search

Timestomping

Defense Evasion

hashtag
Execution

Checking original timestamps of the nc.exe:

.\timestomp.exe .\nc.exe -v

Forging the file creation date:

Checking the $MFT for changes - first of, dumping the $MFT:

Let's find the nc.exe record and check its timestamps:

Note how fnCreateTime did not get updated:

For this reason, it is always a good idea to check both $STANDARD_INFO and $FILE_NAME times during the investigation to have a better chance at detecting timestomping.

Note that if we moved the nc.exe file to any other folder on the system and re-parsed the $MFT again, the fnCreateTime timestamp would inherit the timestamp from siCreateTime:

hashtag
References

https://www.forensicswiki.org/wiki/Timestompwww.forensicswiki.orgchevron-right
LogoDigital Forensics and Incident Response Training | SANS InstituteSANS Institutechevron-right
LogoIndicator Removal: Timestomp, Sub-technique T1070.006 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right
PreviousFile Smuggling with HTML and JavaScriptNextAlternate Data Streams

Last updated