athulin wrote:
One big question on that list is: 'do we really know how NTFS file timestamping work?' There are various articles and other material out there, but they are only rarely done scientifically, and when they are, they're restricted in scope. Much seems to be anecdotal and unspecific, and thus cannot necessarily be repeated by another researcher.
One way to approach that problem would be to write a piece of software that made every possible (well, ...) file-related system call in some particular software platform (Win32, .NET, ... what have you), and record how those calls modified the original timestamps (and possibly other artifacts) of the file, and analyze and document the changes. Of course, the changes need not be restricted to the target files -- they may also affect the directory of those files, and even other areas of NTFS. (For some types of calls, there will be a source and a destination, and there may be changes in both.)
I would presume"with all due respect for what has been done and shared non-scientifically or that is very restricted in scope". <img src="images/smiles/icon_wink.gif" alt="Wink" title="Wink" />
Even when an experiment is done in a repeatable and documented way, it is not like anyone seems willing to repeat it <img src="images/smiles/icon_eek.gif" alt="Shocked" title="Shocked" /> , just for the record:
http://reboot.pro/topic/19746-queer-ntfs-andor-xp-behaviour/
jaclaz
↧