- ID: AF032.003
- Created: 04th May 2026
- Updated: 04th May 2026
- Platform: macOS
- Contributor: The ITM Team
macOS System Time Modification
A subject modifies the macOS system date, time, time zone, network time configuration, or time server settings to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file system artifacts, application activity, shell commands, authentication events, endpoint telemetry, browser history, document access, and other evidence used to reconstruct subject activity.
On macOS systems, this behavior may involve manual changes through System Settings or command-line modification using administrative utilities such as systemsetup or date. The subject may also disable automatic time synchronization, alter the configured network time server, or change the system time zone to introduce ambiguity into local timestamps.
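A detection sketch for the command-line behaviors described above, as an added example that is not part of the original entry: it classifies process command lines that set the clock, change the time zone, toggle network time, or change the time server via systemsetup or date. The records in SAMPLE are constructed, the finding strings are illustrative, and the date check is a heuristic that assumes BSD date semantics (a bare operand sets the clock unless -j is given) and a plain `sudo` prefix without options.

```python
import shlex

# systemsetup verbs that alter time state; the -get* counterparts are read-only.
SYSTEMSETUP_VERBS = {
    "-setdate": "clock set manually",
    "-settime": "clock set manually",
    "-settimezone": "time zone changed",
    "-setusingnetworktime": "network time sync set to",
    "-setnetworktimeserver": "time server changed",
}
DATE_OPTS_WITH_VALUE = {"-r", "-v", "-f"}  # BSD date options that consume the next argument

def classify(cmdline):
    """Return a finding string for a time-altering command line, else None."""
    argv = shlex.split(cmdline)
    if argv and argv[0].rsplit("/", 1)[-1] == "sudo":
        argv = argv[1:]                      # inspect the utility, not sudo itself
    if not argv:
        return None
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if tool == "systemsetup":
        for i, a in enumerate(args):
            finding = SYSTEMSETUP_VERBS.get(a.lower())
            if a.lower() == "-setusingnetworktime":
                state = args[i + 1].lower() if i + 1 < len(args) else "unknown"
                return finding + " " + state
            if finding:
                return finding
    elif tool == "date":
        # -j (alone or in a flag cluster) means "do not set"; -v values are excluded.
        if any(a.startswith("-") and not a.startswith("-v") and "j" in a for a in args):
            return None
        skip = False
        for a in args:
            if skip:
                skip = False
            elif a in DATE_OPTS_WITH_VALUE:
                skip = True
            elif not a.startswith(("-", "+")):
                return "clock set manually"  # bare operand is treated as a new date
    return None

# Constructed process-execution records: (timestamp, user, command line).
SAMPLE = [
    ("2026-05-04T09:12:01Z", "jdoe", "sudo systemsetup -setusingnetworktime off"),
    ("2026-05-04T09:12:09Z", "jdoe", "sudo /bin/date 050103002026"),
    ("2026-05-04T09:13:40Z", "jdoe", "date +%s"),
    ("2026-05-04T09:15:02Z", "jdoe", "systemsetup -getnetworktimeserver"),
    ("2026-05-04T09:20:30Z", "jdoe", "sudo systemsetup -settimezone Pacific/Auckland"),
]

def findings(records):
    return [(ts, user, f) for ts, user, cmd in records if (f := classify(cmd))]
```

Because the recorded timestamps may themselves be affected once the clock is changed, the order in which a collector received the events is a more reliable sequence than the host-reported times.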