offensive security
Timestomping
Defense Evasion
Execution
Checking original timestamps of the
nc.exe:1
.\timestomp.exe .\nc.exe -v
Copied!
Forging the file creation date:
1
.\timestomp.exe .\nc.exe -c "Monday 7/25/2005 5:15:55 AM"
Copied!
Checking the
$MFT for changes - first of, dumping the $MFT:1
.\RawCopy64.exe /FileNamePath:C:\$MFT /OutputName:c:\experiments\mft.dat
Copied!
Let's find the
nc.exe record and check its timestamps:1
Import-Csv .\mft.csv -Delimiter "`t" | Where-Object {$_.Filename -eq "nc.exe"}
Copied!
Note how
fnCreateTime did not get updated:
For this reason, it is always a good idea to check both
$STANDARD_INFO and $FILE_NAME times during the investigation to have a better chance at detecting timestomping.Note that if we moved the nc.exe file to any other folder on the system and re-parsed the $MFT again, the
fnCreateTime timestamp would inherit the timestamp from siCreateTime:
References
https://www.forensicswiki.org/wiki/Timestomp
www.forensicswiki.org
https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
digital-forensics.sans.org
Indicator Removal on Host: Timestomp, Sub-technique T1070.006 - Enterprise | MITRE ATT&CK®
Last modified 3yr ago
Copy link