Time rules for certain user file interactions are documented in the SANS red poster, tested on a Windows 10 1903 system. This blog post looks at these same user interactions with files on a Windows 11 22H2 system, with some further testing conducted on a Windows 10 21H2 system to fill in gaps (file copy to same folder, file recycle, ADS tests, and the original file MFT entries for file copy and move actions).
Note that actions shown in the red poster were not re-tested; they have simply been listed here for comparison.
Note that you may not get the same outcome for all versions of Windows 10.
- Values that are not highlighted are the same on Windows 10 and Windows 11.
- Values highlighted in an orange background are those that are different in Windows 11 compared to Windows 10.
The access timestamps recorded as approximate all differed from the time of the actual user action by a few milliseconds to a few seconds (more often later than earlier). However, the size of the difference was not consistent, so further specifics could not be recorded.
UPDATE: I had a student question in FOR500 - does the creation or modification of an Alternate Data Stream (ADS) affect the MFT timestamps?
So... I did some more testing and added the two right-most columns to the table above. The result was the same on Windows 10 21H2 and Windows 11.
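Because results can vary between Windows builds, the ADS test is worth repeating on your own system. The following PowerShell sketch is an added example, not the test procedure used for this post; the file name, stream name and helper function names are assumptions chosen for illustration. It only covers the three timestamps that `Get-Item` exposes.

```powershell
# Added example: record file timestamps, create then modify an ADS,
# and report which values moved. All names below are constructed.
# Note: Get-Item shows Created / Modified / Accessed only. The MFT
# entry-modified time and the $FILE_NAME timestamps are not exposed
# here and must be read with an MFT parser.

function Get-FileStamps {
    param([string]$LiteralPath)
    $item = Get-Item -LiteralPath $LiteralPath -Force
    [ordered]@{
        Created  = $item.CreationTimeUtc
        Modified = $item.LastWriteTimeUtc
        Accessed = $item.LastAccessTimeUtc
    }
}

function Compare-FileStamps {
    param($Before, $After, [string]$Action)
    foreach ($name in $Before.Keys) {
        [pscustomobject]@{
            Action    = $Action
            Timestamp = $name
            Before    = $Before[$name].ToString('o')
            After     = $After[$name].ToString('o')
            Changed   = $Before[$name] -ne $After[$name]
        }
    }
}

$path = Join-Path $env:TEMP 'ads-timestamp-test.txt'
Set-Content -LiteralPath $path -Value 'primary data stream'
$baseline = Get-FileStamps $path
Start-Sleep -Seconds 3   # gap so any change is clearly distinguishable

# Step 1: create the alternate data stream
Set-Content -LiteralPath $path -Stream 'teststream' -Value 'first write'
$afterCreate = Get-FileStamps $path
Start-Sleep -Seconds 3

# Step 2: modify the existing alternate data stream
Add-Content -LiteralPath $path -Stream 'teststream' -Value 'second write'
$afterModify = Get-FileStamps $path

$results  = @(Compare-FileStamps $baseline    $afterCreate 'ADS created')
$results += @(Compare-FileStamps $afterCreate $afterModify 'ADS modified')
$results | Format-Table -AutoSize

# Confirm the stream exists, then clean up
Get-Item -LiteralPath $path -Stream * | Select-Object Stream, Length
Remove-Item -LiteralPath $path
```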