Timestamp Analysis in Windows OS File Systems
Kangas, Marko (2025)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2025111027458
Abstract
The purpose of this thesis was to examine the file system structures and timestamp management practices of three common Windows OS file systems: FAT, exFAT, and NTFS. It also examines their unique characteristics and implications for forensic analysis. FAT is the simplest file system and offers fundamental timestamping capabilities with limited precision. exFAT introduced enhancements for flash-based storage and little improvement for time metadata. NTFS holds comprehensive metadata and multiple timestamp records; it is the most advanced file system and the default in Windows OS.
Timestamps located within file systems are fundamental to digital forensic investigations, offering a possibility to investigate file-related events such as creation, modification, and access. This metadata enables forensic analysts to reconstruct user actions and system behaviours over time. However, the precision and reliability of timestamp data vary significantly across file systems, because each handles metadata differently.
Through an analysis of technical documentation, published research, and forensic literature, this thesis clarifies the behaviours of each file system in response to standard file actions and explores the forensic implications of their timestamp handling. The goal was to provide a deeper understanding of timestamp metadata, of how file systems in Windows OS work, and of how they should be considered when conducting forensic analysis.
