Fundamental Timestamps

Files within NTFS contain several timestamps that record crucial metadata about their history and usage. Understanding these timestamps, their meaning, and their reliability is fundamental for accurate analysis during screenshares. The most commonly referenced set is known by the acronym MACB:

  • (M) Modified: This timestamp precisely indicates the last time the content of the file itself was altered. Actions like saving changes within a document, editing image data, recompiling code within an executable, or appending data to a log file will update the Modified time.

  • (A) Access: This timestamp is intended to record the last time the file was accessed, whether it was opened for reading, written to, or executed. However, in the context of screensharing, this timestamp is considered unreliable as definitive proof of direct user interaction or execution. Numerous background system processes, indexing services (like Windows Search), antivirus scanners, compatibility assistants, and even simply navigating folders in Explorer can trigger updates to the Access time without the user actively opening or running the file. Relying on the Access time to prove a cheat was executed by the player can easily lead to false positives and incorrect conclusions. Its evidentiary value is often minimal in isolation.

  • (C) Changed: This timestamp reflects the last time the file's metadata was altered within the Master File Table ($MFT) entry. This includes changes to file attributes (like Read-Only, Hidden), security permissions (ACLs), renaming the file, or moving the file within the same volume. Note that modifying the file's content (which updates the Modified time) does not necessarily update the Changed time unless metadata is also altered simultaneously.

  • (B) Birth: This timestamp marks the exact moment the file was created on the specific file system volume (e.g., the C: drive, a USB drive). It's crucial to understand that copying a file from one location to another (even on the same volume, but especially to a different volume) results in the copied file receiving a new Birth time corresponding to the moment the copy operation completed at the destination. Moving a file within the same volume typically preserves the original Birth time but updates the Changed time.

Accurate interpretation demands acknowledging the nuances of each timestamp, especially the general unreliability of the Access time for proving deliberate user actions in typical screenshare scenarios. Corroboration with other artifacts is almost always necessary.
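The following PowerShell script is an added example, not part of the original guide: it reads the timestamps Windows exposes for a file and then shows the copy-versus-move behaviour of the Birth time described above. It assumes a writable scratch directory under $env:TEMP on an NTFS volume; the (C) Changed time is not surfaced by the .NET file APIs, so it is not shown.

```powershell
# Added example (not from the original guide): observe M/A/B timestamps and
# verify how copy vs. move on the same volume affects the Birth time.
# Assumes $env:TEMP lives on an NTFS volume and is writable.
# Get-Item exposes Modified (LastWriteTime), Access (LastAccessTime) and
# Birth (CreationTime) only; the $MFT-entry "Changed" time needs an $MFT parser.

function Get-Mab {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Name     = $item.Name
        Modified = $item.LastWriteTime.ToString('o')
        Access   = $item.LastAccessTime.ToString('o')
        Birth    = $item.CreationTime.ToString('o')
    }
}

# Is last-access updating disabled on this volume? If it is, the Access column
# carries even less meaning. (May need an elevated prompt.)
fsutil behavior query DisableLastAccess

$work = Join-Path $env:TEMP ('mactest-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# Constructed sample file; its Birth and Modified times are "now".
$orig = Join-Path $work 'original.txt'
Set-Content -LiteralPath $orig -Value 'constructed sample content'
$before = Get-Mab $orig
Start-Sleep -Seconds 2   # let later operations land on a later second

# 1. Copy: the destination gets a fresh Birth time; Modified is carried over.
$copy = Join-Path $work 'copied.txt'
Copy-Item -LiteralPath $orig -Destination $copy

# 2. Move/rename within the same volume: Birth time of the original survives.
$moved = Join-Path $work 'moved.txt'
Move-Item -LiteralPath $orig -Destination $moved

$before, (Get-Mab $copy), (Get-Mab $moved) | Format-Table -AutoSize
# Expect: copied.txt has a later Birth than original.txt but the same Modified;
#         moved.txt keeps original.txt's Birth and Modified.

Remove-Item -LiteralPath $work -Recurse -Force
```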
