Timestamp Manipulation (Timestomping)

  • Description: Timestomping is a classic anti-forensic technique aimed at modifying the standard timestamps associated with files or folders. The primary goal is to alter the Modified, Accessed, Changed, and/or Birth (MACB) times to make a malicious file (like a cheat) or a recently modified legitimate file appear older or blend in with unrelated system files, thereby confusing timeline analysis during a screenshare.

  • Mechanism: Attackers use various tools or methods to rewrite the timestamp metadata:

    • Specialized Utilities: Tools like Timestomp.exe (from Metasploit) or other standalone utilities are designed specifically for this purpose.

    • Built-in Tools: PowerShell commands (Set-ItemProperty) or even lower-level API calls can be used to modify timestamps.

    • Target Attributes: These tools primarily target the timestamps stored within the $STANDARD_INFORMATION ($SI) attribute in the file's Master File Table (MFT) record, as these are the timestamps typically displayed by Windows Explorer and most basic tools.

  • Why Cheaters Use It: To make a recently downloaded, installed, or executed cheat file appear as if it hasn't been touched in months or years, hoping the ScreenSharer will overlook it when sorting by date or analyzing recent activity. It can also be used on artifacts like Prefetch files (though attribute manipulation is more common there) or logs.

  • Detection: Detecting timestomping often involves comparing different sets of timestamps associated with the file:

    • $MFT $SI vs $FN Comparison: As mentioned in the NTFS section, files often have two sets of MACB timestamps stored in their MFT record: one in $STANDARD_INFORMATION ($SI) and another in $FILE_NAME ($FN). Timestomping tools often only modify the $SI timestamps. Parsing the $MFT (e.g., using MFTECmd) and comparing the $SI timestamps against the $FN timestamps for the same file can reveal discrepancies, which strongly indicate manipulation. If the $SI timestamps show an old date (e.g., 2015) but the $FN timestamps show a recent date (e.g., matching the screenshare period), timestomping is highly likely.

    • USN Journal ($UsnJrnl): The act of modifying file timestamps typically generates a BASIC_INFO_CHANGE event in the USN Journal, logged with an accurate timestamp of when the modification occurred. Finding recent BASIC_INFO_CHANGE entries for a file that displays much older $SI timestamps is strong evidence of timestomping.

    • $LogFile: In theory, the $LogFile might capture the transaction attempting to change the timestamp, potentially showing both the original and the intended fake timestamp, though parsing this artifact is complex.

    • System Time Change Correlation: If timestomping occurred recently, check Event Logs (ID 4616) for system time changes around the same period, as attackers might temporarily set the system clock back before modifying timestamps. (Note: Sophisticated tools may not require system time changes).
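To make the $SI vs $FN comparison and the USN Journal check above concrete, here is an added Python example that is not part of the original page and is not MFTECmd's own code. It scores constructed rows shaped like MFTECmd's $MFT and $UsnJrnl CSV output; the column names (Created0x10/Created0x30 for $SI/$FN, UpdateReasons and UpdateTimestamp for the journal) and the seven-digit fractional-second format are assumptions about that tool's output, and the sample rows are constructed. It also applies one heuristic the text does not mention: $SI timestamps whose sub-second digits are all zero while $FN keeps real fractions, a pattern left by tools that set times at second granularity.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows shaped like MFTECmd's $MFT CSV (column names and the
# 7-digit fractional-second format are assumptions about that tool's output).
MFT_CSV = """EntryNumber,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
101,.\\Users\\Player\\Downloads,loader.exe,2015-03-02 10:15:22.0000000,2024-05-18 20:41:07.1234567,2015-03-02 10:15:22.0000000,2024-05-18 20:41:07.1234567
102,.\\Windows\\System32,kernel32.dll,2023-11-04 08:12:01.4567890,2023-11-04 08:12:01.4567890,2023-11-04 08:12:01.4567890,2023-11-04 08:12:01.4567890
103,.\\Users\\Player\\Documents,notes.txt,2024-05-18 20:50:00.0000000,2024-05-18 20:50:00.0000000,2024-05-18 20:50:00.0000000,2024-05-18 20:50:00.0000000
"""

# Constructed $UsnJrnl rows (same caveat about MFTECmd's column names).
USN_CSV = """EntryNumber,UpdateTimestamp,UpdateReasons,Name
101,2024-05-18 20:42:30.5550000,BasicInfoChange|Close,loader.exe
103,2024-05-18 20:50:00.1000000,FileCreate|DataExtend|Close,notes.txt
"""

SI_COLS = ("Created0x10", "LastModified0x10")   # $STANDARD_INFORMATION
FN_COLS = ("Created0x30", "LastModified0x30")   # $FILE_NAME
STALE_GAP = timedelta(days=30)  # how much newer a USN change must be than $SI to count


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff'; Python's %f accepts at most 6 digits."""
    base, _, frac = text.strip().partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def has_zero_usec(text):
    """True when the fractional-second part is all zeros (or absent)."""
    frac = text.strip().partition(".")[2]
    return frac.strip("0") == ""


def load_usn_changes(usn_csv):
    """Map MFT entry number -> list of BasicInfoChange timestamps from the journal."""
    changes = {}
    for row in csv.DictReader(io.StringIO(usn_csv)):
        if "BasicInfoChange" in row["UpdateReasons"].split("|"):
            changes.setdefault(row["EntryNumber"], []).append(parse_ts(row["UpdateTimestamp"]))
    return changes


def find_timestomp_indicators(mft_csv, usn_csv, stale_gap=STALE_GAP):
    """Return {filename: [indicator, ...]} for every $MFT row with at least one indicator."""
    usn_changes = load_usn_changes(usn_csv)
    findings = {}
    for row in csv.DictReader(io.StringIO(mft_csv)):
        indicators = []
        si_created, fn_created = parse_ts(row["Created0x10"]), parse_ts(row["Created0x30"])
        # 1. $SI created earlier than $FN created. Timestomping tools usually rewrite
        #    only $SI, so an older $SI is suspicious; a legitimate rename/move on the
        #    same volume also refreshes $FN, so treat this as a lead, not proof.
        if si_created < fn_created:
            indicators.append("si_created_before_fn_created")
        # 2. $SI timestamps with zeroed sub-second digits while $FN keeps real
        #    fractions: tools that set times at second granularity leave this pattern
        #    (heuristic beyond the page's own checks).
        si_zero = all(has_zero_usec(row[c]) for c in SI_COLS)
        fn_real = any(not has_zero_usec(row[c]) for c in FN_COLS)
        if si_zero and fn_real:
            indicators.append("si_usec_zeroed")
        # 3. A BasicInfoChange USN record dated long after the newest $SI timestamp:
        #    the journal records when the attributes were actually rewritten.
        newest_si = max(parse_ts(row[c]) for c in SI_COLS)
        for when in usn_changes.get(row["EntryNumber"], []):
            if when - newest_si > stale_gap:
                indicators.append(f"usn_basic_info_change_at_{when:%Y-%m-%d %H:%M:%S}")
                break
        if indicators:
            findings[row["FileName"]] = indicators
    return findings


if __name__ == "__main__":
    for name, why in find_timestomp_indicators(MFT_CSV, USN_CSV).items():
        print(f"{name}: {', '.join(why)}")
```

On the constructed data only loader.exe is reported, with all three indicators; kernel32.dll has consistent $SI/$FN times and notes.txt has zeroed fractions in both attributes and no BasicInfoChange record, so neither is flagged. On a real $MFT export, the first check fires on plain file moves as well, so read it together with the USN result and the file's location rather than on its own.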
