Take for example the "Timestomp MACE Values" screenshot displaying a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the operating system or manually by the user.
Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.
A Practical Example
Timestomp cannot be used directly to modify all (on average) 8 timestamp values in the MFT entry; 4 in $STANDARD_INFORMATION attribute and 4 in $FILE_NAME attribute. The $FILE_NAME attribute MACE values are intended to be modified by Windows, but still there is an indirect workaround to update those values in order to further frustrate forensics.
1) Create file (c:\test.txt)
2) Change timestamps using Timestomp
timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM" timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"
3) Move that file to another folder (c:\argument\test.txt)
4) Update accessed and modified timestamps in $STANDARD_INFORMATION
timestomp.exe c:\argument\test.txt -m "Saturday 10/08/2005 2:02:02 PM" timestomp.exe c:\argument\test.txt -a "Saturday 10/08/2005 2:02:02 PM"