, when metadata changed, and when content was modified.
Timestomping Detection: Since $STANDARD_INFORMATION is easier to change than $FILE_NAME, comparing the two can reveal potential tampering. For example, if $STANDARD_INFORMATION shows older times than $FILE_NAME, it’s suspicious.
High Precision: On NTFS, timestamps are stored with very high precision (100-nanosecond intervals) as part of the NTFS metadata.
Anti-Forensics Awareness: Attackers may use tools like TimeStomp to modify MACB times. Detecting this often involves checking for inconsistencies, such as mismatched timestamps or abnormal patterns.
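The $STANDARD_INFORMATION versus $FILE_NAME comparison described above, as an added Python example (not code from the original page): it converts raw NTFS FILETIME ticks, flags every MACB field where $SI precedes $FN, and, as an extra heuristic that is an assumption beyond the text, flags whole-second $SI values. The MFT records are constructed sample dicts of the kind an MFT parser such as MFTECmd would produce.

```python
from datetime import datetime, timedelta, timezone

# NTFS stores each MACB value as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Raw FILETIME ticks -> aware UTC datetime (truncated to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME ticks, using integer arithmetic only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def timestomp_indicators(si: dict, fn: dict) -> list:
    """Compare the $STANDARD_INFORMATION (si) and $FILE_NAME (fn) MACB values of one
    MFT record. Both dicts map 'M', 'A', 'C', 'B' to raw FILETIME ticks.
    Returns a list of indicator strings; an empty list means nothing was flagged."""
    findings = []
    for key in "MACB":
        if si[key] < fn[key]:
            # $SI is writable through user-mode APIs; $FN is maintained by the kernel.
            # $SI predating $FN is the inconsistency the text describes.
            findings.append(f"{key}: $SI {filetime_to_datetime(si[key])} precedes "
                            f"$FN {filetime_to_datetime(fn[key])}")
        if si[key] % TICKS_PER_SECOND == 0:
            # Heuristic (assumption, not from the page): a whole-second $SI value
            # suggests it was written with second granularity rather than by NTFS.
            findings.append(f"{key}: $SI has zero sub-second ticks")
    return findings


def ft_utc(*args) -> int:
    """Build a constructed sample FILETIME from UTC date/time components."""
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))


# Constructed suspect record: kernel-set $FN says 2023 with sub-second detail,
# while $SI claims whole-second times in 2019 (what a backdated file can look like).
SUSPECT_FN = {k: ft_utc(2023, 5, 10, 12, 0, 0, 123456) for k in "MACB"}
SUSPECT_SI = {k: ft_utc(2019, 1, 1, 0, 0, 0) for k in "MACB"}

# Constructed clean record: $SI at or after $FN, all with non-zero sub-second ticks.
CLEAN_FN = dict(SUSPECT_FN)
CLEAN_SI = {"M": ft_utc(2023, 6, 1, 9, 30, 0, 500000), "A": ft_utc(2023, 6, 2, 9, 0, 0, 42),
            "C": ft_utc(2023, 6, 1, 9, 30, 0, 500000), "B": SUSPECT_FN["B"]}

if __name__ == "__main__":
    for name, si, fn in (("suspect", SUSPECT_SI, SUSPECT_FN), ("clean", CLEAN_SI, CLEAN_FN)):
        print(name, timestomp_indicators(si, fn) or "no indicators")
```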
Challenges / Caveats
Because there are multiple attributes (SI and FN), interpreting MACB timestamps requires care — you need to know which attribute a timestamp came from.
Not all file system operations update all timestamps in straightforward ways — some operations may only change certain MACB fields, depending on the OS and configuration.
The “Access” timestamp (A) may be disabled or not updated frequently, depending on system settings.
Because timestamps carry 100-nanosecond precision, they can be manipulated more subtly, which makes anti-forensic timestomping harder to detect.
Tools & Techniques
nTimeTools: A tool that can read (and modify) MACB timestamps with 100-nanosecond precision.
MFTECmd / Other MFT Parsers: Use MFT parsing tools to extract MACB values from both $STANDARD_INFORMATION and $FILE_NAME.
Timeline Correlation: Compare MACB times with other artifacts (e.g., USN Journal, Event Logs) to validate or question file activity / timestomping.