MAC times

MAC times

MAC times are pieces of file system metadata that record when a file was last modified, accessed, or changed. The technical titles for these times are "mtime", "atime", and "ctime" respectively. Most Unix file systems follow this de facto standard and only store these three pieces of filetime metadata. A small number of file systems store the time when a file was first created, known as "creation time" or "birth time." However, as it is not part of the de facto standard, no naming convention exists. For example, ZFS uses the title "crtime". Windows file systems, such as FAT32 and NTFS are notable for their reuse of "ctime" to refer to "creation time". MAC times are commonly used in computer forensics.

Modification time (mtime)

A file's modification time described when the content of the file most recently changed. Because most file systems do not compare data written to a file with what is already there, if a program overwrites part of a file with the same data as previously existed in that location, the modification time will be updated even though the contents did not technically change.

Access time (atime)

A file's access time identifies when the file was most recently opened for reading. A running program can maintain a file as "open" for some time, so the time at which a file was opened may differ from the time data was most recently read from the file.

Access times are usually updated even if only a small portion of a large file is examined. Windows explorer is known to open many files when searching for icons to represent those files, and the number of MAC time updates can cause significant performance overhead in Windows systems. [http://www.winguides.com/registry/display.php/50/ Disabling NTFS access time updating] can eliminate this problem.

Change time (ctime) and creation time

Unix and Windows file systems interpret 'ctime' differently:

* Unix systems maintain the historical interpretation of ctime as being the time when certain file metadata, "not its contents", were last changed, such as the file's permissions or owner (e.g. 'This files metadata was "changed" on 05/05/02 12:15pm').

* Windows systems are the only systems that use ctime to mean 'creation time' (also called 'birth time') (e.g. 'This file was "created" on 05/05/02 12:15pm').

This difference in usage can lead to incorrect presentation of time metadata when a file created on a Windows system is accessed on a Unix system and vice versa.Fact|date=September 2007 Most Unix file systems don't store the creation time, although some do. NTFS stores both the creation time and the change time.

The semantics of creation times is the source of some controversy. One view is that creation times should refer to the actual content of a file: e.g. for a digital photo the creation time would note when the photo was taken or first stored on a computer. A different approach is for creation times to stand for when the file system object itself was created, e.g. when the photo file was last restored from a backup or moved from one disk to another.

Metadata issues

As with all file system metadata, user expectations about MAC times can be violated by programs which are not metadata-aware. Some file-copying utilities will explicitly set MAC times of the new copy to match those of the original file. Programs which simply create a new file, read the contents of the original, and write that data into the new copy, will produce new files whose ctimes do not match those of the original.

Some programs, in an attempt to avoid losing data if a write operation is interrupted, avoid modifying existing files. Instead, the updated data is written to a new file, and the new file is moved to overwrite the original. This practice also loses the original ctime and creation time metadata.

References

* Casey: Computer Crime Investigation. Luque: Logical Level Analyses of Linux Systems: p 182-183. Sheldon: Forensic Analyses of Windows Systems p 134-135. ISBN 0-12-163103-6.
* http://www.cygwin.com/ml/cygwin/2007-06/msg00436.html

See also

* Computer forensics

External links

* [http://www.hmug.org/man/1/touch.html Manual for a common program to edit a file's timestamps]


Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • MAC — Saltar a navegación, búsqueda El acrónimo MAC puede referirse a: Macintosh, es el nombre con el que actualmente nos referimos a cualquier ordenador personal diseñado, desarrollado, construido y comercializado por Apple Inc. Proyecto Productivo… …   Wikipedia Español

  • Mac — o MAC puede referirse a: Macintosh, una serie de computadoras de Apple Inc.; McIntosh, una variedad de manzana; Mac, un rapero estadounidense; Mac, una novela de John McLean; Mac, un personaje creado por Cartoon Network que es uno de los… …   Wikipedia Español

  • Times Roman — Category Serif Classification Transitional Designer(s) Victor Lardent Comm …   Wikipedia

  • Mac Suzuki — マック鈴木 Calgary Vipers No. 91 Pitcher …   Wikipedia

  • Mac Hall — Author(s) Ian McConville and Matt Boyd Website http://www.machall.com/ Current status / schedule Completed Launch date November 7, 2000 …   Wikipedia

  • Mac Danzig — Born Mac Danzig January 2, 1980 (1980 01 02) (age 31) Cleveland, Ohio, U.S. Nationality …   Wikipedia

  • Times (Schriftart) — Schriftart Times New Roman Kategorie Serif …   Deutsch Wikipedia

  • Mac O'Grady — (born April 26, 1951) born Phil McGleno, aka Phillip McClelland O Grady is an American professional golfer and golf teaching professional who played on the PGA Tour in the 1970s and 1980s, known mainly for his eccentric behavior [… …   Wikipedia

  • Mac OS X — Parte de la familia BSD[1] [2] [3] …   Wikipedia Español

  • Mac OSX — Mac OS X Mac OS X Famille BSD Type de noyau …   Wikipédia en Français

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”