File dates and times

File dates and times

Dates and times can be altered to blend malware into its surroundings. Malware may change its dates and times so that it will appear consistent with the dates and times of other (legitimate) files within a given directory or directories.

Note dates and times relating to a file is metadata stored on the file system it resides. Dates and times relating to a file can also be identified within certain file types, such as an MS Office file or an executable file for example.

The dates and times available to a Windows user from the NT File System are called:

• Date Created

• Date Last Written

• Date Last Accessed

Top Tip: Any file with an identical creation date and time (including identical microseconds) should be treated as suspicious until it can be verified.

Other dates and times available to a user from differing file types include:

• Date Acquired

• Date Archived

• Date Completed

• Date Last Saved

• Date Received

• Date Released

• Date Sent

• Date Taken

• Date Visited

File dates and times are taken from the computer clock that processed the file. Remember file dates and in particular file times are relative and care should be taken when interpreting relevance.

Additional information…

The NT File System actually stores 8 metadata fields relating to dates and times for a given file with only 3 of these fields (as detailed above) being made available to a user via the operating system.

Interestingly the last accessed date and time has been disabled in Windows since the introduction of Windows Vista and that was officially introduced in November 2006!