No sooner had I posted the last article than I started getting questions, all along the same theme.
“What about NTFS?” they shouted.
“I’m working on it,” I replied.
And so I was.
To review, HFS+ has five timestamps:
- Created
- Modified (last written)
- Accessed
- Record Change
- Added Date
NTFS, on the other hand, has eight:
- Created (standard information attribute)
- Last Written (standard information attribute)
- Accessed (standard information attribute)
- Metadata Change (standard information attribute)
- Created (filename attribute)
- Last Written (filename attribute)
- Accessed (filename attribute)
- Metadata Change (filename attribute)
If you want to know how timestamps on NTFS are affected in a Windows environment, SANS has a great chart on their Windows Forensic Analysis poster here: http://dfir.to/GET-FREE-DFIR-POSTER. It is, however, important to know that NTFS is handled differently on MacOS.
NTFS to HFS+
NTFS is natively supported as read-only in MacOS. As such, copying items from an NTFS volume to an HFS+ volume is straightforward. Here’s what you can expect to see on the HFS+ volume when copying files:
- Created – Inherited from the original
- Modified – Inherited from the original
- Accessed – Updated to time of copy
- Record Changed – Updated to time of copy
- Added Date – Updated to time of copy
HFS+ to NTFS
In order to make MacOS write to NTFS partitions you have three options, which are detailed here: http://www.howtogeek.com/236055/how-to-write-to-ntfs-drives-on-a-mac/. Note the warning about enabling NTFS write support using Apple’s own driver.
I’m cheap and lazy so I chose to use the Tuxera NTFS trial for this testing. This is being run with the default options including the “Store extended attributes natively” option. Other methods may change this, but I’m not worrying about that for now.
Once this is up and running, copying or moving files from HFS+ to NTFS impacts the timestamps on the destination in the following ways:
- Created (standard information attribute) – Inherited from the original
- Last Written (standard information attribute) – Inherited from the original
- Accessed (standard information attribute) – Updated to time of copy
- Metadata Change (standard information attribute) – Updated to time of copy
- Created (filename attribute) – Updated to time of copy
- Last Written (filename attribute) – Updated to time of copy
- Accessed (filename attribute) – Updated to time of copy
- Metadata Change (filename attribute) – Updated to time of copy
Something important to note here is that the meta-files (those beginning with “._”) are not generated on the NTFS volume when the option for “Store extended attributes natively” is enabled. The extended attributes are stored elsewhere on the NTFS volume.
If you uncheck that option in the Tuxera NTFS settings, the meta-files are created. So, once again, if I copy/move a file from HFS+ to NTFS with this option disabled, the target file’s timestamps are updated as above and the new, companion “._” file is generated with all eight timestamps being updated to the date and time the file was created on that volume.
File Duplication on an NTFS Volume
If a user decides to use the “duplicate” option in MacOS to copy a file on an NTFS volume, the date and time fields for the new file are impacted in the following way:
- Created (standard information attribute) – Inherited from the original
- Last Written (standard information attribute) – Inherited from the original
- Accessed (standard information attribute) – Updated to time of copy
- Metadata Change (standard information attribute) – Updated to time of copy
- Created (filename attribute) – Updated to time of copy
- Last Written (filename attribute) – Updated to time of copy
- Accessed (filename attribute) – Updated to time of copy
- Metadata Change (filename attribute) – Updated to time of copy
Once again, with the default options, no meta-file is generated. But disable the option for “Store extended attributes natively” and the meta-file is generated with all eight timestamps being updated to when the companion file was duplicated.
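As an added example (not from the original article or from Tuxera), here is the pattern listed above for both the HFS+ to NTFS copy and the duplicate, written as a check over the four timestamps at the start of the standard information attribute and the four in the filename attribute. The function names, the two-second tolerance and the sample bytes are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# On-disk order of the four 64-bit values in both attributes.
FIELDS = ("created", "last_written", "metadata_change", "accessed")

def filetime_to_dt(ft):
    """NTFS stores times as 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_times(attr_content, offset):
    """Timestamps start at offset 0 in $STANDARD_INFORMATION content and at
    offset 8 in $FILE_NAME content (after the parent directory reference)."""
    raw = struct.unpack_from("<4Q", attr_content, offset)
    return {name: filetime_to_dt(v) for name, v in zip(FIELDS, raw)}

def mac_copy_time(si, fn, tolerance=timedelta(seconds=2)):
    """Return the apparent copy time if the eight values fit the pattern, else None.
    tolerance is an assumption: values 'updated to time of copy' may differ slightly."""
    copy_time = min(fn.values())
    updated = list(fn.values()) + [si["accessed"], si["metadata_change"]]
    if any(abs(t - copy_time) > tolerance for t in updated):
        return None  # the six "updated" fields do not agree on one moment
    inherited = (si["created"], si["last_written"])
    if any(t > copy_time + tolerance for t in inherited):
        return None  # inherited values cannot postdate the copy
    if all(abs(t - copy_time) <= tolerance for t in inherited):
        return None  # all eight equal: indistinguishable from a file created in place
    return copy_time

def sample_record(orig_created, orig_written, copied):
    """Constructed sample attribute bytes, not taken from a real volume."""
    c, w, x = (dt_to_filetime(d) for d in (orig_created, orig_written, copied))
    si = struct.pack("<4Q", c, w, x, x)
    fn = struct.pack("<Q4Q", 0, x, x, x, x)  # placeholder parent reference, then times
    return si, fn

if __name__ == "__main__":
    utc = timezone.utc
    si_raw, fn_raw = sample_record(datetime(2015, 3, 1, 9, tzinfo=utc),
                                   datetime(2016, 6, 2, 10, 30, tzinfo=utc),
                                   datetime(2017, 1, 15, 14, 5, tzinfo=utc))
    print(mac_copy_time(parse_times(si_raw, 0), parse_times(fn_raw, 8)))
```

A match only says the eight values are consistent with the behaviour described in this article; it does not by itself identify the tool or operating system that wrote the file.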
So there you go. Now, for anyone asking about Ext2, 3 or 4… go away. Ain’t nobody got time for that.