In many situations, ranging from business transactions to computer forensics investigations, it can be important to know the date and time a file was created, accessed, or changed. Modern Windows operating systems (Windows 9x through XP) keep records of these three values for each file and directory. These are called time stamps.
However, the time stamps displayed by the operating system are by no means foolproof. For various reasons, the dates and times recorded may be inaccurate. This could be because the computer’s system clock has been incorrectly set, whether by a software program or by a user, and whether inadvertently or deliberately in order to create a false time stamp. There are also a large number of programs available that are designed for manipulating time stamps.
In this Daily Drill Down, we will look at how the Windows operating systems handle time stamps, how to view the time stamps on files and directories, and why and how time stamps are changed.
How Windows handles time stamps
The Windows operating systems handle time stamping differently depending on the file system in use, since this is actually a file system functionality. The major difference is in the resolution time, which can vary from 10 milliseconds for “create time” on FAT-formatted files to one hour for “access time” on NTFS-formatted files. Another difference is in the way the time is recorded. FAT uses the local time that is set in your operating system’s regional settings, but NTFS uses Universal Time Coordinate (UTC) to record times (so as not to be affected by time zones and daylight savings time).
UTC, or Universal Time Coordinate, is basically the same as Greenwich Mean Time (GMT) and is determined by very precise atomic clocks at time labs in various parts of the world. For more information, check out this Web page of the U.S. Naval Observatory.
All Windows file systems record the same three values:
- Time/Date Created: When you create a new file or directory, this value is set and does not normally change (unless you deliberately change it). If you make a new copy of a file and save it to a different location, it is treated as a new file and a new creation time stamp is set. Moving a file or simply renaming it does not create a new file, and thus does not give the file a new creation time stamp. (Note: It is possible to end up with a file that has a modification time that’s earlier than its creation time when you make a new copy of a file.)
- Time/Date Modified: This is also called the Last Written date. Whenever the contents of the file are changed, or files are added to or deleted from a directory, this time stamp changes. Renaming the file doesn’t change the modification time stamp. Neither does opening the file without making any changes to it.
- Time/Date Accessed: This is supposed to show the last time the file was accessed, but experience proves that opening and reading a file without making changes does not immediately change this time stamp in Windows XP (this is because of the variance in resolution time mentioned earlier).
Writing to the Security log
In Windows XP and other NT-based operating systems, you’ll find that the modified and accessed dates/times are usually the same, even if you open, read, and close the file. This can be a problem when it’s important to know whether a file has been read since it was modified. One solution is to use object access auditing to write an event to the Security log whenever someone accesses a file or other object. To do so, you must turn on auditing in group policy and enable auditing for the particular file(s) or folder(s). To learn more about auditing local file and folder access in Windows 2000, check out this TechRepublic article.
Viewing time stamps
All the 32-bit Windows operating systems track all three time stamp values described above, and there are three ways you can view this information: individually for each file through its properties, for all files and subdirectories in a directory through Explorer, or at the command line.
Viewing time stamps for an individual file or directory
You can view the time stamps for a particular file or directory through its Properties dialog box (accessed by right-clicking the file and selecting Properties). This information for the individual file is displayed on the General tab, as shown in Figure A.
|You can view the creation, modification, and access dates in a file’s Properties dialog box.|
Viewing time stamps via Windows Explorer
If you want to view the information for all files and subdirectories in a directory at a glance, you can do so in Windows Explorer. However, by default, only the modification date and time are shown. If you also want to view the creation and last access dates, you’ll need to make some changes to the Explorer display. We’ll use Windows XP to show you how to make Explorer display all the time values, but the procedure is the same in Windows 2000.
Open Explorer and right-click the column title bar in the right pane (where the column labels Name, Size, Type, and Date Modified appear). In the context menu that appears, as shown in Figure B, click Date Created so that a checkmark appears beside it.
|Right-click the column labels in the right pane to add a column for Date Created.|
Now a column for Date Created will appear in Explorer. However, you’ll note that Date Accessed doesn’t appear in the list. To display that one, you must click More at the bottom of the list. This will display the Choose Details box shown in Figure C.
|After clicking More, check the checkbox for Date Accessed in the Choose Details box.|
Now Explorer will display columns for the date and time of all three values, as shown in Figure D.
|Explorer displays all three time stamp values: Date Modified, Date Created, and Date Accessed.|
Viewing time stamps at the command line
Another way to view the time stamps is via the DIR command at the command line. By default, when you run the DIR command on a directory, the modification date and time (last written) is shown for each file and subdirectory in the working directory, as shown in Figure E.
|The DIR command shows you the modification (last written) date and time for each file and subdirectory.|
You can instead view the date and time of creation or last access by using the /t switch along with the c or a parameter. The syntax is dir /t:c or dir /t:a. Figure F shows the results.
|You can use the /t switch to change the time stamp displayed with the DIR command.|
To change back to displaying the modification date and time, use the command dir /t:w.
Application time stamp info
Some applications also display time stamp information. This is usually accessed from the File menu, through a Properties or Document Info selection.
Time stamp display options
We mentioned that NTFS records time stamps in UTC. However, time stamps are translated to the local time selected in your Time/Date settings in Control Panel. Additionally, although UTC normally uses a 24-hour clock, the way time stamps will be displayed in Windows depends on your Regional settings. By default, AM/PM is used, but you can display time stamps in military time (24 hour) by performing the following steps:
- In Control Panel, select Regional and Language Options.
- Next to the Standards And Formats selection—for example, English (United States)—click the Customize button.
- Select the Time tab.
- In the Time Format field, select H:mm:ss (no leading zero) or HH:mm:ss (with leading zero) to display time in 24-hour notation instead of AM/PM.
- Click Apply to make the change. Note that all displays of time on the system, including the clock in the system tray, will now use 24-hour time.
Similarly, you can change the format in which the date is displayed by using the Date tab.
Changing time stamps on files and directories
There are a number of software programs you can use to change the time stamps on files and folders. Some do this as one of many functions, and others exist for this purpose only. In this section, I’ll look at some that I’ve tried, but many others are available—often at no cost from the utilities section of shareware and freeware download Web sites.
Time stamp date limitations
You generally can’t set a time stamp to a date prior to Jan. 1, 1980, on a FAT or FAT32 partition, but you can set dates at least back to 1752 on NTFS formatted files (depending on the software you’re using to change the dates).
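The on-disk encodings behind these limits, and behind the local-time versus UTC difference described earlier, decoded in Python as an added example (not code from the original article). It goes beyond the article by spelling out the bit layouts, assuming the standard FAT directory-entry date/time words and the Win32 FILETIME format; the function names and the `tenths` parameter are illustrative.

```python
from datetime import datetime, timedelta, timezone

# NTFS stores a 64-bit count of 100-nanosecond ticks since this instant, in UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_filetime(ticks):
    """NTFS/FILETIME value -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def encode_filetime(dt):
    """Timezone-aware datetime -> FILETIME ticks; dates before 1601 do not fit."""
    delta = dt - FILETIME_EPOCH
    if delta < timedelta(0):
        raise ValueError("FILETIME cannot represent dates before 1601-01-01")
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def decode_fat(date_word, time_word, tenths=0):
    """FAT packed date/time -> naive datetime (local time, no zone recorded).

    date_word: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day
    time_word: bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds / 2
    tenths:    creation time only, extra 10 ms units (0-199)
    """
    base = datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F,
                    date_word & 0x1F, time_word >> 11,
                    (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)
    return base + timedelta(milliseconds=10 * tenths)

def encode_fat(dt):
    """Naive local datetime -> (date_word, time_word); odd seconds are dropped."""
    if not 1980 <= dt.year <= 2107:   # 7-bit year field counted from 1980
        raise ValueError("FAT cannot represent year %d" % dt.year)
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word

if __name__ == "__main__":
    stamp = datetime(2003, 5, 17, 14, 30, 45)          # constructed sample value
    print("FAT round trip :", decode_fat(*encode_fat(stamp)))   # seconds become 44
    print("NTFS, 1752     :", encode_filetime(datetime(1752, 9, 14, tzinfo=timezone.utc)))
    print("NTFS, tick 0   :", decode_filetime(0))
```

The FAT value carries no zone, so the same bytes read as a different instant on a machine set to another time zone, while the FILETIME value is unambiguous.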
If you’re a programmer, you can write your own code to modify file time stamps. Instructions for doing so, using Visual Basic 4, 5 or 6, can be found here.
Reasons for changing time stamps
There are many reasons you might want to change the time stamps on files. For example, if you’re working on a project with someone in a different time zone, updates may have dates that are earlier than older versions, causing confusion. You could change time stamps to prevent this.
Of course, some users change time stamps for unethical or illegal reasons in order to, for example, make it appear to an employer that work was done earlier than it really was or thwart a criminal investigation. In some cases, investigators will be able to use forensics methods to determine that the time stamps have been modified.
Third-party programs that change time stamps
Several popular file management programs include functionality to change file time stamps. Some of these are more flexible than others. For example, PowerDesk (previously marketed by Ontrack, now by V Communications, Inc.) has an option in the File menu, Set File Or Folder Date/Time. Highlighting a file and selecting this option will display the dialog box shown in Figure G.
|PowerDesk, a third-party utility, also lets you change time stamps.|
Note that this will change all of the file’s time stamps (creation, modification, and access) to the date and time you specify. There are several programs that will allow you to modify each time stamp separately.
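A triage check built only from behaviours this article describes: a copy can show a modification time earlier than its creation time, a wrongly set clock can leave stamps in the future, and a tool like the one above sets all three stamps to one value. This is an added example, not code from the original article; the names `triage` and `scan` and the five-minute clock tolerance are assumptions.

```python
import os
from datetime import datetime, timedelta

def triage(created, modified, accessed, now, skew=timedelta(minutes=5)):
    """Return review notes for one file's three time stamps (naive local times)."""
    notes = []
    if modified < created:
        # The article notes this happens when a file is copied: the copy gets
        # a new creation stamp but keeps the original modification stamp.
        notes.append("modified before created: consistent with a copied file")
    if created == modified == accessed:
        notes.append("all three identical: new file, or all stamps set together")
    if max(created, modified, accessed) > now + skew:
        notes.append("stamp in the future: check the system clock setting")
    return notes

def creation_time(st):
    """Creation time where the platform exposes it.

    Assumption: on Windows st_ctime (or st_birthtime on newer Pythons) is the
    creation time; on Linux st_ctime is the inode change time instead.
    """
    return st.st_birthtime if hasattr(st, "st_birthtime") else st.st_ctime

def scan(directory, now=None):
    """Return [(file name, notes)] for files in directory with at least one note."""
    now = now or datetime.now()
    findings = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        stamps = [datetime.fromtimestamp(t)
                  for t in (creation_time(st), st.st_mtime, st.st_atime)]
        notes = triage(*stamps, now=now)
        if notes:
            findings.append((entry.name, notes))
    return findings

if __name__ == "__main__":
    for name, notes in scan("."):
        print(name, "->", "; ".join(notes))
```

A note is a reason to look closer, not proof of tampering: each of these patterns also arises from ordinary copying, new files, or a misconfigured clock.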
File Cosmetic is a small program (less than 1 MB) offered by Nizux Software. It’s free to try (and the trial version doesn’t expire) or $7 to buy. One caveat: The download site is extremely slow. It works with Windows 9x, NT, 2000, and XP, and integrates itself into Explorer by adding a tab named Cosmetic to the file’s properties sheet, as shown in Figure H.
|File Cosmetic adds a tab to the file’s properties sheet for modifying file dates.|
Finders Keepers is another utility that accomplishes the same thing. It’s a little larger (2.2 MB) but downloads much faster. Finders Keepers is a bit more complex because it’s primarily designed to search for files and folders on the computer. However, it includes a Touch command in the Perform menu. You can use this command to set the same creation, access, and/or modification date on a whole batch of files, as shown in Figure I.
|Finders Keepers lets you change the dates on a group of files simultaneously.|
|Attribute Magic is a tiny program with a simple interface for modifying time stamps.|