In this episode, we'll revisit NTFS MACB timestamps and take a look at how file creations, accesses, modifications, renames, copies, and moves affect them. Then, we'll take a look at how Windows 11 has changed the behavior associated with some of those timestamps.
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
๐ Chapters
00:00 - Intro
02:24 - File Creation
02:54 - File Access and NtfsDisableLastAccessUpdate
05:12 - File Modification
06:18 - File Rename
07:33 - File Copy
09:50 - File Move
12:53 - Correction
14:02 - Timestamp Changes in Windows 11
๐ Resources
Windows MACB Timestamps (NTFS Forensics):
https://www.youtube.com/watch?v=OTea54BelTg
Windows 11 Time Rules:
https://www.khyrenz.com/blog/windows-11-time-rules/
#Windows11 #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
