Following my presentation at TechnoWest 2023 on “Everything You Need to Know About Mac Timestamps,” I wanted to share some key insights about POSIX and Apple Extended Attribute timestamps and their critical role in digital forensics investigations.
The Basics of Mac Timestamps
MacOS, being based on Unix, uses the standard POSIX timestamp attributes that many investigators are familiar with:
- mtime (modification time): When the content of the file was last modified
- atime (access time): When the file was last accessed/read
- ctime (change time): When the file’s metadata was last changed
However, Apple’s implementation includes several extended attributes that provide additional forensic value that many examiners overlook.
Apple Extended Attributes
MacOS maintains several extended attributes, with the most forensically relevant being:
- kMDItemCreateDate: The true creation date of a file
- kMDItemContentCreationDate: When the content was created (can differ from file creation)
- kMDItemLastUsedDate: The last time the file was opened by a user
These extended attributes are stored in the file system’s metadata and can persist even when files are moved within the same volume.
Timestamp Discrepancies and Their Significance
One of the most valuable forensic indicators comes from inconsistencies between timestamps. For example:
When a file’s kMDItemCreateDate is significantly newer than its content creation date, this could indicate that the file was copied from another system or restored from a backup.
Similarly, if the POSIX birth time (btime) differs substantially from the kMDItemCreateDate, it might suggest tampering or that the file was manipulated using tools that don’t properly maintain Apple’s extended attributes.
Practical Example: Identifying Anti-Forensic Activities
Consider a scenario where you encounter a suspicious document on a Mac system. The standard timestamps might look normal, but examining the extended attributes reveals inconsistencies:
$ mdls suspicious_document.pdf
kMDItemCreateDate = 2025-02-15 14:30:15 -0500
kMDItemContentCreationDate = 2024-11-03 08:12:44 -0500
kMDItemLastUsedDate = 2025-03-10 22:45:02 -0500
$ stat suspicious_document.pdf
Birth: 2025-02-15 14:30:15
Access: 2025-03-12 10:22:33
Modify: 2025-03-10 22:45:02
Change: 2025-03-10 22:45:02
In this example, the content creation date is much earlier than the file creation date, suggesting this document was created elsewhere and then transferred to this system. The last used date matches the modification time, potentially indicating an attempt to open and save the file to normalize timestamps.
Implications for Investigations
Understanding these timestamp nuances is crucial when:
- Establishing timelines in data exfiltration cases
- Identifying backdated documents in fraud investigations
- Determining if files were copied from external media
- Detecting anti-forensic techniques aimed at manipulating evidence
Tools for Mac Timestamp Analysis
While many forensic tools capture basic file system timestamps, few properly extract and interpret all of Apple’s extended attributes. At SUMURI, our RECON suite is specifically designed to address this gap, presenting investigators with a complete view of all timestamp data in an easily interpretable format.
Command-line investigators can leverage the built-in MacOS tools:
mdls- List all metadata attributesxattr -l- List extended attributesstat -x- Display POSIX timestamps
Conclusion
Mac timestamps provide a wealth of forensic information beyond what many examiners typically analyze. By understanding both the standard POSIX timestamps and Apple’s extended attributes, investigators can discover valuable evidence that might otherwise remain hidden.
I’ll be diving deeper into specific case studies in future posts. If you have questions about Mac timestamp analysis in your investigations, feel free to reach out.