/MAC Times and file wiping

MAC Times and file wiping

My article regarding MAC Times and file deletion generated some feedback. Some people contacted me regarding this article and shared some experiences with me of cases where they were able to retrieve a deletion timestamp from the MAC times. The key factor in these cases was the fact that these files were deleted with a file wiping tool.

Like I explained last week, the MAC times contain the Modified, Access and Creation time. When a file is moved to the recycle bin, the modified time is updated. In this case, the modified time will only indicate when the file was moved to the recycle bin, not when it was actually deleted. One could argue that a file was accidentally moved to the recycle bin and that the user didn’t actually delete the files. When someone asks you when a file was deleted, it is important to know that the modified time will not indicate when the file was actually removed from the system. If the user skipped the recycle bin (shift+delete) the modified time will not be updated and will have no relation whatsoever with the deletion time.

However, if someone uses a tool to wipe the file from the system, it is possible the modified time does match the deletion time. Some tools replace the contents of a file with zeroes or random data before deleting the file causing the modified time to be updated. If you encounter a deleted file that appears to have been wiped, the modified time might indicate the time the file was deleted. However, without any additional proof, you can’t be certain. The MAC times are an unreliable way to determine when a file was deleted.