One Day Sec

What are the four time attributes in the NTFS file system, and why is MFTChangeTime particularly important for forensics?

The four NTFS time attributes are CreateTime, AccessTime, LastWriteTime, and MFTChangeTime. MFTChangeTime records when the Master File Table entry was last modified. In forensics, if MFTChangeTime is later than the other three timestamps, it often indicates unauthorized modification—a key sign of an attacker tampering with files. Tools like SetMace can help examine this attribute. For more on related forensic techniques, see our article on Penetration Techniques - Time Attributes of NTFS Files in Windows.