Are windows file creation timestamps reliable?

forensic timestamp analysis
what are two attributes of a timestamp that could be located on a computer system?
mft timestamps
ntfs timestamps
timestamps in digital forensics
windows file timestamp milliseconds
master file table timestamps
created, modified accessed dates explained

I have a program that uses save files. It needs to load the newest save file, but fall back on the next newest if that one is unavailable or corrupted. Can I use the windows file creation timestamp to tell the order of when they were created, or is this unreliable? I am asking because the "changed" timestamps seem unreliable. I can embed the creation time/date in the name if I have to, but it would be easier to use the file system dates if possible.

If you have a directory full of arbitrary and randomly named files and 'time' is the only factor, it may be more pointful to establish a filename that matches the timestamp to eliminate need for using tools to view it.

2008_12_31_24_60_60_1000  

Would be my recommendation for a flatfile system.

Sometimes if you have a lot of files, you may want to group them, ie:

2008/
2008/12/
2008/12/31
2008/12/31/00-12/
2008/12/31/13-24/24_60_60_1000 

or something larger

2008/
2008/12_31/

etc etc etc.

( Moreover, if you're not embedding the time, what is your other distinguishing characteritics, you cant have a null file name, and creating monotonically increasing sequences is way harder ? need info )

What is the accuracy of file creation or modification dates?, File metadata (e.g. creation date, last modified, etc) is generally a matter of to file system, but in general, these timestamps are not 100% reliable. knows how to rebuild windows and don't know what linux is, then the dates  Time stamps are updated at various times and for various reasons. The only guarantee about a file time stamp is that the file time is correctly reflected when the handle that makes the change is closed. Not all file systems can record creation and last access times, and not all file systems record them in the same manner.

What do you mean by "reliable"? When you create a file, it gets a timestamp, and that works. Now, the resolution of that timestamp is not necessarily high -- on FAT16 it was 2 seconds, I think. On FAT32 and NTFS it probably is 1 second. So if you are saving your files at a rate of less then one per second, you should be good there. Keep in mind, that user can change the timestamp value arbitrarily. If you are concerned about that, you'll have to embed the timestamp into the file itself (although in my opinion that would be ovekill)

[PDF] Filesystem Timestamps: What Makes Them Tick?, between NTFS, FAT32 and exFAT, but also between Windows Operating Systems. file was created, but when it was also modified and if it was copied from reliability of the files and what this timestamp may represent. Evidently, in case of a file creation, every timestamp is going to be new. Since no file existed earlier, none of the timestamps could be inherited. Therefore every one of them is going to be a new one. A good exception is the File System Tunneling though.

Of course if the user of the machine is an administrator, they can set the current time to whatever they want it to be, and the system will happily timestamp files with that time.

So it all depends on what you're trying to do with the information.

File Timestamps, When comparing the files created for this research, it appeared that where order to reduce the amount of digital data created by Windows® automatically as a part Gathering logs with accurate timestamps in central locations, and reviewing  Most Unix systems don't track file creation times. They track a file's modification time, which is updated each time the file is written to. If the files are written sequentially when they are created (i.e. the first file is fully written before the second file is created) and not modified later, then the order of the modification times will be the same as the order of the file creations, but

Windows timestamps are in UTC. So if your timezone changes (ie. when daylight savings starts or ends) the timestamp will move forward/back an hour. Apart from that, and the accuracy of about 2 seconds, there is no reason to think that the timestamps are invalid, and its certainly ok to use them. But I think its bad practice, when you can simply put the timestamp in the name, or in the file itself even.

NTFS Timestamp changes on Windows 10, Windows systems handle four different types of timestamps for a file. NTFS, File Modified, Accessed, $MFT Modified, Created just want to make a test but I wanted to compare them to already existing and reliable results. Windows maintains three different date/timestamps for every file and folder. They are “Date Created”, “Date Modified”, and “Date Accessed”. In some situations, you may have to change the modified, created, or last accessed timestamp of a file or folder. For instance, I had to change the timestamp of some files to test the Robocopy sync method when writing an article on folder compare and synchronization.

What if the system time is changed for some reason? It seems handy, but perhaps some other version number counting up would be better.

Added: A similar question, but with databases, here.

File Times, The system records file times when applications create, access, and write to The only guarantee about a file time stamp is that the file time is  Windows 10 users and administrators have access to both, but the development focus lies clearly on PowerShell. Each file on Windows, and other operating systems as well, has several timestamps associated with it. The file system keeps track of the files creation time, last access time, and last write time.

Is a CD-R a reliable timestamp for a file's creation date? : askscience, I recorded various Word documents, text files, and images into (on Windows), You can prove this for yourself by creating a file with an arbitrary creation date, can be changed to anything before burning, so no, it's not particularly reliable. What do you mean by "reliable"? When you create a file, it gets a timestamp, and that works. Now, the resolution of that timestamp is not necessarily high -- on FAT16 it was 2 seconds, I think. On FAT32 and NTFS it probably is 1 second. So if you are saving your files at a rate of less then one per second, you should be good there.

Interpretation of NTFS Timestamps, For the moment, I am concerned only with NTFS file timestamps. Similar tests need to be created and performed for other timestamp formats. of the '​FILETIME' data structure in the Windows Software Development Toolkit, The translation of a timestamp must be accurate, within the limits of the chosen  BFC was created to help you build file lists from multiple folders then edit their creation, modification, and last accessed times. You can also adjust the file attributes (Read Only, Hidden, and System). It also integrates seamlessly with Windows so that you can copy, paste, and move files around.

How to Change the Last Modified Date, Creation Date, and Last , Every file you create or modify on Windows 10 has file attributes to change the created, modified, and accessed timestamps—change these  Every file and folder in Windows have three timestamps to record the access, creation and modification times. This PowerShell tip shows you how to view and modify the creation time, modification time and access time files and folders in Windows . You'll be very familiar with the dir command in MS-DOS which is used to list files and folders.

Comments
  • You may want to expand on what you are trying to acheive with it more specifically