NTFS File Information: Timestamps, Permissions, and Alternate Data Streams
NTFS (New Technology File System) stores rich metadata for each file that the operating system and administrators use for management, security, and forensics. This article explains the key NTFS file information elements—timestamps, permissions, and Alternate Data Streams (ADS)—how they work, where to view them, and practical implications.
1. Key NTFS Timestamps
NTFS maintains several timestamp attributes for each file. These are recorded in the file record and updated by the filesystem:
- Creation Time: When the file was created on the volume.
- Last Write Time: When the file’s content was last modified.
- Last Access Time: When the file was last opened or read. Windows disables or defers last-access updates on many versions (the NtfsDisableLastAccessUpdate setting), so this value is the least reliable of the four.
- Change (MFT Entry Modified) Time: When the file's MFT record last changed. It updates on metadata changes (rename, ACL change, attribute change) as well as on content writes, and it cannot be set through the public SetFileTime API, which is why it survives simple timestamp tampering.
Practical notes:
- Resolution and format: NTFS timestamps are 64-bit FILETIME values (100-nanosecond intervals since 1601-01-01 UTC); tools convert them to local time for display.
- Behavior: Copying a file creates a new MFT record, so the copy gets a new Creation Time while Last Write Time is preserved; moving within the same volume is a rename of the existing record and keeps Creation Time. Moving across volumes is a copy plus delete and behaves like a copy.
- Forensics: The Change (MFT) Time is often crucial in investigations because it moves on metadata changes that do not touch content, including the SetFileTime call used to backdate Creation and Last Write times. NTFS also keeps a second set of the same four timestamps in the $FILE_NAME attribute, which user-mode tools cannot set; a mismatch between the two sets is a classic indicator of timestamp tampering.
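The following PowerShell is an added example, not code from the original article. It shows what copy and move do to the timestamps, reads the Change (MFT entry modified) time that Explorer and Get-Item do not expose (via GetFileInformationByHandleEx with FileBasicInfo), and flags files whose Creation Time is later than their Last Write Time. The paths under $env:TEMP and the 30-day backdating are assumptions for the demo.

```powershell
# Added example (not from the original article). Assumes an NTFS volume behind $env:TEMP.

# FileBasicInfo (class 0) returns the four $STANDARD_INFORMATION timestamps as FILETIME.
Add-Type -TypeDefinition @'
using System;
using System.IO;
using System.Runtime.InteropServices;
public static class NtfsTimes {
    [StructLayout(LayoutKind.Sequential)]
    public struct FILE_BASIC_INFO {
        public long CreationTime; public long LastAccessTime;
        public long LastWriteTime; public long ChangeTime; public uint FileAttributes;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetFileInformationByHandleEx(
        IntPtr hFile, int infoClass, out FILE_BASIC_INFO info, int size);
    public static DateTime GetChangeTimeUtc(string path) {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) {
            FILE_BASIC_INFO info;
            int size = Marshal.SizeOf(typeof(FILE_BASIC_INFO));
            if (!GetFileInformationByHandleEx(fs.SafeFileHandle.DangerousGetHandle(), 0, out info, size))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            return DateTime.FromFileTimeUtc(info.ChangeTime);
        }
    }
}
'@

function Get-NtfsTimes {
    param([string]$Path)
    $f = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Name       = $f.Name
        Created    = $f.CreationTimeUtc
        LastWrite  = $f.LastWriteTimeUtc
        LastAccess = $f.LastAccessTimeUtc
        MftChanged = [NtfsTimes]::GetChangeTimeUtc($f.FullName)
        # A file written in place cannot be created after its last write;
        # True means it was copied (new record) or its times were altered.
        CreatedAfterWrite = $f.CreationTimeUtc -gt $f.LastWriteTimeUtc
    }
}

$work = Join-Path $env:TEMP 'ntfs-ts-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$src = Join-Path $work 'original.txt'
Set-Content -LiteralPath $src -Value 'hello'

# Backdate Created and LastWrite by 30 days. This is SetFileTime, the same call
# timestomping tools use; MftChanged still moves to "now" and gives it away.
$old  = (Get-Date).AddDays(-30)
$item = Get-Item -LiteralPath $src
$item.CreationTime  = $old
$item.LastWriteTime = $old
Get-NtfsTimes $src

$copy  = Join-Path $work 'copied.txt'
$moved = Join-Path $work 'moved.txt'
Copy-Item -LiteralPath $src -Destination $copy   # new MFT record: Created = now, LastWrite kept
Move-Item -LiteralPath $src -Destination $moved  # same volume = rename: Created kept

Get-NtfsTimes $copy    # CreatedAfterWrite = True
Get-NtfsTimes $moved   # CreatedAfterWrite = False

# Sweep a tree for the same indicator.
function Find-CreatedAfterWrite {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -gt $_.LastWriteTimeUtc } |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc
}
Find-CreatedAfterWrite -Root $work
```

CreatedAfterWrite is a triage signal, not proof: legitimate copies, installer extractions and restores from backup produce it too, so correlate with MftChanged and with the $FILE_NAME timestamps from a forensic parser before drawing conclusions.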
2. NTFS Permissions (ACLs)
NTFS uses Access Control Lists (ACLs) to enforce file and folder security. Each file has a security descriptor containing:
- Owner: The account that owns the file.
- DACL (Discretionary ACL): A list of Access Control Entries (ACEs) that allow or deny specific permissions to users or groups (e.g., Read, Write, Execute, Full Control).
- SACL (System ACL): Controls auditing—what access events get logged.
Key concepts:
- Effective Permissions: Determined by combining group memberships, explicit denies, and inherited ACEs from parent folders.
- Inheritance: By default, files and subfolders inherit permissions from their parent folder unless inheritance is blocked or broken.
- Common rights: Read, Write, Execute, Delete, Change Permissions, Take Ownership; these can be combined or mapped to generic rights (Read/Write/Full Control).
- Tools to view/edit: Windows Explorer (Security tab), icacls, cacls (deprecated; use icacls), Get-Acl / Set-Acl in PowerShell.
Security implications:
- Misconfigured ACLs can allow unauthorized access or privilege escalation, for example a service binary or scheduled-task script directory writable by Users or Everyone.
- SACL auditing (with the matching "Audit Object Access" / "Audit File System" policy enabled) is what produces the file-access events needed to track access to sensitive files.
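The following PowerShell is an added example, not code from the original article. It audits a directory tree for ACEs that grant write-class rights to broad principals, reports Deny ACEs and folders where inheritance has been blocked, and shows the owner. The root path and the list of "broad" principals are assumptions for the demo; adjust both to your environment.

```powershell
# Added example (not from the original article). $Root and $BroadPrincipals are assumptions.
$Root = 'C:\inetpub\wwwroot'
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Atomic rights that let a principal change content, delete, or change the ACL itself.
# Composite rights (Modify, FullControl) contain these bits, so -band catches them too;
# ReadAndExecute does not overlap, so read-only grants are not reported.
$WriteClass = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                    [System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Test-AclExposure {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $isDir = (Get-Item -LiteralPath $Path -Force) -is [System.IO.DirectoryInfo]

    # Inheritance blocked: this object carries its own DACL and will not follow parent changes.
    if ($isDir -and $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $Path; Principal = $acl.Owner; Type = 'Info'
                           Rights = ''; Inherited = $false; Reason = 'Inheritance disabled on folder' }
    }

    foreach ($ace in $acl.Access) {
        $grantsWrite = (([int]$ace.FileSystemRights) -band $WriteClass) -ne 0
        $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        $isDeny      = $ace.AccessControlType -eq 'Deny'
        if ($isDeny -or ($isBroad -and $grantsWrite)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited      # inherited ACEs must be fixed at the parent
                Reason    = $(if ($isDeny) { 'Deny ACE present (overrides allows)' }
                              else { 'Write-class right granted to broad principal' })
            }
        }
    }
}

$findings = @(Test-AclExposure -Path $Root) +
    @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-AclExposure -Path $_.FullName })

$findings | Format-Table Path, Principal, Type, Rights, Inherited, Reason -AutoSize

# Remediation for an explicit (non-inherited) finding, shown but not run:
#   $acl = Get-Acl -LiteralPath $f.Path
#   $rule = $acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $f.Principal }
#   $rule | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
#   Set-Acl -LiteralPath $f.Path -AclObject $acl
# icacls equivalent: icacls "<path>" /remove:g "Everyone"
```

Run it as an account that can read the ACLs of the whole tree; Get-Acl fails (and the error is suppressed here) on objects the caller cannot read. Deny ACEs are reported regardless of principal because a Deny is evaluated before any Allow and is the usual reason a user who "should" have access does not.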
3. Alternate Data Streams (ADS)
NTFS supports Alternate Data Streams: additional named $DATA attributes attached to a file's MFT record. The size shown by Explorer and dir covers only the unnamed (default) stream, so ADS content is invisible in standard directory listings.
- Usage: Originally for compatibility with Macintosh resource forks (Services for Macintosh); used today for metadata and application data, and by attackers for hiding content. The best-known legitimate stream is Zone.Identifier, the Mark of the Web that browsers attach to downloaded files.
- Format: Accessed as filename:streamname (e.g., secret.txt:hiddenstream). The default stream is filename::$DATA.
- Visibility: Most file managers and simple tools ignore ADS; stream-aware commands and APIs (FindFirstStreamW, BackupRead) are required to list or read them.
- Tools to manage: streams.exe (Sysinternals), dir /R, PowerShell (Get-Item -Stream, Get-Content -Stream, Remove-Item -Stream), and forensic suites.
Security and operational considerations:
- ADS can hide executable or malicious payloads or configuration; antivirus and endpoint detection should inspect streams, and hunts should treat any non-default stream other than Zone.Identifier on a user-writable path as worth a look.
- Copying a file to a non-NTFS filesystem (FAT32, exFAT) or through a non-stream-aware transfer (many web uploads, some archive formats) silently drops ADS content.
- Backups must be ADS-aware to preserve data stored in streams.
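The following PowerShell is an added example, not code from the original article. It creates a file with a named stream and a synthetic Zone.Identifier stream, lists and reads them, sweeps a tree for files carrying any non-default stream, and removes the unwanted stream without touching the file's main content. Paths under $env:TEMP and the stream names are assumptions for the demo.

```powershell
# Added example (not from the original article). Assumes an NTFS volume behind $env:TEMP.
$work = Join-Path $env:TEMP 'ntfs-ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'report.txt'
Set-Content -LiteralPath $file -Value 'visible content'

# Write a named stream. The length reported by dir/Explorer does not change.
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'this text lives in report.txt:hidden'
# Synthetic Mark-of-the-Web, the stream browsers attach to downloads (ZoneId=3 is Internet).
Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Every file has the unnamed ':$DATA' stream; anything else is an ADS.
Get-Item -LiteralPath $file -Stream * | Select-Object FileName, Stream, Length
(Get-Item -LiteralPath $file).Length          # size of the default stream only
Get-Content -LiteralPath $file -Stream 'hidden'

function Find-AlternateDataStreams {
    param(
        [string]$Root,
        # Streams that are expected and normally not worth reporting.
        [string[]]$Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-ChildItem has no -Stream parameter; Get-Item does.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Default sweep hides Zone.Identifier; pass -Ignore @() to see every stream.
Find-AlternateDataStreams -Root $work
Find-AlternateDataStreams -Root $work -Ignore @()

# Same listing with the built-in shell command, for comparison.
cmd /c "dir /R `"$work`""

# Remove only the suspicious stream; the file and its default stream stay intact.
Remove-Item -LiteralPath $file -Stream 'hidden'
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length
```

When sweeping a large volume, expect many Zone.Identifier hits and the occasional application-specific stream (some editors and sync clients use them); the signal is a stream with an unusual name, a large length, or a location such as a startup or scheduled-task folder.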
4. Where to View NTFS File Information
- Windows Explorer: Basic view (timestamps in properties; permissions via Security tab).
- Command line:
- dir /R to show alternate streams (limited).
- icacls filename to view ACLs.
- PowerShell:
- Get-Item filename | Select-Object CreationTime, LastWriteTime, LastAccessTime
- Get-Item -Path filename -Stream * to list streams; Get-Content -Stream streamname to read one.
- Get-Acl / Set-Acl for security descriptors.
- Sysinternals: streams.exe to enumerate ADS; accesschk for permission checks.
- Forensic tools: FTK, EnCase, Autopsy for deeper metadata and timeline analysis.
5. Best Practices
- Monitor timestamps and MFT changes for suspicious activity; use centralized logging and correlate with other events.
- Harden permissions: apply least privilege, remove unnecessary inheritance, and regularly audit ACLs.
- Inspect ADS: include stream scanning in antivirus and backup solutions; educate admins about the risks.
- Backup strategy: ensure backup tools preserve ADS and security descriptors if restoration fidelity is required.
6. Quick Troubleshooting Tips
- If timestamps seem incorrect after copying, check copy method and whether tools preserved Last Write vs. Creation Time.
- If users can access files they shouldn’t, run icacls and examine inheritance and explicit deny ACEs.
- To find hidden ADS, use streams.exe -s folder (recursive), or in PowerShell: Get-ChildItem -Recurse -File | Get-Item -Stream * | Where-Object Stream -ne ':$DATA' (Get-ChildItem itself has no -Stream parameter).
7. Conclusion
NTFS stores powerful file metadata—timestamps, ACLs, and ADS—that are essential for file management, security, and forensic analysis. Understanding how these attributes behave, how to view them, and their operational risks helps administrators maintain secure and reliable Windows environments.