Good afternoon to everyone!
Exiftool perfectly saves three attributes of file time, but there is a fourth. The "ChangeTime" attribute in the FILE_BASIC_INFO table is a unmasking sign of a file change. See the screenshot.
Can be aligned all four attributes by exiftool?
The "Far Manager" program do it, but only manually for each file.
Hi Victor,
I have split this into a separate topic (and changed the subject).
After some Googling, it looks like this is the MFT (Master File Table) change time (see here (https://superuser.com/questions/973547/how-can-i-display-all-8-ntfs-timestamps)), which exists only on Windows NTFS filesystems. Here is some python code to read the MFT table (https://github.com/jeffbryner/pyMFTGrabber/blob/master/pyMFTGrabber.py), but this code reads sectors directly from the hard disk to obtain the MFT, which is definitely beyond the scope of ExifTool. Also, there are other things to worry about like access permissions when trying to read the MFT (read here (https://stackoverflow.com/questions/21661798/how-do-we-access-mft-through-c-sharp)). So I don't think that this is something ExifTool should/would be able to do.
- Phil
Edit: Actually, as my first link (https://superuser.com/questions/973547/how-can-i-display-all-8-ntfs-timestamps) mentioned, there seem to be 8 different timestamps stored in an NTFS system. 4 for the file itself, and 4 more for the filename (read here (https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation)).
Thank you, Phil!
From afar, the problem didn't look so serious.
I assumed that there was a standard function of the Perl language for this purpose.