If you are looking for a quick tool to reset or alter the created, written or accessed fields of a file, consider the Metasploit anti-forensics tool timestomp.

This tool is purported to be the first tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified. Not only can this throw off a simple administrator's scan of a directory, it can also confuse a forensic investigator. The syntax of the utility is:

TimeStomp Usage Information:
---------------------------------------------------------
If you mix a lot of options, the behavior is unpredictable.
All times should be entered in local time because the utility automatically converts to UTC time.

TimeStomp <filename> [options]

<filename>      the name of the file you wish to modify;
                you may need to surround the full path in ""

options:
  -m <date>     M, set the "last written" time of the file
  -a <date>     A, set the "last accessed" time of the file
  -c <date>     C, set the "created" time of the file
  -e <date>     E, set the "mft entry modified" time of the file
  -z <date>     set all four attributes (MACE) of the file
                <date> "DayofWeek Month\Day\Year HH:MM:SS [AM|PM]"
  -f <src file> set MACE of <filename> equal to MACE of <src file>;
                time stamps change, but file attributes are unchanged
  -b            set the MACE timestamps so that EnCase shows blanks
  -r            same as -b except it works recursively on a directory (aka the Craig option)
  -v            show the UTC (non-local time) MACE values for <filename>
  -h            show this menu, help

examples:
  1) sets the "last written" attribute of targetfile.txt
     TimeStomp targetfile.txt -m "Monday 7/25/2005 5:15:55 AM"
  2) sets all four MACE attributes of targetfile.txt
     TimeStomp targetfile.txt -z "Saturday 10/08/2005 2:34:56 PM"
  3) set the MACE attributes of targetfile.txt equal to srcfile.exe
     TimeStomp targetfiletxt -f srcfile.exe
  4) set the MACE attributes of targetfile.txt equal to values that EnCase doesn't know how to display
     TimeStomp targetfile.txt -b
  5) show the MACE attributes of targetfile.txt
     TimeStomp targetfile.txt -v

Running the tool was simple enough, and the results make it clear how this can cause a forensic examiner some trouble. First, the last-access time of the file before running the tool:

C:\>dir /ta
 Volume in drive C has no label.
 Volume Serial Number is
 Directory of C:\
09/19/2006  05:50 PM                 0 AUTOEXEC.BAT

Now blank all four timestamps with -b:

c:\timestomp c:\autoexec.bat -b

To view when the file was supposedly created after running timestomp, use the following:

C:\>dir /t:c
 Volume in drive C has no label.
 Volume Serial Number is
 Directory of C:\
01/01/1601  12:00 AM                 0 AUTOEXEC.BAT

To view when the file was supposedly last accessed after running timestomp, use the following:

C:\>dir /t:a
 Volume in drive C has no label.
 Volume Serial Number is
 Directory of C:\
01/01/1601  12:00 AM                 0 AUTOEXEC.BAT

To view when the file was supposedly last written after running timestomp, use the following:

C:\>dir /t:w
 Volume in drive C has no label.
 Volume Serial Number is
 Directory of C:\
01/01/1601  12:00 AM                 0 AUTOEXEC.BAT

Let's check the date and time:

C:\>time
The current time is: 18:25:45.21
C:\>date
The current date is: Tue 09/19/2006

Given this, any time we access a file it should carry this date and a time close to our current time. Now let's change the time this file was last written with the following:

C:\>timestomp c:\autoexec.bat -m "Sunday 11/19/2006 12:12:12 PM"

The results of our timestomp command are as follows:

C:\>dir /t:w
 Volume in drive C has no label.
 Volume Serial Number is
 Directory of C:\
11/19/2006  12:12 PM                 0 AUTOEXEC.BAT
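The session above exposes two things an examiner can look for in its own output: the 01/01/1601 "blank" values that -b writes, and a last-written time (11/19/2006) that lies two months after the system clock (09/19/2006). The script below is an added example for this page, not code from the original post or from the Metasploit project. It parses dates in timestomp's own "DayofWeek Month/Day/Year HH:MM:SS AM|PM" format, applies those two checks plus a whole-second heuristic (an assumption of this example: NTFS stores 100 ns ticks, so timestamps with no sub-second part at all are unusual for ordinary file activity), and can walk a directory tree with os.stat. The names parse_timestomp_date, check_timestamps, scan_directory and demo are this example's own, and the "now" it uses in the demo is the time/date output shown on the page, treated as UTC for simplicity.

```python
import os
import sys
from datetime import datetime, timedelta, timezone

# The all-zero NTFS FILETIME written by "timestomp -b"; dir shows it as 01/01/1601 12:00 AM.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# The <date> format from the usage text: "DayofWeek Month\Day\Year HH:MM:SS [AM|PM]".
TIMESTOMP_DATE_FORMAT = "%A %m/%d/%Y %I:%M:%S %p"


def parse_timestomp_date(text, tz=timezone.utc):
    """Parse a date string in timestomp's own format, e.g. "Sunday 11/19/2006 12:12:12 PM".

    The tool takes local time; this example simply attaches `tz` (UTC by default)
    so that all comparisons below are between aware datetimes.
    """
    return datetime.strptime(text, TIMESTOMP_DATE_FORMAT).replace(tzinfo=tz)


def check_timestamps(created, accessed, written, now, tolerance=timedelta(minutes=5)):
    """Apply three heuristics to one file's created/accessed/written times.

    Returns a list of (field, reason) tuples; an empty list means nothing looked odd.
    The heuristics are this example's assumptions, not rules from the original page:
      filetime_zero - the field holds the 1601-01-01 value that -b and -r produce
      future        - the field lies after `now` (plus a small clock-skew tolerance)
      whole_second  - every field has a zero sub-second part; NTFS keeps 100 ns ticks,
                      while a utility fed "HH:MM:SS" strings writes exact seconds
    """
    fields = {"created": created, "accessed": accessed, "written": written}
    findings = []
    for name, t in fields.items():
        if t - FILETIME_EPOCH < timedelta(seconds=1):
            findings.append((name, "filetime_zero"))
        elif t > now + tolerance:
            findings.append((name, "future"))
    # Only raise the weaker heuristic when nothing stronger already fired.
    if not findings and all(t.microsecond == 0 for t in fields.values()):
        findings.append(("all", "whole_second"))
    return findings


def _from_unix(seconds):
    # Pre-1970 values such as 1601 are negative Unix timestamps, which
    # datetime.fromtimestamp rejects on Windows; epoch arithmetic handles them.
    return UNIX_EPOCH + timedelta(seconds=seconds)


def scan_directory(root, now=None):
    """Walk `root` and return {path: findings} for every file that has a finding."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            # On Windows st_ctime is the creation time; elsewhere st_birthtime is used
            # when the platform exposes it, otherwise the inode change time stands in.
            created = _from_unix(getattr(st, "st_birthtime", st.st_ctime))
            findings = check_timestamps(
                created, _from_unix(st.st_atime), _from_unix(st.st_mtime), now
            )
            if findings:
                report[path] = findings
    return report


def demo():
    """Replay the page's AUTOEXEC.BAT session: -b, then -m with a date two months ahead."""
    now = parse_timestomp_date("Tuesday 9/19/2006 6:25:45 PM")  # the page's time/date output
    blank = FILETIME_EPOCH                                         # state after "timestomp -b"
    stomped = parse_timestomp_date("Sunday 11/19/2006 12:12:12 PM")  # the -m value from the page
    return {
        "after -b": check_timestamps(blank, blank, blank, now),
        "after -m": check_timestamps(blank, blank, stomped, now),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_directory(sys.argv[1]).items():
            print(path, findings)
    else:
        for label, findings in demo().items():
            print(label, findings)
```

Run it with a directory argument to scan a tree, or with no arguments to replay the page's session: after -b all three fields report filetime_zero, and after the -m command the written field reports future while created and accessed still hold the 1601 value. The whole-second heuristic is deliberately the weakest signal; it is suppressed whenever a stronger one fires, and on its own it should prompt a closer look at the $MFT (for example comparing $STANDARD_INFORMATION against $FILE_NAME times) rather than be treated as proof.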