Comments on: Modify NTFS Timestamps and Cover Your Tracks With Timestomp.exe

By: admin

admin — Sat, 02 Apr 2011 00:25:44 +0000

Thanks for the heads up I’ll have to fix the link once metasploit hosts it again. Can’t seem to find it.

By: Nadja

Nadja — Fri, 01 Apr 2011 10:40:51 +0000

The provided link to the timestomp.exe is not valid anymore. Maybe you want to change that.

By: loaded

loaded — Thu, 10 Feb 2011 21:52:22 +0000

I attended a conference last year having to do with digital investigations and remember hearing something about Timestomp setting the times to xx:xx:0000 instead of xx:xx:(random #). Anyone had any experience with this to know if this is accurate or not?

By: Benefits of using multiple timestamps during timeline analysis in digital forensics | Portable Digital Video Recorder

Wed, 18 Aug 2010 16:54:22 +0000

[...] information for malicious actors on the tools and methods to modify timestamps is out there already and has [...]

By: Tami

Tami — Fri, 01 May 2009 22:48:57 +0000

Very interesting site, Hope it will always be alive!

By: Yar

Yar — Thu, 16 Apr 2009 00:50:24 +0000

Hey BG, I’m pretty sure there are not. I don’t use FTK really so I can’t be certain but it looks like you can make your own pretty easily. Link (PDF)

However, you’d be out of luck if someone brought in a packed/compressed or otherwise modified timestomp.exe into a system. One which you don’t have access to create a hash out of.

By: mark

mark — Wed, 15 Apr 2009 22:21:31 +0000

I rarely comment on blogs but yours I had to stop and say Great Blog!!

By: BG

BG — Sun, 12 Apr 2009 07:08:42 +0000

Are there any KFF hash files for timestomp that might flag its use?