# Timestomping

## Execution

Checking the original timestamps of `nc.exe`:

```powershell
.\timestomp.exe .\nc.exe -v
```

![](/files/-LK6WG-TCbQr8Hbwwovw)

Forging the file creation date:

```powershell
.\timestomp.exe .\nc.exe -c "Monday 7/25/2005 5:15:55 AM"
```

![](/files/-LK6WG-YHi2hXvPUJ5pr)

Checking the `$MFT` for changes - first off, dumping the `$MFT`:

```powershell
.\RawCopy64.exe /FileNamePath:C:\$MFT /OutputName:c:\experiments\mft.dat
```

![](/files/-LK6WG-abYuMn-zIKjK2)

Let's find the `nc.exe` record and check its timestamps:

```powershell
Import-Csv .\mft.csv -Delimiter "`t" | Where-Object {$_.Filename -eq "nc.exe"}
```

Note how `fnCreateTime` did not get updated:

![](/files/-LK6WG-cVY_oG0pvC3Oy)

For this reason, always check both the `$STANDARD_INFO` and `$FILE_NAME` timestamps during an investigation for a better chance of detecting timestomping.

Note that if we moved `nc.exe` to any other folder on the system and re-parsed the `$MFT`, the `fnCreateTime` timestamp would inherit the timestamp from `siCreateTime`:

![](/files/-LK6jKRdTtf1x38GbFCB)
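The comparison described above can be scripted over the parsed `$MFT` export instead of inspecting one record at a time. The following is an added example for this page, not a tool from the original write-up: it reads a tab-delimited `mft.csv` with the `Filename`, `siCreateTime` and `fnCreateTime` columns the `Import-Csv` command above relies on, and flags records whose `$STANDARD_INFO` creation time is earlier than the `$FILE_NAME` creation time. Because moving the file refreshes `$FILE_NAME` from `$STANDARD_INFO` and defeats that comparison, it also applies a second, independent heuristic: a creation time with a zeroed 100-nanosecond fraction, which is what a timestamp set to whole seconds (as in the `-c "Monday 7/25/2005 5:15:55 AM"` example) leaves behind while natively written NTFS timestamps almost always carry a non-zero fraction. The timestamp layout (`YYYY-MM-DD HH:MM:SS.fffffff`) and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample export (assumption: the same tab-delimited layout and
# column names the page's Import-Csv command reads). Only the columns this
# check needs are included.
SAMPLE_MFT_CSV = """Filename\tsiCreateTime\tfnCreateTime
nc.exe\t2005-07-25 05:15:55.0000000\t2018-08-20 10:02:13.4713520
nc_moved.exe\t2005-07-25 05:15:55.0000000\t2005-07-25 05:15:55.0000000
notepad.exe\t2018-04-11 23:34:02.1234567\t2018-04-11 23:34:02.1234567
"""


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' (assumed export format) into
    (datetime to the second, fractional part in 100 ns ticks)."""
    base, _, frac = value.strip().partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    ticks = int(frac.ljust(7, "0")) if frac else 0
    return dt, ticks


def timestomp_indicators(row):
    """Return the list of indicators that fire for one MFT record.

    - si_create_before_fn_create: $STANDARD_INFO creation time precedes the
      $FILE_NAME creation time, which normal file operations do not produce.
    - si_create_subsecond_zeroed: the $STANDARD_INFO creation time has no
      sub-second component, the residue of a timestamp set to whole seconds.
      This still fires after the file has been moved and $FILE_NAME has been
      refreshed from $STANDARD_INFO.
    """
    si = parse_ts(row["siCreateTime"])
    fn = parse_ts(row["fnCreateTime"])
    reasons = []
    if si < fn:
        reasons.append("si_create_before_fn_create")
    if si[1] == 0:
        reasons.append("si_create_subsecond_zeroed")
    return reasons


def scan_mft_csv(text):
    """Scan a tab-delimited MFT export and map each suspicious Filename to
    the indicators that fired for it."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    hits = {}
    for row in reader:
        reasons = timestomp_indicators(row)
        if reasons:
            hits[row["Filename"]] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in scan_mft_csv(SAMPLE_MFT_CSV).items():
        print(f"{name}: {', '.join(reasons)}")
```

On the sample data `nc.exe` trips both indicators, `nc_moved.exe` (the moved-file case from the note above) trips only the sub-second check, and `notepad.exe` is clean. Both heuristics are triage signals rather than proof: files copied from a FAT volume or restored by some backup tools can also show whole-second timestamps, so positives should be corroborated with `$USN_JRNL` entries and the `$MFT` entry's own modification sequence where they are available.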

## References

{% embed url="https://www.forensicswiki.org/wiki/Timestomp" %}

{% embed url="https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation" %}

{% embed url="https://attack.mitre.org/wiki/Technique/T1099" %}
