One Day Sec

What are the four NTFS file time attributes and why is MFTChangeTime important in forensics?

The four NTFS time attributes are CreateTime, AccessTime, LastWriteTime, and MFTChangeTime. MFTChangeTime is critical for forensics because it records changes to the Master File Table entry; if an attacker modifies other timestamps without updating MFTChangeTime, an inconsistency (MFTChangeTime being newer) reveals tampering.

---
**Related reading:**
- Penetration Techniques - Time Attributes of NTFS Files in Windows — original article
- Penetration Basics - Implementation of Exchange One-Liner Backdoor
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails
- Steganography Techniques - Hiding Payloads Using JPEG File Format