MACtimes oddness on CDROM filesystems

I have been looking at the MACtimes of files stored on CDROM’s recently. One thing that particulary struck me was the access time (the A in MAC) of files on a cdrom…

F:burntest>dir /ta *
Volume in drive F is My Disc
Volume Serial Number is 8181-A540

Directory of F:burntest

01/01/1601 10:00 AM <DIR> .
01/01/1601 10:00 AM <DIR&gt’ ..
01/01/1601 10:00 AM 34,304 LDM.doc
01/01/1601 10:00 AM 1,267 mailheaders.txt
2 File(s) 35,571 bytes
2 Dir(s) 0 bytes free

Did I reset the access time when I burned it?

No. From the quick skim of the ISOFS documentation, it appears that ISOFS contains no field to save the access time of a file in, which i expect makes sense if you are thinking of a filesystem as a read only medium.

I imagine that the windows CDFS implementation is simply returning the number 0 (64bit) to the upper level filesystem layers here for the accessed time. And what you see here, is 12 Midnight, 1/1/1601 (plus 10 hours as I am in Brisbane, GMT+10), which is the starting point of the windows clock.

Too bad if you are wanting it as a backup of a regular filesystem. From a forensic standpoint, you have lost all of those useful accessed times (not to mention the usual suspects like slack space, deleted files…)

Which brings me to validating some CD writing software, in this case, Nero 6. For my experiment, I will compare the mactimes of some files on a NTFS filesystem which have been burned to a ISOFS CDROM with Nero 6.

The creation times on the NTFS FS on C: and the ISOFS on F:

C:burntest>dir /tc *
Volume in drive C has no label.
Volume Serial Number is 8C26-C144

Directory of C:burntest

15/09/2005 07:44 PM <DIR> .
15/09/2005 07:44 PM <DIR> ..
14/08/2005 05:53 PM 34,304 LDM.doc
23/07/2005 08:54 PM 1,267 mailheaders.txt
2 File(s) 35,571 bytes
2 Dir(s) 9,896,013,824 bytes free

F:burntest>dir /tc *
Volume in drive F is My Disc
Volume Serial Number is 8181-A540

Directory of F:burntest

15/09/2005 07:44 PM <DIR> .
15/09/2005 07:52 PM <DIR> ..
14/08/2005 06:16 PM 34,304 LDM.doc
23/07/2005 08:55 PM 1,267 mailheaders.txt
2 File(s) 35,571 bytes
2 Dir(s) 0 bytes free

Huh?

C:burntest>dir /tw *
Volume in drive C has no label.
Volume Serial Number is 8C26-C144

Directory of C:burntest

15/09/2005 07:44 PM <DIR> .
15/09/2005 07:44 PM <DIR> ..
14/08/2005 06:16 PM 34,304 LDM.doc
23/07/2005 08:55 PM 1,267 mailheaders.txt
2 File(s) 35,571 bytes
2 Dir(s) 9,896,013,824 bytes free
F:burntest>dir /tw *
Volume in drive F is My Disc
Volume Serial Number is 8181-A540

Directory of F:burntest

15/09/2005 07:44 PM <DIR> .
15/09/2005 07:52 PM <DIR> ..
14/08/2005 06:16 PM 34,304 LDM.doc
23/07/2005 08:55 PM 1,267 mailheaders.txt
2 File(s) 35,571 bytes
2 Dir(s) 0 bytes free

It looks like Nero 6 likes to throw away the creation time, and replace it with the last modified time. Yet more data lost.