
Insider Threat Matrix™

  • ID: DT013
  • Created: 30th May 2024
  • Updated: 30th May 2024
  • Platform: Windows
  • Contributor: The ITM Team

NTFS Timestamp Discrepancy

NTFS stores each timestamp as a 64-bit FILETIME value counting 100-nanosecond intervals, so a file written by normal system activity almost never lands on an exact whole second. A timestamp such as 2023-10-10 10:10:00.0000000, with every sub-second digit zero, is therefore unlikely to have been set by the file system itself and is a candidate for closer review.

This may represent an anti-forensics technique where the subject has timestomped the file to hide new files or obscure changes made to existing files. Timestomping tools that accept a time only to the second leave exactly this pattern, because the fractional part is never set. The indicator is not conclusive on its own: files copied from FAT volumes or extracted from ZIP archives also carry zeroed fractions, since those formats store modification times at whole-second or 2-second granularity. Where raw $MFT access is available, compare the $STANDARD_INFORMATION timestamps (writable through the SetFileTime API, and so by timestomping tools) with the $FILE_NAME timestamps, which only the kernel updates on create, rename or move; a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time is a stronger sign of backdating.
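As an added example (not code from the ITM page or from any tool it mentions), the following PowerShell function walks a directory tree and reports files whose timestamps show the pattern described above: a zeroed sub-second fraction on any of the three Win32-visible timestamps, or a creation time later than the last-write time. The function name, parameter names and reason strings are this example's own choices; the check relies only on the .NET DateTime.Ticks property, which counts the same 100-nanosecond intervals as the NTFS FILETIME.

```powershell
# Added example; not part of the ITM page or of nTimetools.
# Flags files whose $STANDARD_INFORMATION timestamps look artificial:
#   - a timestamp whose sub-second part is exactly zero (Ticks are 100 ns,
#     so a file written by normal activity rarely lands on a whole second)
#   - a creation time later than the last-write time
# Function name, parameters and reason strings are this example's own.

function Find-TimestampDiscrepancy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    $ticksPerSecond = 10000000   # number of 100 ns ticks in one second

    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $reasons = @()

            # Check each Win32-visible timestamp for an all-zero fraction.
            foreach ($prop in 'CreationTimeUtc', 'LastWriteTimeUtc', 'LastAccessTimeUtc') {
                $ts = $file.$prop
                if ($ts.Ticks % $ticksPerSecond -eq 0) {
                    $reasons += "$prop has zero sub-second ticks"
                }
            }

            # A file is not normally modified before it exists (but see the
            # usage note: copies legitimately produce this ordering).
            if ($file.CreationTimeUtc -gt $file.LastWriteTimeUtc) {
                $reasons += 'CreationTime later than LastWriteTime'
            }

            if ($reasons.Count -gt 0) {
                # The 'o' format prints all seven fractional digits, so the
                # zeroed fraction is visible directly in the output.
                [pscustomobject]@{
                    FullName       = $file.FullName
                    CreationTime   = $file.CreationTimeUtc.ToString('o')
                    LastWriteTime  = $file.LastWriteTimeUtc.ToString('o')
                    LastAccessTime = $file.LastAccessTimeUtc.ToString('o')
                    Reasons        = ($reasons -join '; ')
                }
            }
        }
}

# Usage:
# Find-TimestampDiscrepancy -Path 'C:\Users' -Recurse | Format-Table -AutoSize
```

Run it with the -Recurse switch against a user profile or a suspected staging directory and triage the output by path: hits under archive-extraction or removable-media locations are expected, and a creation time later than the last-write time is routine for copied files, because a copy receives a fresh creation time but keeps the source's modification time. The function only reads file metadata; it never writes to the files it inspects.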

Sections

ID: AF003
Name: Timestomping
Description: A subject modifies the modified, accessed and created (MAC) file time attributes to hide new files or obscure changes made to existing files, hindering an investigation by removing a file or files from the timeframe in scope.

nTimestomp is part of the nTimetools repository, which provides tools for working with file timestamps on the Windows operating system. The tool accepts a separate argument for each timestamp and also offers an option to set all timestamps to the same value.

Linux has the standard command touch, which can update the access and modification times of a file. The command can be run like this:

touch -a -m -d '10 February 2001 12:34' <file>

The argument -a selects the access time, -m the modification time, and -d the date and time to apply to the target file. Because no sub-second value is supplied, the resulting timestamps have a zero fraction, the same pattern discussed above. touch cannot set the change time (ctime), which the kernel updates to the current time whenever the inode is modified, including by touch itself, nor the birth time on file systems that record one; both remain available to an investigator as a cross-check.