Difference between pages "James C. Foster" and "Timestomp"

From ForensicsWiki
(Difference between pages)
(Initial stub)
 
(New page: {{Expand}} A tool that allows the user to modify all four NTFS timestamps (MACE) values. Developed by James C. Foster and Vincent Liu. Although this program is designed to fru...)
 
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
  
[[Category:People]]
+
A tool that allows the user to modify all four [[NTFS]] timestamps (MACE) values. Developed by [[James C. Foster]] and [[Vincent Liu]]. Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program deletes all time stamp information, it is a dead giveaway that something is amiss on the system. Any normal system has at least ''some'' timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something.
 +
 
 +
== External Links ==
 +
* [http://www.metasploit.com/projects/antiforensics/timestomp.exe Timestomp.exe]
 +
* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]
 +
 
 +
[[Category:Anti-forensics tools]]
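Review bot: the added paragraph is internally inconsistent. Its first sentence says the tool lets the user "modify all four [[NTFS]] timestamps (MACE) values", while the detection argument rests on "the program deletes all time stamp information". State which behaviour the detection claim applies to. "Dead giveaway" also appears in two consecutive sentences, and "time stamp" and "timestamp" are both used; merge the two closing sentences and pick one spelling.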

Revision as of 14:26, 15 April 2007


A tool that allows the user to modify all four NTFS timestamp (MACE) values. Developed by James C. Foster and Vincent Liu. Although this program is designed to frustrate forensic analysis, its use can be easily detected: because the program deletes all timestamp information, it is a dead giveaway that something is amiss on the system. Any normal system has at least some timestamp information, so the total absence of it indicates that a user has tried to hide something.
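The detection idea above, as an added example that is not part of the original wiki page: it decodes the four FILETIME values at the start of an NTFS $STANDARD_INFORMATION attribute and flags records where they are absent. The sample records are constructed, and treating a stored value of zero as "absent" is an assumption of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Order of the four 64-bit FILETIME fields at the start of $STANDARD_INFORMATION.
MACE_FIELDS = ("created", "modified", "entry_modified", "accessed")

def parse_si_timestamps(si: bytes) -> dict:
    """Decode the four little-endian FILETIME values (100 ns ticks since 1601)."""
    if len(si) < 32:
        raise ValueError("need at least 32 bytes of $STANDARD_INFORMATION")
    return dict(zip(MACE_FIELDS, struct.unpack_from("<4Q", si, 0)))

def filetime_to_datetime(ticks: int):
    """Return a UTC datetime, or None for a blank field (assumed stored as 0)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def classify(si: bytes) -> str:
    """'blank' if all four values are absent, 'partial' if some are, else 'ok'."""
    missing = [name for name, t in parse_si_timestamps(si).items() if t == 0]
    if len(missing) == len(MACE_FIELDS):
        return "blank"
    return "partial" if missing else "ok"

def to_filetime(dt: datetime) -> int:
    """Helper used only to build the constructed samples below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

# Constructed sample records (file names and values are illustrative only).
_T = to_filetime(datetime(2007, 4, 15, 14, 26, tzinfo=timezone.utc))
SAMPLES = {
    "report.doc": struct.pack("<4Q", _T, _T, _T, _T),  # normal record
    "tool.exe": struct.pack("<4Q", 0, 0, 0, 0),        # every timestamp absent
    "notes.txt": struct.pack("<4Q", _T, 0, _T, _T),    # one timestamp absent
}

def suspicious(samples: dict) -> list:
    """Names of records with at least one absent timestamp, sorted."""
    return sorted(n for n, si in samples.items() if classify(si) != "ok")

if __name__ == "__main__":
    for name, si in SAMPLES.items():
        times = {k: filetime_to_datetime(v) for k, v in parse_si_timestamps(si).items()}
        print(f"{name}: {classify(si)} {times}")
```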

External Links