One Day Sec

Why does dropping a new file on a target system alter the parent directory's time attributes, and how can investigators detect such activity?

Creating, deleting, or renaming a file changes the parent directory's AccessTime, LastWriteTime, and MFTChangeTime. Investigators can use tools like SetMace to examine these attributes; if the directory's MFTChangeTime is later than the other timestamps without a legitimate reason, it may indicate file deployment by an attacker.
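The check described above, as an added example that is not code from the original article: it goes one step beyond the answer by reading the four timestamps straight from the content of an NTFS `$STANDARD_INFORMATION` attribute (four little-endian FILETIME values: creation, last write, MFT change, last access) and flagging directories whose MFTChangeTime is later than all the others. The sample paths, the sample timestamps and the 2-second tolerance are assumptions constructed for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("CreationTime", "LastWriteTime", "MFTChangeTime", "AccessTime")

def filetime_to_dt(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed samples."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_standard_information(content):
    """Return the four timestamps stored at offsets 0, 8, 16 and 24."""
    if len(content) < 32:
        raise ValueError("content too short for four FILETIME values")
    values = struct.unpack_from("<4Q", content, 0)
    return {name: filetime_to_dt(v) for name, v in zip(FIELDS, values)}

def change_time_outlier(ts, tolerance=timedelta(seconds=2)):
    """True when MFTChangeTime is later than every other timestamp (tolerance is an assumption)."""
    newest_other = max(ts[name] for name in FIELDS if name != "MFTChangeTime")
    return ts["MFTChangeTime"] - newest_other > tolerance

def build_sample(created, written, changed, accessed):
    """Constructed input: the four timestamps plus 16 zero bytes for the remaining fields."""
    return struct.pack("<4Q", *map(dt_to_filetime, (created, written, changed, accessed))) + bytes(16)

# Constructed directory records (hypothetical paths and times, not real evidence).
T_BASE = datetime(2023, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
T_EVENT = datetime(2023, 6, 14, 2, 17, 45, tzinfo=timezone.utc)
SAMPLES = {
    "C:\\ExampleA": build_sample(T_BASE, T_EVENT, T_EVENT, T_EVENT),  # all three moved together
    "C:\\ExampleB": build_sample(T_BASE, T_BASE, T_EVENT, T_BASE),    # only MFTChangeTime is recent
}

def triage(samples):
    """Return the paths whose MFTChangeTime stands out from the other timestamps."""
    return [p for p, raw in samples.items() if change_time_outlier(parse_standard_information(raw))]

if __name__ == "__main__":
    for path in triage(SAMPLES):
        print("review:", path)
```

A flagged directory is a lead for review, not proof: as the answer says, the mismatch matters only when no legitimate activity explains it.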

---
**Related reading:**
- Penetration Techniques - Time Attributes of NTFS Files in Windows — original article
- Zimbra SOAP API Development Guide
- Unauthorized file copying via COM component IFileOperation
- Setting Up ADAudit Plus Vulnerability Debugging Environment