Note: I translated Japanese into English using Google Translate.
Thank you, Google.
iria_piyo has published some interesting verifications of File System Tunneling on their blog. I read those posts and wanted to see how it is recorded in the USN Journal.
(In a 2013 article at the reference URL, Keydet89 had already mentioned the USN journal.)
Unfortunately I do not have an image of fried eggs (medamayaki.png), so I will use the otter image.
Format the E: drive as NTFS and enable the USN Journal.
E:\>fsutil usn createjournal e: m=1 a=1
Copy the JPEG file to the E:\Pictures folder using Windows Explorer.
Check the file's metadata with Autopsy.
Delete the file and create a file with the same name. I should have recorded the time before deleting the file...
Contrary to what I expected, the Created timestamp was not restored.
Copy the image file under a different name and test again.
This time, the same file name is created by deleting the file and then changing the file name.
The Created timestamp was not restored...... why????
Just to be sure, I checked the registry, but there is no MaximumTunnelEntries value.
By the way, why is the NtfsDisableLastAccessUpdate value 80000002? (DisableLastAccess = 2 (System Managed, Disabled))
I will test the same operation on the C: drive.
As before, I copied the otter image to the c:\Pictures folder.
The Created timestamp has been restored.
Muuuuuu... Why is the Created timestamp not restored on the E: drive?
I formatted the E: drive as FAT32 and performed the same test; the result is below.
On FAT32, the Created timestamp is restored.
Verification environment: Windows 10 1083
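The delete-and-recreate test above can be scripted so that the Created timestamp and the USN record of the file are captured before and after, and the USN journal entries for the name are pulled out afterwards. The following PowerShell is an added example and is not the author's own procedure or output: it assumes an elevated prompt, a volume ($Drive) that already has a USN journal, and a constructed file name ($Name); the file content is a placeholder standing in for the image. The registry value MaximumTunnelEntryAgeInSeconds is the companion of MaximumTunnelEntries (default 15 seconds when absent) and is not mentioned in the post.

```powershell
# Added example, not code from the original post.
# Reproduce the tunneling test: create, record, delete, recreate with the same name,
# then compare the Created timestamp and show what the USN journal recorded.
param(
    [string]$Drive = 'E:',        # assumption: NTFS volume with a USN journal
    [string]$Name  = 'otter.jpg'  # constructed test file name
)

$dir  = Join-Path $Drive 'Pictures'
$path = Join-Path $dir $Name
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Tunneling settings; absent values mean the defaults (1024 entries, 15 seconds).
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
Get-ItemProperty -Path $fsKey |
    Select-Object MaximumTunnelEntries, MaximumTunnelEntryAgeInSeconds, NtfsDisableLastAccessUpdate

# Step 1: create the file and record its Created timestamp and its current USN record.
Set-Content -Path $path -Value 'constructed placeholder standing in for the image'
$before    = Get-Item $path
$beforeUsn = fsutil usn readdata $path
"Before: Created={0:o}" -f $before.CreationTimeUtc

# Wait so that a genuinely new file would get a visibly later Created timestamp.
Start-Sleep -Seconds 5

# Step 2: delete and recreate the same name inside the tunnel window.
Remove-Item $path
Set-Content -Path $path -Value 'second file created under the same name'
$after    = Get-Item $path
$afterUsn = fsutil usn readdata $path
"After:  Created={0:o}" -f $after.CreationTimeUtc

if ($after.CreationTimeUtc -eq $before.CreationTimeUtc) {
    'Created timestamp was restored: tunneling is active on this volume'
} else {
    'Created timestamp was NOT restored on this volume'
}

# Step 3: regardless of the Created timestamp, the delete/create pair is in the USN
# journal with its own time stamps, and the file ID in the readdata output changes
# because the name now points at a new MFT record. A timeline should rely on these.
'--- fsutil usn readdata before ---'; $beforeUsn
'--- fsutil usn readdata after  ---'; $afterUsn
'--- USN journal records for the name ---'
fsutil usn readjournal $Drive |
    Select-String -Pattern ([regex]::Escape($Name)) -Context 1,4
```

Run it as `.\tunnel-test.ps1 -Drive 'E:' -Name 'otter.jpg'` from an administrator prompt. The `-Context 1,4` window around each matching line is meant to bring the Usn, Reason and Time stamp fields of each record into view; the exact field order of `fsutil usn readjournal` output varies by Windows version, so widen the window if the Reason line is cut off.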