In accordance with 4 time stamps which are Created time(crtime), Modifiled time aka Last Wrriten(mtime), Changed time aka Entry Modifiled(ctime) and Accessed time(atime), fte outputs type of time stamp to type column on some tab. It will be determined by micro information and combination with 4 time stamps, then objects(files/folders) are classified into one of pre-defined categories. It helps investigator to track specified objects.
The following are current pre-defined category.
FAT
Time stamps fit into FAT resolution.
- atime - 1 day
- mtime - 2 seconds
- ctime - no value (1601/01/01 00:00:00+time zone on fte)
- crtime - 10 millisecond
exFAT
Time stamps fit into exFAT resolution.
- atime - 2 seconds
- mtime, crtime - 10 millisecond
- ctime - no value (1601/01/01 00:00:00+time zone on fte)
Unix(POSIX)
crtime, mtime and atime are Unix(POSIX) style timestamp (i.e. time stamp resolution is 1 second).
- atime, mtime, ctime, crtime - 1 second
Objects on Ext2/3 and HFS+ through network share belong to this type.
DOS
ctime has 100 nanosecond resolution and the others are DOS style time stamp.
- atime, mtime, crtime - 2 seconds
- ctime - 100 nanosecond
Some application treat time stamp of objects as this type.
FAT/ZIP/LZH->NTFS
mtime is DOS style and the others have 100 nanosecond resolution.
- atime, ctime, crtime - 100 nanosecond
- mtime - 2 seconds
Usually mtime tends to maintained by copy operation. For example, object on FAT is copied into NTFS, the type is "FAT/ZIP/LZH->NTFS". Also, ZIP/LZH format adopts DOS style for mtime of target object. When it's extracted, common utility set this mtime to extracted object. So files from ZIP/LZH belong to "FAT/ZIP/LZH->NTFS". However, there are optional format in ZIP/LZH and it's possible to store Unix(POSIX) or FILETIME style. Eventually the behavior depends on implementation.
exFAT->NTFS
mtime has 10 millisecond resolution, the others has 10 nanosecond resolution.
- atime, ctime, crtime - 100 nanosecond
- mtime - 10 millisecond
For example, object on exFAT is copied into NTFS, the type is "exFAT->NTFS"
SYSTEMTIME
crtime, mtime and atime are SYSTEMTIME style, i.e. millisecond resolution.
- atime, mtime, crtime - 1 millisecond
- ctime - 100 nanosecond
Some utility utilize SYSTEMTIME style. As far as I know, "Change File Time Stamp" and "FileTouch" utility change timestamp using SYSTEMTIME API. For example if the timestamp of object are manipulated such utility, type is SYSTEMTIME.
FILETIME
None of the above applies, the type is FILETIME.
- atime, mtime, ctime, crtime - 100 nanosecond