Sophisticated Anti-Forensic Tactics and How To Spot Them

Mon, Jun 13, 2022

Anti-Forensics: Timestomping Overview

A common anti-forensic technique Kroll has observed during incident response engagements is timestomping. Timestomping refers to the alteration of timestamps of a file on an NTFS file system. This tactic is commonly utilized by threat actors to hide their tools on the victim’s file system. This is accomplished by making files appear to have been created outside the incident timeframe, often by years, and could lead to important artifacts being more difficult for examiners to find or missed entirely.

Why Is It Important to Identify?

It is imperative during incident response investigations for examiners to review the contents of compromised hosts to detect potentially malicious files. This includes paying special attention to common NTFS metadata files, including but not limited to the $MFT. The $MFT contains multiple timestamps for each file and folder on the file system of the compromised host. Evidence of timestomping can be observed by analyzing the differences in 0x10 and 0x30 timestamps found within the $MFT. 

How Is Timestomping Used?

Threat actors often use timestomping to modify the NTFS timestamps of their tools, related outputs and potentially created files containing staged data to conceal their files from incident response efforts during the Internal Scouting and Toolkit Deployment steps of the Kroll Intrusion Lifecycle. This includes Modified, Accessed, Changed and Birth (MACB) times. Timestomping can be accomplished using many tools, including PowerShell, Total Commander, SKTimeStamp, ChangeTimestamp, SetMace and NewFileTime.

Key Indicators of Timestomping

There are a few key indicators that could point to timestomping when looking for malicious files. These include:

  • When the subseconds in the $MFT’s 0x10 timestamps is .000000
  • If the 0x10 timestamp appears to occur before a 0x30 $MFT timestamp
  • If the context of a file relating to its name, parent folder or other file details is inconsistent

In this series, Kroll experts will dive into an example of timestomping, what it can look like from the threat actor’s perspective and how to detect it and interpret the results.

Read more about Timestomping in our Sophisticated Anti-Forensic Tactics and How To Spot Them series.

Related Articles

 
Stay Ahead with Kroll

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber and Data Resilience

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.

Kroll Artifact Parser And Extractor (KAPE)

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Computer Forensics

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

24x7 Incident Response

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Data Recovery and Forensic Analysis

Data Collection and Preservation

Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.

Data Collection and Preservation

Incident Remediation and Recovery Services

Cyber incident remediation and recovery services are part of Kroll’s Complete Response capabilities, expediting system recovery and minimizing business disruption.

Incident Remediation and Recovery Services

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Cyber Risk Retainer

Incident Response and Litigation Support

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.

Incident Response and Litigation Support
Explore insights
Bumblebee Loader Linked to Conti and Used In Quantum Locker Attacks
Cyber

Bumblebee Loader Linked to Conti and Used In Quantum Locker Attacks

June 6, 2022

by George Glass

Bumblebee Loader Linked to Conti and Used In Quantum Locker Attacks
ModPipe POS Malware: New Hooking Targets Extract Card Data
Cyber

ModPipe POS Malware: New Hooking Targets Extract Card Data

June 2, 2022

by Sean Straw

ModPipe POS Malware: New Hooking Targets Extract Card Data
Q1 2022 Threat Landscape: Threat Actors Target Email for Access and Extortion
Cyber

Q1 2022 Threat Landscape: Threat Actors Target Email for Access and Extortion

May 18, 2022

by Laurie Iacono, Keith Wojcieszek, George Glass

Q1 2022 Threat Landscape: Threat Actors Target Email for Access & Extortion
KAPE Quarterly Update - Q1 2022
Cyber

KAPE Quarterly Update - Q1 2022

April 27, 2022

by Eric Zimmerman

KAPE Quarterly Update – Q1 2022

Kroll is headquartered in New York with offices around the world.

One World Trade Center
285 Fulton Street, 31st Floor
New York NY 10007
+1 212 593 1000
Sign up to receive periodic news, reports, and invitations from Kroll. Our privacy policy describes how your data will be processed.

More About Kroll

More About Kroll
© 2024 Kroll, LLC. All rights reserved. Kroll is not affiliated with Kroll Bond Rating Agency, Kroll OnTrack Inc. or their affiliated businesses. Read more.
Return to top