# Timestomping

### Overview

Timestomping is the act of modifying the timestamps of a file or folder (on Linux systems, generally on an `ext3` or `ext4` partition). It is notably used to evade digital forensic investigation by making malicious files look legitimate, or by placing them outside the presupposed attack timeframe.

This technique is identified by [MITRE ATT\&CK T1070.006](https://attack.mitre.org/techniques/T1070/006/).

**Linux ext3 / ext4 partitions timestamps**

On Linux `ext3` partitions each file and folder is associated with three timestamps:

* `atime`, for `access time`, which corresponds to the last access to the file. It is in practice not reliably updated: most distributions mount filesystems with the `relatime` default (or `noatime`), so `atime` is only refreshed when it is older than the `mtime` / `ctime` or more than 24 hours old.
* `mtime`, for `modification time`, which corresponds to the last modification of the file content or, for a folder, to the last addition / renaming / deletion of an entry in it.
* `ctime`, for `change time`, which corresponds to the last modification of the file or folder's metadata (name, owner, permissions, link count, etc.). If the content of a file / folder is modified, the `ctime` timestamp is also updated (in addition to the `mtime` timestamp).

The `crtime`, for `creation time`, was introduced with Linux `ext4` partitions. This timestamp records the creation / birth time of a file or folder. It is stored in the extra part of 256-byte inodes, so an `ext3` filesystem converted in place to `ext4` (which keeps its 128-byte inodes) has no `crtime`.

**Timestomping on Linux systems**

Modification of file timestamps is generally conducted on Linux systems using the `touch` utility (GNU coreutils). It can set the `mtime` and `atime` timestamps of a file or folder to the current time (no option), to arbitrary values (`-t [[CC]YY]MMDDhhmm[.ss]` or `-d DATE_STRING`), or to the timestamps of a reference file (`-r REFERENCE`); `-a` and `-m` restrict the change to `atime` or `mtime` respectively.

The `touch` utility does update the `ctime` timestamp of a file or folder, but only ever to the current system time: `ctime` is set by the kernel on every inode change and no user-space interface (`utimensat(2)` included) accepts an arbitrary value for it. It is thus possible to backdate the `ctime` timestamp of a file or folder by changing the system time (`date -s`, root required), using `touch` on the given file or folder, and resetting the system time back to its previous value. The clock change is itself a trace: `settimeofday` / `clock_settime` / `adjtimex` calls are caught by the usual `auditd` `time-change` rules, time-synchronisation daemons log the step, and any other inode written during the window receives a backdated `ctime` too.

**The `crtime` timestamp of the file or folder is however not updatable by `touch`.** Modifying a file or folder's `crtime` timestamp would require writing to the inode directly on disk (with `debugfs -w` and its `set_inode_field` command, for example), which cannot be done safely while the filesystem is mounted.

Files or folders with `mtime` or `ctime` timestamps preceding their birth time (`crtime` timestamp) can thus be indicative of timestomping on `ext4` partitions. A nanosecond part of exactly zero on `atime` / `mtime` is a secondary hint: `touch -t` and `touch -d` write whole seconds, whereas files written normally on `ext4` carry a non-zero nanosecond value (files extracted from archives that store whole-second timestamps, such as `zip`, also show zeros, so this indicator needs corroboration).
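As an added example (not code from the original notes), the following bash session exercises the three `touch` forms described above on scratch files and checks the side effect that gives them away: whatever value `atime` / `mtime` receive, `ctime` is refreshed to the current clock. The helper names are made up for this demonstration; the `ctime` backdating trick with `date -s` is deliberately not automated here, since it changes the live system clock and requires root.

```bash
#!/usr/bin/env bash
# Added example, not code from the original notes: the three `touch` forms for
# setting atime/mtime, and a check that ctime still moves to the current system time.
# Function names and the scratch files are constructed for this demonstration.

# Set atime and mtime of FILE to EPOCH seconds (GNU touch, timezone-independent).
stomp_epoch() { touch -d "@$2" "$1"; }                 # usage: stomp_epoch FILE EPOCH

# Set atime and mtime with the [[CC]YY]MMDDhhmm[.ss] form, interpreted in UTC.
stomp_stamp() { TZ=UTC touch -t "$2" "$1"; }           # usage: stomp_stamp FILE 202001011200.00

# Copy atime and mtime from a reference file (blend in with neighbouring files).
stomp_like() { touch -r "$2" "$1"; }                   # usage: stomp_like FILE REFERENCE

mtime_of() { stat -c %Y "$1"; }                        # epoch seconds
ctime_of() { stat -c %Z "$1"; }                        # epoch seconds

# Succeeds when the file's ctime is within TOLERANCE seconds (default 5) of the
# current clock, i.e. when `touch` has betrayed itself by refreshing ctime.
ctime_is_now() {    # usage: ctime_is_now FILE [TOLERANCE]
    local now diff
    now=$(date +%s)
    diff=$(( now - $(ctime_of "$1") ))
    [ "$diff" -ge 0 ] && [ "$diff" -le "${2:-5}" ]
}

# Walk through the three forms on scratch files and report mtime/ctime for each.
demo() {
    local a b c f
    a=$(mktemp); b=$(mktemp); c=$(mktemp)
    stomp_epoch "$a" 1577880000            # 2020-01-01 12:00:00 UTC
    stomp_stamp "$b" 202001011200.00       # same instant, -t form
    stomp_like  "$c" "$a"                  # same instant, copied from $a
    for f in "$a" "$b" "$c"; do
        printf '%s mtime=%s ctime=%s ctime_refreshed=%s\n' \
            "$f" "$(mtime_of "$f")" "$(ctime_of "$f")" \
            "$(ctime_is_now "$f" && echo yes || echo no)"
    done
    rm -f "$a" "$b" "$c"
}

demo
```

All three files end up with `mtime=1577880000` while `ctime` equals the moment the script ran, which is exactly the `mtime` < `ctime` gap (and, for the `-t` / `-d` forms, the zero nanosecond part) that the detection section below looks for.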

### Detection of timestomping on ext4 partitions

```bash
# Finds on which device the specified file or folder resides.
df --output=source <FILE | FOLDER> | tail -n 1

# Returns the inode number of the specified file or folder.
stat -c %i <FILE | FOLDER>

# Displays the crtime as well as the ctime, atime, and mtime timestamps of the specified file or folder
# (root required). Note that the <> surrounding the inode number are mandatory.
debugfs -R 'stat <<INODE_NUMBER>>' <DEVICE>

# debugfs also accepts a path, relative to the filesystem root (not to the mount point).
debugfs -R 'stat /path/relative/to/fs/root' <DEVICE>

# On recent systems (coreutils 8.31+ and kernel 4.11+, via statx) the birth time is available without debugfs.
stat -c '%w' <FILE | FOLDER>
```
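As an added example that is not part of the original notes, the following bash script turns the checks above into something repeatable: it parses the timestamp lines of `debugfs -R 'stat <INODE>'` output (captured from a live file by `inspect_file`, which needs root and an `ext4` filesystem, or fed from a saved dump) and flags an `mtime` / `ctime` older than `crtime` as well as zero-nanosecond `atime` / `mtime` values. The function names, the `inspect_file` helper and the two sample `debugfs` dumps are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original notes: parse the timestamp lines of
# `debugfs -R 'stat <INODE>' DEVICE` output and flag timestomping indicators.
# Function names and both sample dumps below are constructed for this demonstration.

# debugfs prints each timestamp as "name: 0xSECONDS:EXTRA -- human readable".
# On ext4 the 32-bit EXTRA field stores nanoseconds in bits 2-31 and two
# epoch-extension bits in bits 0-1 (which push the seconds value past 2038).
# usage: ts_field NAME sec|nsec < debugfs_output   (NAME: ctime|atime|mtime|crtime)
ts_field() {
    local pair sec extra
    pair=$(awk -v n="$1:" '$1 == n { print $2; exit }')      # e.g. 0x5e0c89c0:1d6f3454
    [ -n "$pair" ] || return 1                                 # field absent (ext3, 128-byte inodes)
    sec=$(printf '%d' "${pair%%:*}")
    extra=$(printf '%d' "0x${pair##*:}")
    case "$2" in
        sec)  echo $(( sec + ((extra & 3) << 32) )) ;;
        nsec) echo $(( extra >> 2 )) ;;
        *)    return 2 ;;
    esac
}

# Read a debugfs stat dump on stdin, print one line per finding and a final verdict line.
check_timestomp() {
    local out crtime_s mtime_s ctime_s name ns findings=0
    out=$(cat)
    if ! crtime_s=$(printf '%s\n' "$out" | ts_field crtime sec); then
        echo "verdict: UNKNOWN (no crtime: ext3 or 128-byte inodes)"
        return 0
    fi
    mtime_s=$(printf '%s\n' "$out" | ts_field mtime sec)
    ctime_s=$(printf '%s\n' "$out" | ts_field ctime sec)
    # A file cannot have been modified, or had its metadata changed, before it was created.
    if [ "$mtime_s" -lt "$crtime_s" ]; then
        echo "mtime $mtime_s precedes crtime $crtime_s"; findings=$((findings + 1))
    fi
    if [ "$ctime_s" -lt "$crtime_s" ]; then
        echo "ctime $ctime_s precedes crtime $crtime_s"; findings=$((findings + 1))
    fi
    # `touch -t` / `touch -d` write whole seconds, so a nanosecond part of exactly zero is a
    # weaker indicator (archive extraction with whole-second timestamps produces it too).
    for name in atime mtime; do
        ns=$(printf '%s\n' "$out" | ts_field "$name" nsec) || continue
        if [ "$ns" -eq 0 ]; then
            echo "$name has a zero nanosecond part (touch -t/-d or archive extraction)"
            findings=$((findings + 1))
        fi
    done
    if [ "$findings" -gt 0 ]; then
        echo "verdict: SUSPICIOUS ($findings findings)"
    else
        echo "verdict: CLEAN"
    fi
}

# Live use (root and an ext4 filesystem required): device via df, inode via stat, then debugfs.
inspect_file() {    # usage: inspect_file PATH
    local dev ino
    dev=$(df --output=source "$1" | tail -n 1)
    ino=$(stat -c %i "$1")
    debugfs -R "stat <$ino>" "$dev" 2>/dev/null | check_timestomp
}

# Constructed dump of a stomped inode: atime/mtime/ctime set to 2020-01-01 12:00:00 UTC
# with whole-second precision, although the inode was only created on 2021-01-14.
SAMPLE_STOMPED='Inode: 131074   Type: regular    Mode:  0755   Flags: 0x80000
 ctime: 0x5e0c89c0:00000000 -- Wed Jan  1 12:00:00 2020
 atime: 0x5e0c89c0:00000000 -- Wed Jan  1 12:00:00 2020
 mtime: 0x5e0c89c0:00000000 -- Wed Jan  1 12:00:00 2020
crtime: 0x60000000:1d6f3454 -- Thu Jan 14 08:25:36 2021'

# Constructed dump of an untouched inode: created in 2020, last written in 2021, real nanoseconds.
SAMPLE_CLEAN='Inode: 131075   Type: regular    Mode:  0644   Flags: 0x80000
 ctime: 0x60000000:1d6f3454 -- Thu Jan 14 08:25:36 2021
 atime: 0x60000000:1d6f3454 -- Thu Jan 14 08:25:36 2021
 mtime: 0x60000000:1d6f3454 -- Thu Jan 14 08:25:36 2021
crtime: 0x5e0c89c0:1d6f3454 -- Wed Jan  1 12:00:00 2020'

printf '%s\n' "$SAMPLE_STOMPED" | check_timestomp
printf '%s\n' "$SAMPLE_CLEAN"   | check_timestomp
```

The nanosecond check is kept separate from the ordering check on purpose: a zero nanosecond part alone is common for unpacked archives, so it should raise the score of an inode rather than decide on its own, whereas an `mtime` or `ctime` older than `crtime` has no benign explanation on a filesystem that was never restored from a backup.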
