-2

Is there a way to find out when NTFS was last mounted?

Any information in the filesystem metadata or something?

Using utilities on Linux, MacOS or at least Windows...

Thank you!

Evenik
  • 1
  • 2

1 Answers1

0

sorry,

root@xDevAd:/home/hans/ntfs# truncate -s 2M ntfs.img;
root@xDevAd:/home/hans/ntfs# mkdir -p ./mount;
root@xDevAd:/home/hans/ntfs# losetup /dev/loop9 ntfs.img;
root@xDevAd:/home/hans/ntfs# mkfs.ntfs /dev/loop9;
The partition start sector was not specified for /dev/loop9 and it could not be obtained automatically.  It has been set to 0.
The number of sectors per track was not specified for /dev/loop9 and it could not be obtained automatically.  It has been set to 0.
The number of heads was not specified for /dev/loop9 and it could not be obtained automatically.  It has been set to 0.
Cluster size has been automatically set to 4096 bytes.
To boot from a device, Windows needs the 'partition start sector', the 'sectors per track' and the 'number of heads' to be set.
Windows will not be able to boot from this device.
Initializing device with zeroes: 100% - Done.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.
root@xDevAd:/home/hans/ntfs# mount /dev/loop9 ./mount;
root@xDevAd:/home/hans/ntfs# umount ./mount; 
root@xDevAd:/home/hans/ntfs# b3sum ./ntfs.img;
0b5e9867996a2a4ce2abb6689d59a7719b040da35db7cd6f39d8084e6dd81466  ./ntfs.img
root@xDevAd:/home/hans/ntfs# sleep 1;
root@xDevAd:/home/hans/ntfs# mount /dev/loop9 ./mount;
root@xDevAd:/home/hans/ntfs# sleep 1;
root@xDevAd:/home/hans/ntfs# umount ./mount;
root@xDevAd:/home/hans/ntfs# sleep 1; 
root@xDevAd:/home/hans/ntfs# b3sum ./ntfs.img;
0b5e9867996a2a4ce2abb6689d59a7719b040da35db7cd6f39d8084e6dd81466  ./ntfs.img

from this we can conclude that IF "last mount time" exists, it's precision is less than 2 seconds,

but it probably means that the information you seek does not exist :(

(another possibility is that a bug in ntfs-3g prevents last mount time from being recorded, but i doubt it)

edit: good news is: finding the last atime/last mtime when comparing ALL FILES on the entire filesystem, is probably a good indicator..

this script

#!/usr/bin/env php
<?php
function fs_get_last_time(string $mountpoint, int &$time_out, string &$file_out):void{
    $time_out=0;
    $file_out="";
    $files = glob($mountpoint.DIRECTORY_SEPARATOR."*",GLOB_NOESCAPE|GLOB_NOSORT);
    foreach($files as $file){
        $stat = stat($file);
        $file_last_time = max($stat["atime"]??0, $stat["mtime"]??0,$stat["ctime"]??0);
        if($file_last_time>$time_out){
            $time_out=$file_last_time;
            $file_out = $file;
        }
        if(is_dir($file)){
            $inner_time = 0;
            $inner_file = "";
            fs_get_last_time($file,$inner_time, $inner_file);
            if($inner_time > $time_out){
                $time_out = $inner_time;
                $file_out = $inner_file;
            }
        }
    }
}

should tell you the last time the filesystem was last in use, at least... usage:


$time=0;
$file="";
fs_get_last_time("/path/to/ntfs/mount", $time,$file);
echo date(DateTime::RFC3339,$time).": ".$file."\n";
hanshenrik
  • 19,904
  • 4
  • 43
  • 89