From ForensicsWiki
Revision as of 17:07, 14 December 2011 by Athulin (Talk | contribs)

Jump to: navigation, search

This article references "MACE" values which I've never heard of. Now, humbly, that doesn't mean a whole lot ;) but I was curious if the author of this page meant to write MAC values instead. Thoughts? AEI Forensics

I'm a n00b ;) I just remembered what the E stands for (the Master File Table Entry Modified time stamp of the file). Do we have a page on here for a proper explanation of the MACE acronym? AEI Forensics
We don't have an article on timestamps per se, but I think it would make a great addition to the NTFS page. Can you help us write it? I've made start. Jessek

Delete Timestamps?

The article text says something about TimeStomp being able to delete timestamps. That must surely be nonsense.

A timestamp (FILETIME) is just a number from 0 up to some maximum. It can be overwritten, it can be zeroed out, but it cannot be deleted. The timestamp 0 or 1 is as valid as any other timestamp.

There are some utility libraries that cannot convert such timestamps to 'strings', and instead produce something like 'Illegal time', or just an empty string, but that is due to bugs in that particular software, and should not be assumed to be anything else.Athulin 09:07, 14 December 2011 (PST)