Detections
- Home
- - Detections
- -DT093
- ID: DT093
- Created: 27th July 2024
- Updated: 27th July 2024
- Platform: Windows
- Contributors: Joshua Phillips, The ITM Team
MFT and Shimcache Executable Timestamp Comparison
By extracting and comparing timestamps from MFT and Shimcache, it is possible to identify inconsistencies that could represent timestomping in relation to executable files.
The Application Compatibility Cache (referred to as Shimcache) records a value for the Last Modified Time when an executable file is last run. The Master File Table (MFT) contains information about every file and directory on an NTFS volume. Each file or directory is represented by an MFT entry, which stores metadata about the file, including modified, accessed, and created timestamps.
If the Shimcache timestamp indicates a file was run at a certain time but the MFT shows a different or much later modification timestamp, this would be considered unexpected.
Sections
ID | Name | Description |
---|---|---|
AF003 | Timestomping | A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.
nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.
Linux has the built-in command
The argument |