MAC Times and file deletion

A lot of times during investigations you get the question “when was this file deleted?”, and most of the time there is no exact answer. In the forensic community there is a lot of debate about whether you can say anything about the deletion date and time of a file using the MAC times. The short answer is no, you can’t.

The long answer is a bit more complicated. The MAC times on a Windows machine contain the following information:

  • Modified time: The last time the contents of the file were modified.
  • Access time: The last time the file was opened for reading.
  • Creation time: The time when this file was created.

None of these records holds information about when the file was deleted. This makes sense. When you delete a file, you want it gone as soon as possible. There is no need to update a record saying “this file was deleted on X”, since Windows has no way of reading this information or retrieving the file after it was deleted. You will always have to use third-party tools in order to restore deleted data.

How is it that some people argue that the MAC times contain the date of deletion? This has to do with the Modified time. When you delete a file in Windows, it normally ends up in the recycle bin. When doing so, the file is moved to a special directory on the drive called “$Recycle.Bin”. During this move, the file is modified, and this is what causes the modified time to be changed. So the modified time might contain the date and time when the file was moved to the recycle bin. It does not, however, contain the date and time when the file was actually deleted from the system.

When you delete a file bypassing the recycle bin (e.g. Shift+Delete), the modified time will not change. When you are investigating a case and encounter a deleted file, you cannot assume that the modified time is the time the file was deleted. The MAC times are not a reliable way to determine when a file was deleted.
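To see the three MAC timestamps from the list above in practice, and to check for yourself which of them a recycle-bin-style move touches and what is left to read once the file is really gone, here is an added example; it is not code from the original post. It records the timestamps of a constructed sample file, moves it into a stand-in directory (`RecycleBinSim`, an assumed name used in place of `$Recycle.Bin`), and then deletes it. The function names (`mac_times`, `changed_fields`, `run_demo`) are the example's own. Note the platform caveat on the third field: `st_ctime` is the creation time on Windows but the inode change time on POSIX systems, so the same script reports a different third timestamp depending on where you run it.

```python
"""Added example (not from the original post): read a file's MAC timestamps
before and after a move into a recycle-bin-style directory, and again after
deletion, to see which fields change and what survives the delete.

Assumptions: CPython 3.8+, any OS. On Windows, st_ctime is the creation time;
on POSIX it is the inode *change* time, not creation. (Python 3.12+ on Windows
also exposes st_birthtime for creation time.)
"""
import os
import tempfile
import time
from typing import Dict, Optional

FIELDS = ("modified", "accessed", "created_or_changed")


def mac_times(path: str) -> Optional[Dict[str, float]]:
    """Return the MAC timestamps of *path*, or None if the file no longer exists.

    A deleted file has no stat record left to read: there is no field that
    could hold a deletion time, which is the point the post makes.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return {
        "modified": st.st_mtime,            # last content modification
        "accessed": st.st_atime,            # last read access
        "created_or_changed": st.st_ctime,  # Windows: creation; POSIX: metadata change
    }


def changed_fields(before: Dict[str, float], after: Dict[str, float]) -> Dict[str, bool]:
    """Report, per timestamp, whether it differs between two snapshots."""
    return {field: before[field] != after[field] for field in FIELDS}


def simulate_recycle_and_delete(root: str) -> Dict[str, object]:
    """Create a sample file under *root*, move it to a recycle-bin stand-in, delete it.

    Returns which timestamps the move changed and what mac_times() returns afterwards.
    """
    # Assumed stand-in directory name; Windows uses the hidden $Recycle.Bin folder.
    bin_dir = os.path.join(root, "RecycleBinSim")
    os.makedirs(bin_dir, exist_ok=True)

    original = os.path.join(root, "evidence.txt")
    with open(original, "w") as fh:
        fh.write("constructed sample content\n")  # constructed test data
    snap_created = mac_times(original)
    time.sleep(0.05)  # keep any timestamp update distinguishable on coarse clocks

    recycled = os.path.join(bin_dir, "evidence.txt")
    os.rename(original, recycled)  # same-volume move, like sending to the recycle bin
    snap_moved = mac_times(recycled)
    time.sleep(0.05)

    os.remove(recycled)  # the real delete: the file's own stat record is gone
    return {
        "move_changed": changed_fields(snap_created, snap_moved),
        "after_delete": mac_times(recycled),
    }


def run_demo() -> Dict[str, object]:
    """Run the simulation inside a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return simulate_recycle_and_delete(tmp)


if __name__ == "__main__":
    result = run_demo()
    for field, did_change in result["move_changed"].items():
        print(f"move changed {field:18s}: {did_change}")
    print("timestamps readable after delete:", result["after_delete"])
```

Run it on the filesystem you are actually examining rather than trusting a general rule: the `move_changed` dictionary tells you which of the three fields that particular move touched, and `after_delete` is always `None`, because once the entry is gone there is simply nothing left on the file itself to date the deletion from.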