Modify NTFS Timestamps and Cover Your Tracks With Timestomp

Requirements

  • Windows XP
  • Timestomp.exe
  • Hex editor (optional really)
  • UPX Packer

Timestomp has the ability to modify or delete the accessed, created, modified and entry modified timestamp values on an NTFS system. These are also known as the MACE attributes or timestamp values. Timestomp was created by two individuals named James Foster and Vincent Liu.

There have been a million articles written on using timestomp.exe. However, the goal of this article is to give some ideas on how to use timestomp and avoid leaving evidence behind that would point to its use.

Step 1

An examiner can be tipped off to timestamp modifications which might lead them to the belief that the timestamps were modified maliciously. An example of this might be an examiner working on a case where a valid .docx document was created in the year 1992 according to timestamps. The .docx format did not exist in 1992, so most examiners should be able to come to the conclusion that the timestamps on this file have been modified.

An initial method of discovering the use of timestomp would be to do a keyword search across the entire hard drive for the string “timestomp.” If you had used it, even from a thumb drive, it should show up somewhere on the hard drive.

This could include a .lnk (link) file, which Windows creates in places like the Recent Documents directory when you run a file. Another area where traces will probably end up is unallocated and slack space, especially if you perform a normal deletion of the file, or if remnants of the file move from RAM to the pagefile and then to unallocated space. There is also the Windows prefetch directory, which I will explain further below.

If someone were planning to use timestomp.exe the very first thing they should do is rename it. Name it something that avoids suspicion, like RUNDLL32.EXE. The real RUNDLL32.exe is a system process and file responsible for loading DLL files into memory and running them.

Windows XP has a “Prefetcher” which stores .pf files in the C:\Windows\Prefetch directory. When an executable is run on a Windows XP system, a prefetch file for it is created. So if you ran timestomp.exe from a thumb drive thinking you were being sneaky, an examiner would still find the prefetch file that was created when you ran it.
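As an added example that is not part of the original post, this is how an examiner reads back what makes the prefetch artifact useful: the executable name, run count, last run time and the device paths of every file the run touched, parsed out of a constructed version-17 (Windows XP) .pf image built inline. It also shows why the rename trick is weak from the examiner's side: a program calling itself RUNDLL32.EXE whose own path in the prefetch is a removable-disk device path rather than \WINDOWS\SYSTEM32 stands out. The field offsets follow the XP prefetch layout; the USB device path and timestamps in the sample are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

XP_PF_VERSION = 17   # prefetch format version written by Windows XP / Server 2003
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ticks):
    """FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_xp_prefetch(data):
    """Read the fields an examiner wants from a version-17 .pf image."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version != XP_PF_VERSION:
        raise ValueError("not a Windows XP prefetch file")
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    str_off, str_size = struct.unpack_from("<II", data, 0x64)   # filename strings block
    (last_run,) = struct.unpack_from("<Q", data, 0x78)          # last run time (FILETIME)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    raw = data[str_off:str_off + str_size].decode("utf-16-le")
    paths = [p for p in raw.split("\x00") if p]   # device paths of every file the run loaded
    return {"exe": exe, "last_run": filetime_to_dt(last_run),
            "run_count": run_count, "paths": paths}

def misplaced_system_binary(info, expected_dir="\\WINDOWS\\SYSTEM32\\"):
    """Paths of the executable itself that are not under the directory the real copy lives in."""
    own = [p for p in info["paths"] if p.upper().endswith("\\" + info["exe"].upper())]
    return [p for p in own if expected_dir not in p.upper()]

def build_sample_pf(exe, paths, last_run, run_count):
    """Construct a minimal version-17 .pf image for offline testing (not a real capture)."""
    strings = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    hdr = bytearray(0x98)   # 0x54-byte header + 0x44-byte version-17 file information
    struct.pack_into("<I4sII", hdr, 0, XP_PF_VERSION, b"SCCA", 0x0F, len(hdr) + len(strings))
    hdr[0x10:0x10 + len(exe) * 2] = exe.encode("utf-16-le")
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(strings))
    struct.pack_into("<Q", hdr, 0x78, int((last_run - EPOCH_1601).total_seconds()) * 10_000_000)
    struct.pack_into("<I", hdr, 0x90, run_count)
    return bytes(hdr) + strings

# Constructed sample: something calling itself RUNDLL32.EXE ran three times from a USB disk.
SAMPLE_PF = build_sample_pf(
    "RUNDLL32.EXE",
    ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
     "\\DEVICE\\HARDDISK1\\DP(1)0-0+4\\RUNDLL32.EXE"],
    datetime(2009, 4, 10, 12, 0, tzinfo=timezone.utc), 3)

if __name__ == "__main__":
    info = parse_xp_prefetch(SAMPLE_PF)
    print(info["exe"], info["run_count"], info["last_run"], misplaced_system_binary(info))
```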

Step 2

You absolutely need to understand that modern forensic software like EnCase has the ability to create an MD5 hash of every file on a hard drive. An MD5 hash is like a digital fingerprint.

An examiner can create an MD5 hash of the original timestomp.exe file and then, using forensic software, check whether that file also exists on the hard drive through a hash comparison.

So how can this be stopped you ask?

Well, simple. You can take a hex editor and change one byte somewhere in timestomp.exe to then defeat hash comparison and analysis. Remember that doing this without changing the filename defeats the entire hex editing process as a simple “sort by filename” or prefetch analysis will show the use of timestomp on the system.

Step 2 continued – The Sure-fire Method

Use a file packer! What this does is compress or “pack” the file. In the example below you can see that I used UPX, the Ultimate Packer for eXecutables to compress timestomp.exe and output it to a file called rundll32.exe. UPX is free and works great. Using a file packer like this will not only change the MD5 hash that would be generated but it also gets rid of those pesky strings from the help command in timestomp.exe which would give it away.

Timestomp Being UPX'd

If timestomp resided on the hard disk being examined, had its filename changed and a bit modified to change the MD5 hash, it could still be found with a keyword search for “timestomp.” This is because the executable itself contains numerous strings with the word timestomp in them. An examiner could then copy out the file and run it to see if it is timestomp.

Finally…

Make your timestamp modifications look legitimate. Like previously stated, you do not want to set the creation date of a certain file to before that file format even existed or other stupid things like that.

Summary

  1. Change the filename to something that is not suspicious
  2. Pack the file to avoid MD5 and keyword analysis detection
  3. Be smart about your timestamp modifications
  4. Use common sense about where you store your modified version of timestomp or get rid of it altogether after use

Links to what you need:

Also, open timestomp.exe in a hex editor and take a look at it before and after packing it with UPX to get a good idea of what has changed.

old comments:

  1. BG (April 11, 2009 at 11:08 pm): Are there any KFF hash files for timestomp that might flag its use?
  2. mark (April 15, 2009 at 2:21 pm): I rarely comment on blogs but yours I had to stop and say Great Blog!!
  3. Yar (April 15, 2009 at 4:50 pm): Hey BG, I’m pretty sure there are not. I don’t use FTK really so I can’t be certain but it looks like you can make your own pretty easily. Link (PDF). However, you’d be out of luck if someone brought in a packed/compressed or otherwise modified timestomp.exe into a system. One which you don’t have access to create a hash out of.
  4. Tami (May 1, 2009 at 2:48 pm): Very interesting site, hope it will always be alive!
  5. loaded (February 10, 2011 at 1:52 pm): I attended a conference last year having to do with digital investigations and remember hearing something about Timestomp setting the times to xx:xx:0000 instead of xx:xx:(random #). Anyone had any experience with this to know if this is accurate or not?
  6. Nadja (April 1, 2011 at 2:40 am): The provided link to the timestomp.exe is not valid anymore. Maybe you want to change that.
     • admin (April 1, 2011 at 4:25 pm): Thanks for the heads up :) I’ll have to fix the link once metasploit hosts it again. Can’t seem to find it.
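Two of the examiner-side checks touched on this page, the pre-format creation date from Step 1 and the “xx:xx:0000” sub-second question raised in the comments above, as an added Python example that is not part of the original post or its comments. Timestomp’s command line accepts times only to the second, so any FILETIME it writes has a zero fractional part; the table of earliest plausible years per extension and the sample MACE values are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # NTFS FILETIME counts 100 ns intervals

# Assumed table (constructed for this example): the earliest year a file in that
# format could legitimately have been created. Extend it for the formats in your case.
EARLIEST_PLAUSIBLE_YEAR = {".docx": 2006, ".xlsx": 2006, ".pptx": 2006}

def dt_to_filetime(dt, sub_second_ticks=0):
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + sub_second_ticks

def filetime_to_dt(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def triage_mace(path, created, modified, accessed, entry_modified):
    """Findings for one file's four NTFS timestamps, given as raw FILETIME ticks."""
    findings = []
    mace = {"created": created, "modified": modified,
            "accessed": accessed, "entry_modified": entry_modified}
    # Heuristic 1: a tool that accepts times only to the second writes FILETIMEs whose
    # fractional part is exactly zero. Whole seconds also occur legitimately (files
    # copied from FAT media, some archivers), so this is a lead for review, not proof.
    zeroed = [name for name, t in mace.items() if t % TICKS_PER_SECOND == 0]
    if zeroed:
        findings.append("zero sub-second precision on: " + ", ".join(zeroed))
    # Heuristic 2: the creation date predates the existence of the file format.
    ext = ("." + path.rsplit(".", 1)[1].lower()) if "." in path else ""
    year = filetime_to_dt(created).year
    if ext in EARLIEST_PLAUSIBLE_YEAR and year < EARLIEST_PLAUSIBLE_YEAR[ext]:
        findings.append(f"{ext} created in {year}, before the format existed "
                        f"(assumed earliest year {EARLIEST_PLAUSIBLE_YEAR[ext]})")
    return findings

# Constructed samples: one file with all four values set to a whole second in 1992,
# one untouched file with ordinary sub-second noise in its timestamps.
SAMPLE_STOMPED = tuple(dt_to_filetime(datetime(1992, 3, 14, 9, 0, tzinfo=timezone.utc))
                       for _ in range(4))
SAMPLE_NORMAL = tuple(dt_to_filetime(datetime(2009, 4, 10, 12, 0, 5, tzinfo=timezone.utc),
                                     1_234_567 + i) for i in range(4))

if __name__ == "__main__":
    for name, mace in (("report.docx", SAMPLE_STOMPED), ("notes.txt", SAMPLE_NORMAL)):
        print(name, triage_mace(name, *mace) or ["no findings"])
```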
