The Truth About Windows Explorer Timestamps

13Cubed, 20.01.2026, 2,444 views, 112 likes


Video description
In this episode, we’ll uncover how Windows Explorer really retrieves file timestamps when you browse a directory of files. Learn why these timestamps actually come from the $FILE_NAME attribute in the parent directory’s $I30 index, not from $STANDARD_INFORMATION, and how NTFS structures like $INDEX_ROOT and $INDEX_ALLOCATION make this process efficient.

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

📖 Chapters
00:00 - Intro
01:02 - Recap of MACB Timestamps
04:52 - Recap of $I30
06:58 - Conclusion

🛠 Resources
$STANDARD_INFORMATION vs. $FILE_NAME: https://dfir.ru/2021/01/10/standard_information-vs-file_name/

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

Contents (4 segments)

Intro

Welcome to 13Cubed. In this episode, we're going to talk about one of the most confusing topics in Windows forensics. I can think of several that come to mind, but this topic is the one that I'm most frequently asked about in YouTube videos and in the official 13Cubed training course, Investigating Windows Endpoints. By the way, this episode is sponsored by the official 13Cubed training courses. So, check them out today at training.13cubed.com. We cover Windows, Linux, and macOS, so all of the major operating systems. And these courses are extremely comprehensive, include plenty of hands-on practice, include a certification attempt at no additional cost, and a full year of access. 13cubed.com. Okay, back to the episode.

We're going to be talking about timestamps, but not just any timestamps. Specifically, we're going to be talking about those displayed to us within Windows Explorer. So, if I go into the desktop, as you can see here, and then click on the 13Cubed folder, which is on the desktop, you're going to notice that we have eight files

Recap of MACB Timestamps

here. Now, let's start with a quick recap of the things that we should already be familiar with at this point. We know that by default, Windows Explorer is going to show us the Date modified timestamp. That's the M in MACB. MACB represents the four flavors of timestamps that are available to us within Windows. We've got modification, or M; access, or A; MFT record change, which is a metadata change, and that's C; and then finally, we have birth or creation, which is B. So that's M, A, C, B, which we typically refer to as MACB. Now, there are certainly a lot more than just four timestamps, but those are the four flavors of timestamps that get stored within various structures within Windows NTFS, the file system in use in modern versions of Windows. Okay, so that should be no new information to you unless you're completely new to forensics, in which case, welcome.

Now, we also know that we can turn on the A, or access time, and the B, which is birth or creation time. We know that we cannot see the C timestamp. That's a behind-the-scenes metadata change timestamp and something that's not shown to us within Windows Explorer. So, we can see three of those four flavors of timestamps within Windows Explorer.

Okay, we also know that the $STANDARD_INFORMATION timestamps are the timestamps that are exposed to the Windows API. Remember, within the MFT, every file and directory has an MFT file record, and every one of those file records has a set of $STANDARD_INFORMATION timestamps. So those four MACB timestamps are stored within that structure. Now, of course, we also know that there's another set of timestamps called $FILE_NAME, and possibly two sets of those if we have a long file name in play, because again, we have one set for the long file name and one for the 8.3-compatible short name. So, that's up to 12 timestamps that can be stored within $STANDARD_INFORMATION and $FILE_NAME within each file's or directory's MFT file record. So far so good.
Now, we've been taught forever that those $STANDARD_INFORMATION timestamps are the ones exposed to the Windows API, and most forensic material states that the information that you're seeing here within Windows Explorer is taken from $STANDARD_INFORMATION. But that's not technically correct. Let's talk about why. If we assume that's the way it worked, then let's think through the process of what Windows would need to do to obtain these timestamps. We'll start with the anatomy of an NTFS file record, which is right here. So let's say that the Windows operating system needs to get the timestamp for that file to display to us. And if it did work by obtaining the $STANDARD_INFORMATION timestamp, that would mean that the operating system is going to have to access the master file table, or MFT, iterate through it to find the MFT file record that represents this file, open it, then find the $STANDARD_INFORMATION timestamps, and then yoink out the M timestamp from that particular MFT file record. Then we would move to the next file and we would start the process over again, meaning the operating system would need to iterate through the entire MFT, find the MFT file record for this file, find the $STANDARD_INFORMATION set of timestamps, and once again yoink out the M timestamp. And then we move to the next file, and the next, and so on until we've covered all of the files in this particular folder or directory. Now, if it did work like that, which it does not, that would be extremely inefficient.

Instead, these timestamps are actually being taken from the $I30. Now, you may be familiar with $I30. If you're not, we have a comprehensive 13Cubed episode, albeit a bit older, that does cover that particular artifact. I'm actually going

Recap of $I30

to go off on a side quest here and recap $I30 for you, and then we'll talk about why the $I30 is actually what's used to provide these specific timestamps. First off, you should know that the $I30 is not an actual file that you can go look at and see. They are exposed if you open up something like FTK Imager, but it's not really something that exists. It's more of a virtual construct that's a combination of three different things. And those three things are $BITMAP, $INDEX_ROOT, and in some cases $INDEX_ALLOCATION. So really, those three things together make up what we call $I30.

$BITMAP is just simply a bitmap within that particular structure that indicates whether a record is in use or not in use. $INDEX_ROOT is always going to be present in a directory's MFT entry. This is going to store the index of file names when the directory is small enough to fit directly inside the MFT record. Usually, we have a few hundred bytes of space available. The index entries here follow the $I30 format, meaning that each entry contains file name metadata, including the file name, the file size, timestamps, and a file reference. Now, if the directory is small, meaning it only contains a few files, everything is going to be contained within $INDEX_ROOT. But we can have a situation in which we have $INDEX_ALLOCATION. This particular attribute is created when the directory grows too large to fit within $INDEX_ROOT. This is going to store additional index records in clusters outside of the MFT, but it's still linked to the $I30 structure. These index records are divided into index blocks, typically 4K each. And each block starts with an INDX header, together with $BITMAP, which is again used to track those used and unused records. $INDEX_ALLOCATION supports very large directories.
So again, the combination of these three things together is what we typically refer to as $I30. Okay. So that's

Conclusion

all well and good, and that's a nice refresher. But why would Windows Explorer obtain the file names here? Well, you may remember that $I30 is going to store $FILE_NAME timestamps, but we already said that $STANDARD_INFORMATION are the timestamps exposed to the Windows API. So why would $FILE_NAME timestamps be used in this case? Well, you should first know that those $FILE_NAME timestamps within the $I30 are almost always aligned with $STANDARD_INFORMATION. So they should match in almost every case. And in this case, I can tell you that they do match.

Now, the reason why the timestamps are pulled from $I30 is just because of efficiency. Instead of having to iterate through the entire MFT looking for the MFT file records for these eight files, we can go directly to the $I30 and pull out the timestamps specifically for the files in this specific folder or directory. That is far more efficient than iterating through the entire MFT. And that's why Windows Explorer is showing the timestamps from this structure. Now, I realize that seems a bit hard to believe in some cases, but if you'll check the description below, you'll find a link to an article at dfir.ru that explains this in great detail.

So, there you have it. Now you know that the Windows Explorer timestamps are not technically $STANDARD_INFORMATION timestamps and are instead pulled from the $I30 for this specific folder or directory. I hope you found this information useful, and as always, thanks for watching, thanks for subscribing, and I'll see you in the next 13Cubed.
