From ForensicsWiki
Revision as of 06:11, 24 November 2008 by Shray (Talk | contribs) (Practical illustration and addition to Timestomp information)

Jump to: navigation, search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Timestomp MACE Values
Timestomp is a utility co-authored by developers James C. Foster and Vincent Liu. The software's goal is to allow for the deletion or modification of time stamp-related information on files.

Take for example the "Timestomp MACE Values" screenshot displaying a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the operating system or manually by the user.

Timestomp MACE Change
Using the Timestomp application, the modified date and time stamp can be completely changed (i.e., evidenced by the "Timestomp MACE Change" screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

Timestomp MACE Change Proof
The "Timestomp MACE Change Proof" screenshot is a final shot of the Operating System's interpretation of the Modified time stamp. It reflects the aforementioned change exactly.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.

Timestomp cannot be used directly to modify all 8 time-stamp values, four of which lies in $STANDARD_INFORMATION attribute of an MFT entry, and other four in $FILE_NAME attribute. FN MACE values are intended to be modified by Windows , but still there is an indirect workaround to update those values in order to further frustate anti-forensics.

My findings are concerned with Windows XP SP2 and here is an illustration of those findings.

1) Created c:\test.txt file


2) Changed timestamps using Timestomp

  timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM"
  timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"

3) Pasted that file to some other folder c:\argument\test.txt (Moved )

 $STANDARD_INFORMATION values are copied to $FN MACE values

4) update accessed and modified of $STANDARD_INFORMATION

  timestomp.exe c:\argument\test.txt -m "Saturday 10/08/2005 2:02:02 PM"
  timestomp.exe c:\argument\test.txt -a "Saturday 10/08/2005 2:02:02 PM"

All 8 MACE values are changed, really not sure, this sort of implementation is Operating System specific or just it is global for all Windows version.

External Links