Cyber Security

What is the significance of the MACE (Modified, Accessed, Created, Entry Modified) structure in File System Forensics?

AN Asked by Andrew Scott · 01-07-2024
0 upvotes 19,136 views 0 comments
The question

In File System Forensics (specifically NTFS), investigators often refer to the MACE structure of a file's metadata. What exactly does each of the four components (M, A, C, E) represent, and why is the Entry Modified (E) time often the most reliable timestamp for tracing user activity in a Digital Forensics investigation, particularly when the file's Modified (M) time might be misleading?

3 answers

0
CH
Answered on 12-07-2024

MACE is an acronym used in File System Forensics (especially NTFS) to summarize the four main file metadata timestamps:

  • M (Modified): The last time the contents of the file were changed.

  • A (Accessed): The last time the file was read or opened (often disabled on modern Windows systems for performance).

  • C (Created): The time the file was created.

  • E (Entry Modified): The last time the file's metadata (like file name, size, permissions, or MACE times themselves) was modified within the directory entry. The Entry Modified (E) time is often considered the most reliable indicator of user activity because it is updated whenever the file is moved, renamed, or copied, or when its contents are modified. The Modified (M) time is misleading because automated processes (like virus scans or backup software) can change file contents without direct user interaction. The E time provides a reliable record of the last structural change made to the file's directory entry, which is highly relevant to establishing the user's interaction with the digital evidence

0
GE
Answered on 20-07-2024

If a malicious user attempts to erase their tracks by running a file wiping utility, how do Digital Forensics tools still manage to recover data? Is it through analyzing the MACE structure, or by leveraging residual data in unallocated space? 

AN 28-07-2024

George, both! A simple file wiping utility usually just changes the MACE times and deletes the file entry in the Master File Table (MFT), marking the space as "unallocated." Digital Forensics tools immediately focus on recovering data from this unallocated space (the raw data blocks). Sometimes, the MACE information itself (particularly the Entry Modified time) is still intact within the MFT entry and can reveal when the deletion or wipe attempt occurred, providing crucial digital evidence even if the contents are gone.

0
SA
Answered on 05-08-2024

MACE (Modified, Accessed, Created, Entry Modified) times are critical metadata points. The Entry Modified (E) time provides the best trail of user activity because it records changes to the file's directory entry (renaming, moving, etc.), which is often more reliable than the Modified (M) time when tracking a user's interaction with digital evidence

CH 11-08-2024

Sarah, and investigators must also remember that the file system maintains two sets of MACE times: one in the directory entry (which the E time modifies) and one in the file record itself. Tools have to be smart enough to correlate both!

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session