Mon, Jun 13, 2022

Anti-Forensics: Timestomping Overview

A common anti-forensic technique Kroll has observed during incident response engagements is timestomping. Timestomping is the deliberate alteration of the timestamps stored for a file on an NTFS file system. Threat actors use it to hide their tools on the victim's file system: the altered timestamps are the ones Windows Explorer, the dir command and most triage scripts display, so a tool dropped yesterday can be made to look like a file created years before the incident. Examiners who filter or sort by date to narrow the incident timeframe may then find the artifact late or miss it entirely.

Why Is It Important to Identify?

It is imperative during incident response investigations for examiners to review the contents of compromised hosts to detect potentially malicious files. This includes paying special attention to the NTFS metadata files, in particular the $MFT. The $MFT holds a record for every file and folder on the volume, and each record carries two sets of timestamps: one in the $STANDARD_INFORMATION attribute (attribute type 0x10) and one in the $FILE_NAME attribute (attribute type 0x30). The Windows API that most timestomping tools rely on (SetFileTime) writes only the 0x10 set; the 0x30 set is maintained by the kernel and is not exposed to ordinary user-mode calls. Evidence of timestomping can therefore be observed by comparing the 0x10 and 0x30 timestamps within each $MFT record and looking for relationships that normal file system activity does not produce.

How Is Timestomping Used?

Threat actors often use timestomping on their tools, on the output those tools produce and on files containing staged data, so that these files blend in with legitimate content and evade incident response efforts during the Internal Scouting and Toolkit Deployment steps of the Kroll Intrusion Lifecycle. The timestamps targeted are the Modified, Accessed, Changed (that is, $MFT record changed) and Birth (created) times, collectively known as MACB times. Timestomping can be accomplished with many tools, including PowerShell (by assigning new values to the creation, last-write and last-access properties of a file object), Total Commander, SKTimeStamp, ChangeTimestamp, SetMace and NewFileTime.

Key Indicators of Timestomping

There are a few key indicators that could point to timestomping when looking for malicious files. None of them is proof on its own, and each should be corroborated with other artifacts. These include:

  • When the fractional seconds of a 0x10 timestamp in the $MFT are all zeros (.0000000). NTFS stores timestamps at 100-nanosecond resolution, so a value that falls exactly on a whole second usually means a tool set it from a date and time supplied with only second precision.
  • When a 0x10 timestamp is earlier than the corresponding 0x30 timestamp in the same $MFT record. The 0x30 values are written by the kernel when the file is created or renamed in its directory, so a 0x10 creation time that predates the 0x30 creation time indicates the 0x10 value was rewritten afterwards. Be aware that installers, archive extractors and backup tools that preserve the original modification time produce an older 0x10 modified time legitimately.
  • When the context of a file is inconsistent with its timestamps: for example, a file name or parent folder that did not exist on the system at the claimed creation date, a creation time older than that of the folder containing it, or a compiled executable whose timestamps predate its version or compile information.
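As an added example that is not Kroll's code and not part of the original article, the following Python script applies the three indicators above, together with the 0x10 versus 0x30 comparison described under "Why Is It Important to Identify?", to an $MFT export. It assumes the column names MFTECmd writes to its $MFT CSV output (EntryNumber, ParentEntryNumber, IsDirectory, ParentPath, FileName, Created0x10, Created0x30, LastModified0x10, LastModified0x30); rename them if another parser is used. The sample rows embedded below are constructed for the example.

```python
"""Flag candidate timestomped files in a parsed $MFT export.

Added example, not Kroll's tooling. Column names are assumed to match the
MFTECmd $MFT CSV layout; the sample rows are constructed, not real evidence.
"""
import csv
import io
from datetime import datetime
from typing import Dict, List

# Timestamp pairs compared between $STANDARD_INFORMATION (0x10) and
# $FILE_NAME (0x30). Access times are skipped: they are frequently disabled
# by NtfsDisableLastAccessUpdate and are unreliable either way.
PAIRS = ("Created", "LastModified")

# Constructed MFTECmd-style rows (UTC, seven fractional digits = 100 ns units).
# Entry 40210 is a folder created during the incident; winupd.exe inside it
# carries a 2009 creation time on whole seconds, a classic stomped pattern.
SAMPLE_CSV = r"""EntryNumber,ParentEntryNumber,IsDirectory,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
1201,1190,False,.\Windows\System32,svchost.exe,2021-03-14 09:12:44.1234567,2021-03-14 09:12:44.1234567,2021-03-14 09:12:44.1234567,2021-03-14 09:12:44.1234567
40210,1188,True,.\Users\Public,staging,2022-06-10 17:58:03.4410021,2022-06-10 17:58:03.4410021,2022-06-10 18:07:44.9102300,2022-06-10 17:58:03.4410021
88751,40210,False,.\Users\Public\staging,winupd.exe,2009-07-14 02:39:15.0000000,2022-06-10 18:03:21.5543120,2009-07-14 02:39:15.0000000,2022-06-10 18:03:21.5543120
88752,40210,False,.\Users\Public\staging,report.docx,2022-06-10 18:05:02.2280011,2022-06-10 18:05:02.2280011,2022-06-10 18:07:44.9102300,2022-06-10 18:05:02.2280011
"""


def parse_ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' into a datetime.

    datetime keeps only microseconds, so the seventh fractional digit is
    truncated for comparison; the raw string is used for the zero check.
    """
    base, _, frac = text.partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%d %H:%M:%S.%f")


def fraction_is_zero(text: str) -> bool:
    """True when fractional digits are present and every one of them is 0."""
    _, _, frac = text.partition(".")
    return frac != "" and set(frac) == {"0"}


def find_timestomp_candidates(csv_text: str) -> Dict[str, List[str]]:
    """Return {full path: [reasons]} for rows matching any indicator."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Directory records by entry number, for the parent-folder context check.
    dirs = {r["EntryNumber"]: r for r in rows if r["IsDirectory"] == "True"}
    findings: Dict[str, List[str]] = {}

    for r in rows:
        reasons: List[str] = []

        # Indicator 1: whole-second 0x10 values. SetFileTime callers that
        # take a date/time with second precision leave the 100 ns field at 0.
        for field in PAIRS:
            if fraction_is_zero(r[f"{field}0x10"]):
                reasons.append(f"{field}0x10 has zero fractional seconds")

        # Indicator 2: 0x10 earlier than 0x30. The kernel writes $FILE_NAME
        # at creation/rename and SetFileTime cannot reach it, so an older
        # $STANDARD_INFORMATION value was rewritten after the fact.
        for field in PAIRS:
            if parse_ts(r[f"{field}0x10"]) < parse_ts(r[f"{field}0x30"]):
                reasons.append(f"{field}0x10 earlier than {field}0x30")

        # Indicator 3 (context): the file claims to predate its parent folder.
        # Files moved into a newer folder trigger this legitimately, so it is
        # a prompt to look closer rather than a finding by itself.
        parent = dirs.get(r["ParentEntryNumber"])
        if parent and parse_ts(r["Created0x10"]) < parse_ts(parent["Created0x10"]):
            reasons.append("Created0x10 predates parent directory")

        if reasons:
            findings[f"{r['ParentPath']}\\{r['FileName']}"] = reasons
    return findings


if __name__ == "__main__":
    for path, why in find_timestomp_candidates(SAMPLE_CSV).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Run against a real export, only winupd.exe-style rows should surface; svchost.exe and report.docx in the sample pass every check. Expect noise from the LastModified comparison on files installed by MSI packages, archive extractors and restore tools that preserve the original modification time, and from the parent-folder check on files a user simply moved, which is why each hit is listed with its reasons rather than collapsed into a single verdict.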

In this series, Kroll experts will dive into an example of timestomping, what it can look like from the threat actor’s perspective and how to detect it and interpret the results.

Read more about Timestomping in our Sophisticated Anti-Forensic Tactics and How To Spot Them series.
