Timestomp.exe

By Chetan Gupta, NII Consulting
A supposedly nightmarish tool for the investigator community! Recently this tool was released at the metasploit anti-forensics site and is available here.
Like the website mentions, this tool can be a headche for any forensic investigator and a handy tool for any mischevious since it has the ability to change all the four timestamps of NTFS and not only that, it has an option to change the timestamps in such a way that Encase shows blanks.

The syntax of the utility is

TimeStomp #filename# [options]

#filename# – the name of the file you wish to modify you may need to surround the full path in ” ”
Options:

-m #date# M, set the “last written” time of the file
-a #date# A, set the “last accessed” time of the file
-c #date# C, set the “created” time of the file
-e #date# E, set the “mft entry modified” time of the file
-z #date# set all four attributes (MACE) of the file

#date# “DayofWeek MonthDayYear HH:MM:SS [AM|PM]”

-f #src file# set MACE of equal to MACE of time stamps change, but file attributes are unchanged
-b set the MACE timestamps so that EnCase shows blanks
-r same as -b except it works recursively on a directory (aka the Craig option)
-v show the UTC (non-local time) MACE values for #filename#
-h show this menu, help

Running the tool was pretty easy..

C:f-tools> timestomp.exe testfile.txt -z “Thursday 22/06/2006 12:00:01 PM”

This changed all the four NTFS timestamps of the file testfile.txt to the date and time mentioned within the brackets…cool huh??

Verify it with the following command

C:f-tools> timestomp.exe testfile.txt -v

However as soon as you ran this command, you inadvertantly modified the Last Access time of the file to the current time! So use with caution unless you wanna alert the investigator.

However, when run the tool with option -b which is supposed to create MACE values that should defeat Encase, the tools threw back errors! This option was one of the main attractions for me to use this tool.

Also, the option -v show the timstamps in local time format and not in UTC as is mentioned in the help file.

If these options have worked properly for anybody, kindly let me know!

I hope you have fun experimenting with this tool just like I had!
Happy experimentation!

Author


3 comments

when i am using the tool,it says access denied ,can you tell me what is the problem.

Hi Vishwajit,
The problem could be that you are not logged in as administrator or you are trying to change the timestamps of a file that you do not own or have sufficient privileges on!

Chetan

What options did u supply with the -b switch,

http://dfrt.blogspot.com

Leave a Reply

Your email address will not be published. Required fields are marked *