Requirements
- Windows XP
- Timestomp.exe
- Hex editor (optional really)
- UPX Packer
Timestomp has the ability to modify or delete the accessed, created, modified and entry modified timestamp values on an NTFS system. These are also known as the MACE attributes or timestamp values. Timestomp was created by two individuals named James Foster and Vincent Liu.
There have been a million articles written on using timestomp.exe. However, the goal of this article is to give some ideas on how to use timestomp and avoid leaving evidence behind that would point to its use.
Step 1
An examiner can be tipped off by timestamp values that lead them to believe the timestamps were modified maliciously. An example of this might be an examiner working on a case where a valid .docx document was, according to its timestamps, created in the year 1992. The .docx format did not exist in 1992, so most examiners should be able to conclude that the timestamps on this file have been modified.
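The plausibility check described above, as an added example from the examiner's side (not code from the original post): it flags MACE timestamps that predate the file format, lie in the future, or all fall on whole seconds. The format-year table and the sample dates are constructed assumptions for this example.

```python
from datetime import datetime, timezone

# Constructed lookup (an assumption for this example): the earliest year in
# which each file format existed, so a creation date before it is impossible.
FORMAT_FIRST_YEAR = {
    ".docx": 2006, ".xlsx": 2006, ".pptx": 2006,  # Office Open XML
    ".pdf": 1993, ".png": 1996, ".doc": 1983,
}

def utc(iso):
    """Parse an ISO-8601 string into a timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def mace_anomalies(name, created, modified, accessed, entry_modified, now=None):
    """Return a list of reasons the MACE timestamps on `name` look implausible.

    The four timestamps are timezone-aware datetimes as read from the file's
    $STANDARD_INFORMATION attribute. An empty list means nothing stood out,
    not that the timestamps are genuine.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    first_year = FORMAT_FIRST_YEAR.get(ext)
    if first_year is not None and created.year < first_year:
        reasons.append(f"created in {created.year}, but {ext} did not exist before {first_year}")
    stamps = {"created": created, "modified": modified,
              "accessed": accessed, "entry modified": entry_modified}
    for label, stamp in stamps.items():
        if stamp > now:
            reasons.append(f"{label} timestamp lies in the future")
    # NTFS stores timestamps in 100 ns units. A tool that writes whole-second
    # values leaves every fractional part at zero, which is rare for files
    # written normally by an application; treat it as a lead, not proof.
    if all(stamp.microsecond == 0 for stamp in stamps.values()):
        reasons.append("all four timestamps fall exactly on a whole second")
    return reasons

if __name__ == "__main__":
    # Constructed case: a .docx whose creation date was pushed back to 1992.
    print(mace_anomalies("report.docx", utc("1992-05-03T10:00:00"),
                         utc("2009-06-01T12:00:00"), utc("2009-06-01T12:00:00"),
                         utc("2009-06-01T12:00:00"), now=utc("2010-01-01T00:00:00")))
```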
An initial method of discovering the use of timestomp would be to do a keyword search across the entire hard drive for the string “timestomp.” If you had used it, even from a thumb drive, it should show up somewhere on the hard drive.
This could include a .lnk (link) file, which is created in places like the Recent Documents directory when you run a file. Another area where some traces will probably end up is unallocated and slack space. This is especially so if you perform a normal deletion of the file, or if remnants of the file move from RAM to the pagefile and then to unallocated space. There is also the Windows prefetch directory, which I will explain below.
If someone were planning to use timestomp.exe the very first thing they should do is rename it. Name it something that avoids suspicion, like RUNDLL32.EXE. The real RUNDLL32.exe is a system process and file responsible for loading DLL files into memory and running them.
Windows XP has a “Prefetcher” which stores .pf files in the c:\windows\prefetch directory. When an executable is run on a Windows XP system, a prefetch file for it is created. Now if you ran timestomp.exe from a thumb drive thinking you were all sneaky, an examiner would still find the prefetch file that was created when you ran timestomp.
Step 2
You absolutely need to understand that modern forensic software like Encase has the ability to create an MD5 hash of all files on a hard drive. An MD5 hash is like a digital fingerprint.
An examiner can create an MD5 hash of the original timestomp.exe file and then using modern forensics software they can see if that file also exists on the hard drive through a hash comparison process.
So how can this be stopped you ask?
Well, simple. You can take a hex editor and change one byte somewhere in timestomp.exe to defeat hash comparison and analysis. Remember that doing this without also changing the filename makes the hex edit pointless, since a simple “sort by filename” or prefetch analysis will still show the use of timestomp on the system.
Step 2 continued – The Sure-fire Method
Use a file packer! What this does is compress or “pack” the file. In the example below you can see that I used UPX, the Ultimate Packer for eXecutables to compress timestomp.exe and output it to a file called rundll32.exe. UPX is free and works great. Using a file packer like this will not only change the MD5 hash that would be generated but it also gets rid of those pesky strings from the help command in timestomp.exe which would give it away.
If timestomp resided on the hard disk being examined, had its filename changed, and had a byte modified to change the MD5 hash, it could still be found with a keyword search for “timestomp.” This is because the executable itself contains numerous occurrences of the string “timestomp.” An examiner could then copy out the file and run it to see whether it is timestomp.
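The three examiner checks discussed in Step 2 (hash comparison, keyword search, and what packing does to both), as an added example that is not code from the original post: the same file is triaged in its original, hex-edited and UPX-packed states. The byte strings and the known-hash set are constructed placeholders, not the real tool; the UPX0/UPX1 section names and the "UPX!" tag are markers UPX itself writes into a packed image.

```python
import hashlib
import re

# Constructed placeholder (an assumption for this example): the examiner's set
# of known hashes. In practice it would hold the MD5 of the real timestomp.exe.
KNOWN_TOOL_MD5 = {"00000000000000000000000000000000"}

# The help text inside the unpacked tool mentions its own name many times.
TOOL_STRING = re.compile(rb"timestomp", re.IGNORECASE)

# UPX leaves its own markers in the packed image: the UPX0/UPX1 section names
# and the "UPX!" tag of its header, so packing is itself something to flag.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

def triage(data, known_md5=KNOWN_TOOL_MD5):
    """Run the three checks from the article over one file's bytes.

    Returns (md5, findings). The filename is deliberately not consulted,
    because renaming is the first thing the article says will happen.
    """
    findings = []
    md5 = hashlib.md5(data).hexdigest()
    if md5 in known_md5:
        findings.append("md5 matches a known copy of the tool")
    if TOOL_STRING.search(data):
        findings.append("contains the string 'timestomp'")
    if any(marker in data for marker in UPX_MARKERS):
        findings.append("UPX packer markers present; unpack before judging")
    return md5, findings

# Constructed stand-ins for the three states of the file discussed above.
ORIGINAL = b"MZ\x90\x00 ... usage text mentioning TimeStomp ... timestomp -m"
ONE_BYTE_CHANGED = ORIGINAL[:-1] + b"M"   # hex-edited: only the hash changes
PACKED = b"MZ\x90\x00 UPX0 UPX1 UPX! \x7f\x3a\x01 compressed body \x9c\x2e"

def walk_through():
    """Return the findings for each state, with the original's hash as known."""
    known = {hashlib.md5(ORIGINAL).hexdigest()}
    states = (("original", ORIGINAL), ("hex-edited", ONE_BYTE_CHANGED), ("packed", PACKED))
    return {name: triage(blob, known)[1] for name, blob in states}

if __name__ == "__main__":
    for state, findings in walk_through().items():
        print(f"{state:>10}: {findings}")
```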
Finally…
Make your timestamp modifications look legitimate. Like previously stated, you do not want to set the creation date of a certain file to before that file format even existed or other stupid things like that.
Summary
- Change the filename to something that is not suspicious
- Pack the file to avoid MD5 and keyword analysis detection
- Be smart about your timestamp modifications
- Use common sense about where you store your modified version of timestomp or get rid of it altogether after use
Links to what you need:
Also, open timestomp.exe in a hex editor and take a look at it before and after packing it with UPX to get a good idea of what has changed.
Are there any KFF hash files for timestomp that might flag its use?
I rarely comment on blogs but yours I had to stop and say Great Blog!!
Hey BG, I’m pretty sure there are not. I don’t use FTK really so I can’t be certain but it looks like you can make your own pretty easily. Link (PDF)
However, you’d be out of luck if someone brought a packed/compressed or otherwise modified timestomp.exe into a system, one which you don’t have access to in order to create a hash from.
Very interesting site, Hope it will always be alive!
[...] information for malicious actors on the tools and methods to modify timestamps is out there already and has [...]