By Chetan Gupta, NII Consulting
A supposedly nightmarish tool for the investigator community! Recently this tool was released at the metasploit anti-forensics site and is available here.
Like the website mentions, this tool can be a headche for any forensic investigator and a handy tool for any mischevious since it has the ability to change all the four timestamps of NTFS and not only that, it has an option to change the timestamps in such a way that Encase shows blanks.
The syntax of the utility is
TimeStomp #filename# [options]
#filename# – the name of the file you wish to modify you may need to surround the full path in ” ”
-m #date# M, set the “last written” time of the file
-a #date# A, set the “last accessed” time of the file
-c #date# C, set the “created” time of the file
-e #date# E, set the “mft entry modified” time of the file
-z #date# set all four attributes (MACE) of the file
#date# “DayofWeek MonthDayYear HH:MM:SS [AM|PM]”
-f #src file# set MACE of equal to MACE of time stamps change, but file attributes are unchanged
-b set the MACE timestamps so that EnCase shows blanks
-r same as -b except it works recursively on a directory (aka the Craig option)
-v show the UTC (non-local time) MACE values for #filename#
-h show this menu, help
Running the tool was pretty easy..
C:f-tools> timestomp.exe testfile.txt -z “Thursday 22/06/2006 12:00:01 PM”
This changed all the four NTFS timestamps of the file testfile.txt to the date and time mentioned within the brackets…cool huh??
Verify it with the following command
C:f-tools> timestomp.exe testfile.txt -v
However as soon as you ran this command, you inadvertantly modified the Last Access time of the file to the current time! So use with caution unless you wanna alert the investigator.
However, when run the tool with option -b which is supposed to create MACE values that should defeat Encase, the tools threw back errors! This option was one of the main attractions for me to use this tool.
Also, the option -v show the timstamps in local time format and not in UTC as is mentioned in the help file.
If these options have worked properly for anybody, kindly let me know!
I hope you have fun experimenting with this tool just like I had!
Experience of over a decade in the IT and CyberSecurity domain. A cyber-detective by nature,
and has solved numerous cyberattack-cases during his tenure at Network Intelligence. When not solving cybercrimes, he enjoys video-games and photography.