Why does overwriting a file change all four NTFS time attributes, and how can this help a forensic investigator?
When a file is overwritten, the NTFS file system updates all four timestamps (CreateTime, AccessTime, LastWriteTime, and MFTChangeTime) to reflect the new content. A forensic investigator can detect this by comparing the timestamps against each other: if MFTChangeTime differs significantly from the other three, especially if it is newer, it suggests tampering, because MFTChangeTime cannot be set through the normal user-mode file API and so survives attempts to rewrite the other three. Additionally, examining the MFT record for inconsistencies between the $STANDARD_INFORMATION and $FILE_NAME attributes can reveal hidden operations. For related techniques, see our articles on Penetration Techniques - File Recovery and Deletion in Windows Systems and Penetration Techniques - USN Journal of NTFS Files in Windows.
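The two comparisons described above, as an added example that is not part of the original article: a small Python checker that takes the four timestamps from an MFT record's $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) attributes and reports the anomalies an investigator would look for. The sample records are constructed, not taken from any real image, and the `skew` tolerance is an assumed value.

```python
from datetime import datetime, timedelta

FIELDS = ("CreateTime", "AccessTime", "LastWriteTime", "MFTChangeTime")


def stamps(create, access, write, change):
    """Build one attribute's four timestamps from ISO 8601 strings."""
    return dict(zip(FIELDS, map(datetime.fromisoformat,
                                (create, access, write, change))))


def check_record(si, fn, skew=timedelta(minutes=5)):
    """Return a list of anomaly descriptions; an empty list means consistent."""
    findings = []
    # 1. MFTChangeTime is maintained by the kernel and is not settable
    #    through the user-mode API. If it is newer than the other three SI
    #    timestamps by more than `skew`, those three were likely rewritten.
    others = [si[f] for f in FIELDS if f != "MFTChangeTime"]
    if si["MFTChangeTime"] - max(others) > skew:
        findings.append("SI MFTChangeTime newer than other SI timestamps")
    # 2. FN timestamps are set by the kernel at creation and on rename/move,
    #    so an SI timestamp that predates its FN counterpart is suspicious.
    for f in FIELDS:
        if si[f] < fn[f] - skew:
            findings.append(f"SI {f} predates FN {f}")
    # 3. Whole-second SI values across the board are a common side effect of
    #    timestamp-setting tools; genuine NTFS stamps carry sub-second parts.
    if all(si[f].microsecond == 0 for f in FIELDS):
        findings.append("all SI timestamps have zero fractional seconds")
    return findings


# Constructed sample records (not taken from any real image).
T = "2024-03-01T10:00:00.123456"
CLEAN_SI = stamps(T, T, T, T)
CLEAN_FN = stamps(T, T, T, T)
# An overwritten file whose SI times were pushed back to 2020 afterwards;
# FN and MFTChangeTime still reflect the real activity.
OLD = "2020-01-01T00:00:00"
TAMPERED_SI = stamps(OLD, OLD, OLD, "2024-03-01T12:00:00")
TAMPERED_FN = stamps(T, T, T, T)

if __name__ == "__main__":
    for name, si, fn in (("clean", CLEAN_SI, CLEAN_FN),
                         ("tampered", TAMPERED_SI, TAMPERED_FN)):
        print(name, check_record(si, fn) or "no anomalies")
```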