MAC times are file system metadata that record the Modified, Accessed and Changed times of a file. This information is critical when performing a forensic analysis, since from it you can determine when files were created, when they were accessed or executed, and when they were changed or deleted.
When performing a forensic analysis, a key indicator that a script was executed (often to exploit a vulnerability on the computer) is a burst of activity in which a large number of files are accessed within the same second.
While Linux and most Unix file systems are POSIX compliant and implement MAC times consistently, Windows does not. NTFS records a fourth timestamp that tracks when the file was created. The FAT file system only tracks the day on which a file was last accessed (not the time), which is a significant loss of critical information. For a more complete account of how Microsoft Windows records MAC times, please see the Microsoft Knowledge Base article “Description of NTFS date and time stamps for files and folders”.
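The following Python script is an added example, not code from the original post. It shows the two ideas above in practice: reading a file's MAC times (plus the creation time on the platforms that expose one through `os.stat`) and scanning a set of access records for seconds in which an unusually large number of files were touched. The `SAMPLE_RECORDS` list is constructed sample data, and the burst threshold of 10 files per second is an arbitrary value chosen for the demonstration; on a real image you would tune it to the workload.

```python
"""Collect MAC times and flag per-second access bursts (added example)."""
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone


def mac_times(path):
    """Return the MAC times for `path` as epoch seconds.

    On POSIX systems st_ctime is the metadata change time; on Windows it
    has historically been the creation time, and NTFS has no POSIX ctime.
    The creation ("birth") time is only reported where the platform
    exposes it (st_birthtime on macOS/BSD and on Python 3.12+ Windows).
    """
    st = os.stat(path)
    times = {
        "modified": st.st_mtime,
        "accessed": st.st_atime,
        "changed": None if sys.platform == "win32" else st.st_ctime,
        "created": None,
    }
    if hasattr(st, "st_birthtime"):
        times["created"] = st.st_birthtime
    elif sys.platform == "win32":
        times["created"] = st.st_ctime  # legacy Windows meaning of st_ctime
    return times


def iso_utc(epoch):
    """Render an epoch timestamp as ISO-8601 UTC (None stays None)."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def walk_access_records(root):
    """Yield (path, atime) for every regular file below `root`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                yield p, os.stat(p).st_atime
            except OSError:
                continue  # unreadable or vanished file; skip it


def access_bursts(records, threshold):
    """Group access times by whole second and return the seconds in which
    at least `threshold` files were accessed, as sorted (second, count)."""
    per_second = Counter(int(atime) for _path, atime in records)
    return sorted((sec, n) for sec, n in per_second.items() if n >= threshold)


# Constructed sample data: three files accessed over an hour of normal use,
# then forty configuration files read within a single second.
SAMPLE_RECORDS = (
    [("/srv/www/index.html", 1_700_000_000.0),
     ("/srv/www/about.html", 1_700_001_800.0),
     ("/srv/www/logo.png", 1_700_003_600.0)]
    + [(f"/etc/app/conf{i}", 1_700_005_000.0 + i / 100) for i in range(40)]
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "example.txt")
        with open(sample, "w") as fh:
            fh.write("hello\n")
        for kind, epoch in mac_times(sample).items():
            print(f"{kind:>9}: {iso_utc(epoch)}")
        print("local bursts:", access_bursts(walk_access_records(tmp), 10))
    for sec, n in access_bursts(SAMPLE_RECORDS, 10):
        print(f"burst: {n} files accessed at {iso_utc(sec)}")
```

Two caveats when interpreting the output: a FAT volume will only ever yield whole-day access times, so `access_bursts` cannot resolve seconds there, and Linux mounts with `noatime` or `relatime` stop updating atime on most reads, so the absence of a burst is not evidence that nothing ran.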