Detections
- ID: DT013
- Created: 30th May 2024
- Updated: 30th May 2024
- Platform: Windows
- Contributor: The ITM Team
NTFS Timestamp Discrepancy
NTFS timestamps have a precision of 100 nanoseconds. A file timestamp in which every sub-second digit is zero, such as 2023-10-10 10:10:00.000:0000, is therefore considered highly unlikely.
This may represent an anti-forensics technique where the subject has conducted timestomping to hide new files or obscure changes made to existing files.
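One way to run this check over exported file records, shown as an added example rather than code from the ITM entry: it assumes the raw 64-bit FILETIME values have already been extracted, and the field names and sample records are constructed for illustration. It flags any timestamp with a zero sub-second part and notes when all of a file's timestamps are identical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # NTFS counts 100 ns ticks since 1601-01-01 UTC
FIELDS = ("created", "modified", "accessed")  # assumed export column names

def to_filetime(utc_text, ticks=0):
    """Build a FILETIME from 'YYYY-MM-DD HH:MM:SS' (UTC) plus sub-second ticks."""
    dt = datetime.strptime(utc_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + ticks

def render(filetime):
    """Format a FILETIME with all seven sub-second digits visible."""
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)
    moment = FILETIME_EPOCH + timedelta(seconds=seconds)
    return f"{moment:%Y-%m-%d %H:%M:%S}.{ticks:07d}"

def triage(records):
    """Return (path, {zero-fraction field: rendered value}, all fields identical)."""
    findings = []
    for rec in records:
        zeroed = {f: render(rec[f]) for f in FIELDS if rec[f] % TICKS_PER_SECOND == 0}
        if zeroed:
            identical = len({rec[f] for f in FIELDS}) == 1
            findings.append((rec["path"], zeroed, identical))
    return findings

# Constructed sample records, not real evidence.
STOMPED = to_filetime("2023-10-10 10:10:00")
SAMPLE = [
    {"path": r"C:\Users\a\report.docx",
     "created": to_filetime("2023-10-09 08:15:42", 1234567),
     "modified": to_filetime("2023-10-09 09:01:07", 7654321),
     "accessed": to_filetime("2023-10-11 14:30:55", 4821930)},
    {"path": r"C:\Users\a\tool.exe",
     "created": STOMPED, "modified": STOMPED, "accessed": STOMPED},
    {"path": r"C:\Users\a\notes.txt",
     "created": to_filetime("2023-10-08 11:20:31", 5550123),
     "modified": to_filetime("2023-10-08 12:00:00"),
     "accessed": to_filetime("2023-10-12 16:45:10", 9012345)},
]

if __name__ == "__main__":
    # A whole-second value is a lead, not proof: archive extraction and copies
    # from FAT media also produce timestamps without a sub-second part.
    for path, zeroed, identical in triage(SAMPLE):
        print(path, zeroed, "ALL IDENTICAL" if identical else "")
```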
Sections
ID | Name | Description |
---|---|---|
AF003 | Timestomping | A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.
nTimestomp is part of the nTimetools repository, which provides tools for working with file timestamps on the Windows operating system. The tool lets a user provide an argument for each timestamp, and offers the option to set all timestamps to the same value.
Linux has the built-in command
The argument |