What is Time stomping?
Time stomping is a prevalent anti-forensic technique encountered in incident response matters. The manipulation of timestamps, specifically the MACB (Modified, Access, Change, Birth) timestamps on an NTFS file system, serves as a means to conceal tools or their outputs from incident responders. Time stomping is not exclusive to malicious activity, as legitimate users may employ it to preserve timestamps for historical files, but it must still be investigated.
Detection Methods:
Compare Timestamps: Analyze discrepancies between $FILE_NAME and $STANDARD_INFORMATION.
Sub-Second Resolution: Detect zeroed fractional seconds, indicating potential timestamp manipulation.
ShimCache Comparison: Compare ShimCache timestamps with file modification times to detect anomalies.
Directory Index Examination: Analyze directory indexes ($I30) for stale entries with older timestamps, indicating possible backdating.
Investigation with KAPE
The investigative process with KAPE starts with acquiring the Master File Table ($MFT), the $J (USN Journal), and link (LNK) files. The KAPE triage compound target covers the $MFT, $J, and LNK file targets. KAPE's output contains both the raw files and the parsed outputs, which makes this workflow an efficient way to gather artifacts for analysis.
All anti-forensic tools have one thing in common: they modify only the $SI ($STANDARD_INFORMATION) timestamps. They do not modify the $FN ($FILE_NAME) timestamps. Comparing these two sets of timestamps in Timeline Explorer can therefore help identify time stomping.
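As an added example (not code from the original post), the following Python script applies the $SI/$FN comparison described above and the zeroed-fractional-seconds check from the detection list to an $MFT CSV export; the MFTECmd-style column names (Created0x10, Created0x30, LastModified0x10) and the sample rows are assumptions constructed for this example.

```python
"""Flag time-stomping indicators in an $MFT CSV export.

Added example, not from the original post. Two checks: a $STANDARD_INFORMATION
(0x10) created time earlier than the $FILE_NAME (0x30) created time, and zeroed
fractional seconds in the 0x10 timestamps. Column names (MFTECmd-style) and the
sample rows are constructed assumptions for this example."""
import csv
import io
from datetime import datetime

# Constructed sample export: one untouched file, one stomped back to 2005.
SAMPLE_CSV = """FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
notes.txt,2024-03-11 09:15:22.1234567,2024-03-11 09:15:22.1234567,2024-03-11 09:20:01.8765432,2024-03-11 09:15:22.1234567
eviloutput.txt,2005-01-01 00:00:00.0000000,2024-03-11 10:02:45.5551234,2005-01-01 00:00:00.0000000,2024-03-11 10:02:45.5551234
"""


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff'. NTFS stores 100 ns ticks (7 digits)
    while datetime keeps microseconds (6), so the last digit is dropped."""
    if not value:
        return None
    head, _, frac = value.partition(".")
    return datetime.strptime(f"{head}.{frac[:6].ljust(6, '0')}",
                             "%Y-%m-%d %H:%M:%S.%f")


def find_stomped(csv_text):
    """Return [(filename, [reasons])] for rows showing stomping indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        si_created = parse_ts(row.get("Created0x10"))
        fn_created = parse_ts(row.get("Created0x30"))
        # Tools rewrite 0x10 only, so a 0x10 time older than 0x30 is anomalous.
        if si_created and fn_created and si_created < fn_created:
            reasons.append("0x10 created earlier than 0x30 created")
        # Times set through the file API often carry an all-zero fraction.
        si_times = [parse_ts(row.get(c)) for c in ("Created0x10", "LastModified0x10")]
        if all(t is not None and t.microsecond == 0 for t in si_times):
            reasons.append("zeroed fractional seconds in 0x10 timestamps")
        if reasons:
            hits.append((row["FileName"], reasons))
    return hits


if __name__ == "__main__":
    for name, why in find_stomped(SAMPLE_CSV):
        print(f"{name}: {'; '.join(why)}")
```

Point the script at a real MFTECmd CSV by reading the file into `find_stomped`; rows flagged for only the zeroed-fraction reason deserve a closer look rather than an immediate verdict, since some legitimate software also writes whole-second timestamps.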
Timeline Explorer and Real-Life Examples
Timeline Explorer is an indispensable tool for incident response examiners, particularly for analyzing CSV outputs. Developed by Eric Zimmerman, it handles large CSV files well, surpassing the limitations of Excel.
Timestamps
$STANDARD_INFORMATION timestamps: these are accessible through the Windows API.
$FILE_NAME timestamps: these are maintained by the Windows kernel.
1. Time Stomping in $J
2. Time Stomping in $MFT (Very Important)
In the screenshot, the attacker time stomped eviloutput.txt: the $STANDARD_INFORMATION (0x10) timestamp was changed to 2005 using an anti-forensic tool. Because such tools do not modify $FILE_NAME (0x30), that attribute still shows the original timestamp from when the file was created.
3. Another example
MFT Time Stomping Analysis Using LNK Files:
Capture the LNK files and parse them with LECmd.exe.
Let's understand:
I have created a file named akash.txt; no LNK file is created yet (as I did not open the file).
I have opened the file akash.txt, and the LNK file is created for the first time.
Example with image:
1. When the file was created, no link file existed yet because it had not been opened.
2. Performed time stomping but did not open the file, so the time is the same as the previous one.
3. File opened and LNK file created.
4. Performed time stomping again on the file but did not open it, which means the LNK file is not updated.
The LNK file is refreshed only if time stomping has happened and the file is then opened.
Keep in mind that, as usual, there may be false positives when analyzing the $MFT for time stomping; the analyst must understand this.
ScreenConnect example of time stomping:
Conclusion
Understanding NTFS timestamps and their behavior, along with registry settings and forensic analysis techniques, is crucial for identifying file manipulation, detecting potential tampering, and conducting thorough investigations.
Akash Patel