ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT093
  • Created: 27th July 2024
  • Updated: 27th July 2024
  • Platform: Windows
  • Contributors: Joshua Phillips, The ITM Team

MFT and Shimcache Executable Timestamp Comparison

By extracting and comparing timestamps from MFT and Shimcache, it is possible to identify inconsistencies that could represent timestomping in relation to executable files.

 

The Application Compatibility Cache (referred to as Shimcache) records a value for the Last Modified Time when an executable file is last run. The Master File Table (MFT) contains information about every file and directory on an NTFS volume. Each file or directory is represented by an MFT entry, which stores metadata about the file, including modified, accessed, and created timestamps.

 

If the Shimcache timestamp indicates a file was run at a certain time but the MFT shows a different or much later modification timestamp, this would be considered unexpected.

Sections

ID Name Description
AF003Timestomping

A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.

 

nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.

 

Linux has the built-in command touch that has functionality that allows a user to update the access and modified dates of a file. The command can be run like this:

touch -a -m -d ‘10 February 2001 12:34' <file>

The argument -a refers to the access time, -m refers to the modify time, and -d refers to the date applied to the target file.