On-disk File Timestamps

The Single Unix Specification, Base Definitions (XBD), Section 4.8 entitled “File Times Update” states

“An implementation may update timestamps that are marked for update immediately, or it may update such timestamps periodically.”

This means, for example, that file read and write operations are free to set the appropriate flags in the in-memory structures and do the actual updating of the on-disk filesystem structures at a later time.

Assuming “periodically” means from time to time, this implies that a POSIX-compliant operating system is free to update its on-disk structures whenever it is convenient for the operating system to do so. Should the operating system crash, the on-disk recorded times might therefore not reflect the true last access times.

BSD and Solaris UFS are two filesystems that exhibit such behavior. The Solaris UFS filesystem does not update access times unless the disk is accessed or certain events occur. BSD only periodically updates its on-disk filesystem timestamps. On BSD, all timestamps that are marked for update are updated when the file ceases to be open by any process or before a fstat(), fstatat(), fsync(), futimens(), lstat(), stat(), utime(), utimensat(), or utimes() is successfully performed on the file.

From a forensics viewpoint, this implies that you need to understand the underlying filesystem’s on-disk timestamp updating mechanism before you can rely on an individual file timestamp.
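As an added illustration (not part of the original post), the following Python probe classifies how the filesystem under a directory handles access-time updates on read, using the Linux mount-option policies strictatime, relatime and noatime as the assumed model; it generalizes the point above from BSD and Solaris UFS to a filesystem an examiner can test directly. The probe file, its contents and the timestamp values are constructed; stat() reports the kernel’s in-memory inode, so this shows the update policy, not whether the value has reached disk.

```python
import os
import tempfile
import time


def probe_atime_policy(directory=None):
    """Return "noatime", "relatime" or "strictatime" for the filesystem
    holding `directory` (default: the system temp dir).

    Constructed probe: create a file, set atime/mtime with os.utime(),
    read it, and see whether the kernel advanced atime. The decision
    rules assume Linux semantics: relatime updates atime only when it is
    older than mtime or more than a day old; noatime never updates it.
    """
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"timestamp probe\n")
        now = time.time()
        # Probe 1: atime two days old and older than mtime. Both strictatime
        # and relatime update here, so no change means noatime.
        old = now - 2 * 86400
        os.utime(path, (old, now - 3600))
        with open(path, "rb") as f:
            f.read()
        if os.stat(path).st_atime <= old + 1:
            return "noatime"
        # Probe 2: atime newer than mtime and recent. Only strictatime
        # updates here; relatime leaves the value alone.
        recent = now - 60
        os.utime(path, (recent, now - 3600))
        with open(path, "rb") as f:
            f.read()
        if os.stat(path).st_atime > recent + 1:
            return "strictatime"
        return "relatime"
    finally:
        os.unlink(path)


def mtime_advances_on_write(directory=None):
    """A write marks mtime for update; stat() must report the new value
    (from the in-memory inode) even if the on-disk copy lags behind."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.close(fd)
        old = time.time() - 86400
        os.utime(path, (old, old))
        with open(path, "ab") as f:
            f.write(b"x")
        return os.stat(path).st_mtime > old + 1
    finally:
        os.unlink(path)
```

Run it against each mount you intend to draw timeline evidence from; a "noatime" or "relatime" result means a file’s access time may predate reads that actually happened.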
