NTFS Forensics

Finding hidden information within the Windows NTFS file system

Get NTFS Creation Date

Using Windows Powershell we can print the date the volume was initially created. In this example we get the creation time for drive E: and then the lastwrite time

PS C:\> Get-Item E:\ | Select-Object CreationTime

CreationTime
------------
17/07/2017 3:21:04 PM

PS C:\> Get-Item E:\ | Select-Object LastWriteTime

LastWriteTime
-------------
10/07/2024 10:46:12 AM