Difference between revisions of "Timestomp"

Revision as of 11:40, 25 October 2007 (view source) Cobalt2020 (Talk | contribs) ← Older edit		Revision as of 02:52, 19 April 2008 (view source) .FUF (Talk | contribs) Newer edit →
Line 17:		Line 17:
	== External Links ==		== External Links ==
−	* [http://www.metasploit.com/projects/antiforensics/timestomp.exe Download Timestomp.exe]	+	* [http://metasploit.com/data/antiforensics/timestomp.exe Download Timestomp.exe]
	* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]		* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]
	[[Category:Anti-forensics tools]]		[[Category:Anti-forensics tools]]

---

Revision as of 02:52, 19 April 2008

Timestomp is a utility co-authored by developers James C. Foster and Vincent Liu. The software's goal is to allow for the deletion or modification of time stamp-related information on files.

Take for example the "Timestomp MACE Values" screenshot displaying a command prompt window displaying the MACE values for a document file titled "text.txt". There are (4) four date time and date stamps displayed that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table by the Operating system or manually by the user.

Using the Timestomp application, the modified date and time stamp can be completely changed (i.e., evidenced by the "Timestomp MACE Change" screenshot). If I were to change it, along with the other entries to more believable dates and times, then the validity of the document falls into question as does its ability to completely slip by an examiner's watchful eye if looking for modified files in an entirely different year or date span.

The "Timestomp MACE Change Proof" screenshot is a final shot of the Operating System's interpretation of the Modified time stamp. It reflects the aforementioned change exactly.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. Microsoft-based Windows operating system record at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.

External Links

• Download Timestomp.exe
• Presentation at Blackhat 2005