A common anti-forensic technique Kroll has observed during incident response engagements is timestomping. Timestomping refers to the alteration of timestamps of a file on an NTFS file system. This tactic is commonly utilized by threat actors to hide their tools on the victim’s file system. This is accomplished by making files appear to have been created outside the incident timeframe, often by years, and could lead to important artifacts being more difficult for examiners to find or missed entirely.
Why Is It Important to Identify?
It is imperative during incident response investigations for examiners to review the contents of compromised hosts to detect potentially malicious files. This includes paying special attention to common NTFS metadata files, including but not limited to the $MFT. The $MFT contains multiple timestamps for each file and folder on the file system of the compromised host. Evidence of timestomping can be observed by comparing the 0x10 ($STANDARD_INFORMATION) and 0x30 ($FILE_NAME) timestamps recorded for an entry within the $MFT.
How Is Timestomping Used?
Threat actors often use timestomping to modify the NTFS timestamps of their tools, their related outputs and any files they create to hold staged data, in order to conceal those files from incident response efforts during the Internal Scouting and Toolkit Deployment steps of the Kroll Intrusion Lifecycle. The timestamps affected include the Modified, Accessed, Changed and Birth (MACB) times. Timestomping can be accomplished using many tools, including PowerShell, Total Commander, SKTimeStamp, ChangeTimestamp, SetMace and NewFileTime.
Key Indicators of Timestomping
There are a few key indicators that could point to timestomping when looking for malicious files. These include:
- When the subsecond portion of an $MFT 0x10 timestamp is .000000
- If the 0x10 timestamp appears to occur before a 0x30 $MFT timestamp
- If the context of a file relating to its name, parent folder or other file details is inconsistent
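The first two indicators above can be checked mechanically against a parsed $MFT. The following Python is an added example, not Kroll's code or tooling, that runs those two checks over constructed records; the field names si_created, si_modified and fn_created are assumed names standing for the 0x10 and 0x30 Created/Modified values a parser would export.

```python
from datetime import datetime

# Constructed sample records shaped like a parsed $MFT export (one row per
# file) carrying the 0x10 ($STANDARD_INFORMATION) and 0x30 ($FILE_NAME)
# Created/Modified times at NTFS 100 ns resolution. Paths are hypothetical.
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\notepad.exe",
     "si_created": "2019-03-19 04:45:39.1234567",
     "si_modified": "2019-03-19 04:45:39.1234567",
     "fn_created": "2019-03-19 04:45:39.1234567"},
    {"path": r"C:\Users\Public\t.exe",             # stomped back by years
     "si_created": "2015-01-01 00:00:00.0000000",  # 0x10: zero subseconds
     "si_modified": "2015-01-01 00:00:00.0000000",
     "fn_created": "2023-06-10 14:22:08.5512301"},  # 0x30: actual creation
]


def parse_ts(value):
    """Split 'YYYY-MM-DD HH:MM:SS.fffffff' into (datetime to the second,
    fraction as an integer count of 100 ns ticks). strptime's %f accepts at
    most six digits, so the seven-digit NTFS fraction is handled by hand."""
    base, _, frac = value.partition(".")
    whole = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return whole, ticks


def timestomp_indicators(rec):
    """Return the $MFT-based indicators that fire for one record. The third
    indicator (file name / parent folder context) needs an analyst and is
    deliberately not encoded here."""
    findings = []
    si_c = parse_ts(rec["si_created"])
    si_m = parse_ts(rec["si_modified"])
    fn_c = parse_ts(rec["fn_created"])
    # Indicator 1: a 0x10 time whose subseconds are all zero. Tools that set
    # times at whole-second granularity leave the fraction zeroed.
    if si_c[1] == 0 or si_m[1] == 0:
        findings.append("0x10 timestamp has zero subseconds")
    # Indicator 2: 0x10 Created earlier than 0x30 Created. NTFS sets both at
    # creation, and user-mode tools that go through the Windows file API
    # rewrite only 0x10, so 0x10 preceding 0x30 is the classic backdating sign.
    if si_c < fn_c:
        findings.append("0x10 created precedes 0x30 created")
    return findings


def scan(records):
    """Map path -> indicators for every record that trips at least one."""
    return {r["path"]: f for r in records if (f := timestomp_indicators(r))}
```

Both checks produce leads rather than proof: a Modified time copied from FAT media or from an archive can legitimately carry zeroed subseconds, so hits should be corroborated with the file's context as the third indicator describes.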
In this series, Kroll experts will dive into an example of timestomping, what it can look like from the threat actor’s perspective and how to detect it and interpret the results.
Read more about Timestomping in our Sophisticated Anti-Forensic Tactics and How To Spot Them series.