Timestomping

Last updated 2 years ago

Overview

Timestomping is the action of modifying the timestamps of a file (on Linux systems, generally on an ext3 or ext4 partition). It can notably be used to evade digital forensic investigation by making malicious files look legitimate or by placing them outside the presupposed attack timeframe.

This technique is identified by MITRE ATT&CK T1070.006.

Linux ext3 / ext4 partitions timestamps

On Linux ext3 partitions, each file and folder is associated with three timestamps:

  • atime, for access time, which corresponds to the last access to the file (but is in practice not reliably updated).

  • mtime, for modification time, which corresponds to the last modification to the file content or addition / renaming / deletion of a file in the folder.

  • ctime, for change time, which corresponds to the last modification to the file or folder's metadata (name, owner, permissions, etc.). If the content of a file / folder is modified, the ctime timestamp is also updated (in addition to the mtime timestamp).

The crtime, for creation time, was introduced on Linux ext4 partitions. This timestamp records the creation / birth time of a file or folder.

Timestomping on Linux systems

File timestamps are generally modified on Linux operating systems using the touch utility. This utility can be used to set the mtime and atime timestamps of a file or folder to the current date, to arbitrary values, or to the timestamps of a reference file.

The touch utility can also update the ctime timestamp of a file or folder, but only to the current system time. It is thus possible to set the ctime timestamp of a file or folder to an arbitrary value by changing the current system time, using touch on the given file or folder, and resetting the system time back to its previous value.

The crtime timestamp of the file or folder can however not be updated by touch. Modifying a file or folder's crtime timestamp would require accessing the disk directly (using debugfs for example), which is not doable while the filesystem is mounted.

Files or folders with mtime or ctime timestamps preceding their birth time (crtime timestamp) can thus be indicative of timestomping on ext4 partitions.

Detection of timestomping on ext4 partitions

# Finds the device on which the specified file or folder resides (second line, first column of the df output).
df <FILE | FOLDER> | (read a; read a b; echo "$a")

# Returns the inode number of the specified file or folder.
stat -c %i <FILE | FOLDER>

# Displays the crtime as well as the ctime, atime, and mtime timestamps of the specified file or folder.
# Note that the <> surrounding the inode number are mandatory.
debugfs -R 'stat <<INODE_NUMBER>>' <DEVICE>
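The rule above (mtime or ctime preceding crtime) can be applied programmatically to the text that debugfs prints. The following Python script is an added example and not part of the original notes: it parses debugfs stat output (the samples embedded below are constructed, with timestamps chosen for the example), lists which timestamps precede crtime, and additionally shows on a temporary file why ctime is the useful detection hook: os.utime (the call behind touch -d) moves mtime/atime into the past while ctime keeps the current time. It assumes that debugfs prints each timestamp as "name: 0x<seconds>:<extra> -- <date>", with the first hex field being POSIX seconds.

```python
"""Flag ext4 inodes whose mtime or ctime precedes their crtime.

Added example, not code from the original notes. Parses the text printed by
`debugfs -R 'stat <INODE>' <DEVICE>` and applies the crtime rule.
"""
import os
import re
import tempfile
import time

# debugfs prints each timestamp as "<name>: 0x<secs>:<extra> -- <date>".
# The first hex field is POSIX seconds; the second carries the nanosecond /
# epoch-extension bits of the extra inode fields, which we do not need here.
_TS_RE = re.compile(
    r"^\s*(crtime|ctime|atime|mtime):\s+0x([0-9a-f]+):([0-9a-f]+)", re.M
)


def parse_debugfs_stat(text):
    """Return {'atime', 'mtime', 'ctime'[, 'crtime']} as POSIX seconds."""
    found = {m.group(1): int(m.group(2), 16) for m in _TS_RE.finditer(text)}
    missing = {"atime", "mtime", "ctime"} - found.keys()
    if missing:
        raise ValueError(f"debugfs output lacks {sorted(missing)}")
    return found


def timestomping_indicators(ts):
    """Names of timestamps that precede crtime; [] means nothing suspicious.

    Inodes without a crtime (e.g. 128-byte inodes without extra fields)
    cannot be assessed with this rule and yield None.
    """
    crtime = ts.get("crtime")
    if crtime is None:
        return None
    return [name for name in ("mtime", "ctime") if ts[name] < crtime]


def backdate_mtime_demo(seconds_back=365 * 86400):
    """Set a temp file's mtime/atime into the past and return (mtime, ctime).

    os.utime is what `touch -d` uses: it cannot set ctime, which is updated
    to the current time by the metadata change itself, so ctime > mtime.
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        past = time.time() - seconds_back
        os.utime(path, (past, past))
        st = os.stat(path)
        return st.st_mtime, st.st_ctime
    finally:
        os.unlink(path)


# Constructed sample: an untouched file, all timestamps equal to its birth.
SAMPLE_CLEAN = """Inode: 12   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 1046516271    Version: 0x00000000:00000001
User:     0   Group:     0   Project:     0   Size: 42
Links: 1   Blockcount: 8
 ctime: 0x66342900:00000000 -- Fri May  3 00:00:00 2024
 atime: 0x66342900:00000000 -- Fri May  3 00:00:00 2024
 mtime: 0x66342900:00000000 -- Fri May  3 00:00:00 2024
crtime: 0x66342900:00000000 -- Fri May  3 00:00:00 2024
Size of extra inode fields: 32
"""

# Constructed sample: mtime/atime backdated to 2020, ctime moved by the
# touch itself, crtime still showing the real 2024 creation.
SAMPLE_STOMPED = """Inode: 13   Type: regular    Mode:  0755   Flags: 0x80000
Generation: 1046516272    Version: 0x00000000:00000001
User:     0   Group:     0   Project:     0   Size: 1337
Links: 1   Blockcount: 8
 ctime: 0x66343710:00000000 -- Fri May  3 01:00:00 2024
 atime: 0x5e0be100:00000000 -- Wed Jan  1 00:00:00 2020
 mtime: 0x5e0be100:00000000 -- Wed Jan  1 00:00:00 2020
crtime: 0x66342900:00000000 -- Fri May  3 00:00:00 2024
Size of extra inode fields: 32
"""

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("stomped", SAMPLE_STOMPED)):
        print(label, timestomping_indicators(parse_debugfs_stat(sample)))
    print("utime demo (mtime, ctime):", backdate_mtime_demo())
```

To use it on a live system, feed the output of `debugfs -R 'stat <INODE>' <DEVICE>` (run as root) to `parse_debugfs_stat`; an empty list from `timestomping_indicators` does not clear the file, since a ctime reset via the system clock trick can leave both mtime and ctime after crtime.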