Introduction
File system timestamps are fundamental artifacts in digital forensics investigations, providing crucial metadata about file operations and user activities. Windows 11 has introduced significant changes to NTFS timestamp behavior, particularly affecting the traditional MCAB (Modified, Accessed, Changed, Birth) timestamp patterns that forensic analysts rely upon for timeline reconstruction and evidence analysis.
Understanding MCAB Timestamps
The four primary timestamps in NTFS provide essential forensic artifacts:
- Modified (M): Records when file content was last changed
- Accessed (A): Tracks when the file was last opened or read
- Changed (C): Documents when file metadata was last modified
- Birth (B): Captures the original creation time of the file
These timestamps work together to provide a comprehensive audit trail of file activity within the NTFS file system.
Key Changes in Windows 11
Windows 11 has introduced performance-oriented optimizations that significantly alter timestamp behavior. The most notable change affects the metadata change (C) timestamp, which now updates less frequently in modern Windows systems. This modification represents Microsoft’s effort to reduce unnecessary disk I/O operations while maintaining system performance.
MCAB Analysis: Windows 11 Test Results
The following table presents systematic test results conducted on a Windows 11 system with NTFS file system:
| Time | Action (Windows 11, NTFS) | Modified | Accessed | Change (metadata) | Birth (Creation) |
|---|---|---|---|---|---|
| 10:00 | User creates new document on Desktop | Yes 10:00 | Yes 10:00 | Yes 10:00 | Yes 10:00 |
| 10:05 | User adds more text to document, then saves | Yes 10:05 | No 10:00 | Yes (file size) 10:05 | No 10:00 |
| 10:10 | User moves file to My Documents | No 10:05 | No 10:00 | No* 10:05 | No 10:00 |
| 10:15 | User renames the file | No 10:05 | No 10:00 | No* 10:05 | No 10:00 |
| 10:20 | User copies file to NTFS USB drive | No 10:05 | Yes 10:20 | No* 10:20 | Yes 10:20 |
| 10:25 | User moves file (cut/paste) to USB drive | No 10:05 | Yes 10:25 | No* 10:20 | No 10:00 |
| 10:30 | User makes new copy to another directory | No 10:05 | Yes 10:30 | No* 10:20 | Yes 10:30 |
* Critical Change: The metadata change (C) timestamp behavior has been modified in Windows 11, updating less frequently.
Forensic Analysis of Operations
File Creation
- All four timestamps (MCAB) are synchronized to the current system time
- Establishes the baseline for all subsequent timestamp tracking
- Behavior remains consistent across Windows 10/11
Content Modification
- Modified (M) timestamp: Updates immediately upon content changes and save operations
- Accessed (A) timestamp: May not update due to system optimization settings
- Changed (C) timestamp: Updates when file size or other significant metadata changes
- Birth (B) timestamp: Remains unchanged, preserving original creation time
File System Operations (Move/Rename)
Critical Finding: Windows 11 introduces significant changes:
- Move operations: No longer trigger metadata change (C) timestamp updates
- Rename operations: Similarly avoid updating the change timestamp
- Forensic impact: Traditional timestamp analysis techniques may yield different results
Copy Operations
File copying in Windows 11 follows these patterns:
- Modified (M) timestamp: Inherited from the source file
- Birth (B) timestamp: Set to current time
- Accessed (A) timestamp: Updated to current time
- Changed (C) timestamp: Follows the new Windows 11 optimization rules
Windows Forensics Tools
Windows Artifacts
How NTFS Self-References Its $MFT
Acquiring RAM Through Cooling Methods