Difference between pages "James C. Foster" and "Timestomp"
From Forensics Wiki
(Difference between pages)
(Initial stub) |
(New page: {{Expand}} A tool that allows the user to modify all four NTFS timestamps (MACE) values. Developed by James C. Foster and Vincent Liu. Although this program is designed to fru...) |
||
| Line 1: | Line 1: | ||
{{Expand}} | {{Expand}} | ||
| − | [[Category: | + | A tool that allows the user to modify all four [[NTFS]] timestamps (MACE) values. Developed by [[James C. Foster]] and [[Vincent Liu]]. Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program deletes all time stamp information, it is a dead giveaway that something is amiss on the system. Any normal system has at least ''some'' timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. |
| + | |||
| + | == External Links == | ||
| + | * [http://www.metasploit.com/projects/antiforensics/timestomp.exe Timestomp.exe] | ||
| + | * [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005] | ||
| + | |||
| + | [[Category:Anti-forensics tools]] | ||
Revision as of 13:26, 15 April 2007
|
|
Please help to improve this article by expanding it.
|
A tool that allows the user to modify all four NTFS timestamps (MACE) values. Developed by James C. Foster and Vincent Liu. Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program deletes all time stamp information, it is a dead giveaway that something is amiss on the system. Any normal system has at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something.
