E.I. Dukhan – Ph.D.(Eng.), Associate Professor, 

Ural Federal University named after the first President of Russia B.N.Yeltsin (Ekaterinburg)

N.S. Knyazeva – Post-graduate Student, 

Ural Federal University named after the first President of Russia B.N.Yeltsin (Ekaterinburg)

Restoring a sequence of user actions or system events by examining file system metadata is a poorly studied task that many experts are solving. The main file system metadata includes timestamps. File timestamps can be stored in various areas of the file system. Each and every file has timestamps within the file record of the MFT (Master File Table). Some files contain timestamps within their structure. Such timestamps are updated by a certain application software assigned to this very file format. Huge amounts of timestamps are stored in special system files required for the operation of the operating system. Timestamps of the MFT are of our main interest, as this element is the basic structure of the NTFS data file system, crucial for the operation of the file system. Review of the published papers indicate high interest in the analysis of timestamps; however, most authors consider only 3 or 4 timestamps contained in attributes of the MFT. Their observations are limited to a small number of file operations, while the objects under study are represented by the similar files, which prevents the authors from making accurate conclusions when examining the mechanisms of timestamp modification. Thus, it is necessary to develop a methodology for studying the nature of changes in timestamps when performing file operations, since incorrectly performed experiments can lead to incorrect conclusions. In this paper develop a methodology for studying changes in the timestamps of file objects. A methodology has been developed for studying changes in the timestamps of file objects, which describes the steps for preparing file objects, conducting experiments, and recording results. FTA (File Time Analyzer) command let was developed to monitor the creation and update of the file timestamps in NTFS. This software detects and displays twelve timestamps from the MFT for each file object. The observation results obtained allow concluding that there are regularities in the file timestamp changes during operations with them. Many file operations have a unique influence on the nature of timestamp changes. The observation data obtained are generalized in table of change in timestamps for the NTFS and Windows XP, 7, 8 10.

1. Kerrie B. Kriminalisticheskii analiz failovykh sistem. SPb.: Piter. 2007. 480 s. (in Russian)
2. Chow K., Law F., Kwan M., Lai K. The Rules of Time on NTFS File System. Second International Workshop on Systematic Approaches to Digital Forensic Engineering. 2007. URL = i.cs.hku.hk/cisc/forensics/papers/RuleOfTime.pdf (data obrashcheniya: 03.06.2019).
3. Matveeva V.S. Kriminalisticheskii podkhod k analizu vremennykh atributov failov v operatsionnoi sisteme semeistva Microsoft Windows i failovoi sisteme NTFS. Bezopasnost informatsionnykh tekhnologii. 2013. № 1. (in Russian)
4. Minnaard W. Timestomping NTFS. 2014. URL = http://www.delaat.net/rp/2013−2014/p48/report.pdf (03.06.2019).
5. Knutson T. Filesystem Timestamps: What Makes Them Tick? 2016.  URL = https://www.sans.org/reading-room/whitepapers/forensics/filesystem-timestamps-tick-36842 (data obrashcheniya 03.06.2019).
6. NtfsDisableLastAccessUpdate. URL = https://technet.microsoft.com/en-us/library/cc959914.aspx (data obrashcheniya 03.06.2019).
7. Russinovich M., Solomon D., Ionesku A., Iosifovich P. Vnutrennee ustroistvo Windows. Izd. 7-e. SPb.: Piter. 2018. 944 s.
8. https://docs.microsoft.com/en-us/sysinternals/downloads/clockres+ (data obrashcheniya 03.06.2019). (in Russian)