# Timestomping

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on:** [**artefacts.help**](https://artefacts.help/)**.**

### Overview

Timestomping is the action of modifying the timestamps of a file (on Windows systems, on a `NTFS` partition). It can notably be used to evade digital forensic investigation by making malicious files look legitimate or being out of the presupposed attack timeframe.

This technique is identified by [MITRE ATT\&CK T1070.006](https://attack.mitre.org/techniques/T1070/006/).

The `MACB` timestamps in the `$STANDARD_INFORMATION` attributes can be modified by standard users while the `$FILENAME` attributes can only be modified by / through the Windows kernel. The modification of a file `$STANDARD_INFORMATION` attribute requires the rights to modify the file attributes (`FullControl`, `Modify`, `Write`, `WriteAttributes`) which is granted by default to the file owner.

Note that in addition to being the ones that can be easily modified, the `MACB` timestamps from the `$STANDARD_INFORMATION` attribute are conveniently the ones (generally) displayed by the `Windows Explorer`.

For more information on Windows timestamps, refer to the `[DFIR] Windows - Artefacts - Timestamps` note.

### Timestomping detection

Most of timestomping detections below rely on information stored in the `$MFT` file. Refer to the `[DFIR] Windows - MFT` note for more information on how to parse the `$MFT` artefact.

**MFT $STANDARD\_INFORMATION vs $FILENAME**

Timestomping can be detected by comparing the `$STANDARD_INFORMATION` and `$FILENAME` timestamps of a given file in the `MFT`. Indeed, if the timestamps from `$STANDARD_INFORMATION` (easily modifiable) are older than the `$FILENAME` timestamps (not (easily) modifiable), the file timestamps may have been timestomped.

\*\***However, as the `$FILENAME`** **`MAB` timestamps are updated / copied from the `$STANDARD_INFORMATION`** **`MAB` timestamps on file rename or volume-local file move, `$FILENAME` timestamps can also be (undirectly) tampered.**

Additionally, This detection method is however prone to false-positives as some applications or installers may modify the `$STANDARD_INFORMATION` timestamps.

`MFTECmd` can be used to parse the `MFT` of a `NTFS` volume and automatically highlight the files having `$STANDARD_INFORMATION` timestamps older than their `$FILENAME` timestamps.

**UsnJrnl records**

Data from the `UsnJrnl` artefact may reveal recent operations on timestomped files. For instance, a `USN_REASON_FILE_CREATE` record logged in the `UsnJrnl` for a seemingly older file could be an indicator of timestomping.

Additionally, an `USN_REASON_BASIC_INFO_CHANGE` (+ `USN_REASON_CLOSE`) record would be logged in the `UsnJrnl` following the timestomping of a file. The presence of such indicator is however not necessarily a strong indicator of timestomping as many other attributes change would also trigger a similar record to be logged in the `UsnJrnl`.

This detection method is however prone to false-negatives as the `UsnJrnl` has usually limited historical data.

Refer to the `[DFIR] Windows - UsnJrnl` note for more information on how to parse the `UsnJrnl` artefact.

**MFT $STANDARD\_INFORMATION timestamps precision**

The timestomping tool used may have limitation on the time precision they it for timestomped timestamps. For example, the tool may only allow precision down to the second level, while the `$STANDARD_INFORMATION` timestamps are precise down to the ten millionths of a second. In such case, the timestomped timestamps will be padded with zeros in place of the actual milli-seconds: `YYYY-MM-DD hh:mm:ss.0000000`.

This detection method is however prone to false-positives as some utilities or file formats, such as file-archives, may truncate timestamps down the second level.

**MFT entry numbers**

`$MFT` entry numbers grow sequentially, with older files generally having lower entry numbers than more recent files. The `$MFT` entry numbers should thus grow linearly with the `$STANDARD_INFORMATION` created / birth timestamp (with usual exceptions in the days-range: files older by a few days may have slightly higher entry numbers than relatively more recent files).

This detection method is however prone to false-positives as `$MFT` entry numbers of deleted files may be re-used (especially for `NTFS` partitions on SSDs).

***

### References

<https://dfir.ru/2021/01/10/standard\\_information-vs-file\\_name/>

<https://medium.com/@bromiley/a-journey-into-ntfs-part-4-f2865c39ac83>

<https://www.andreafortuna.org/2017/10/06/macb-times-in-windows-forensic-analysis/>

<https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download>

<https://www.sans.org/blog/digital-forensics-detecting-time-stamp-manipulation/>

<https://www.osforensics.com/faqs-and-tutorials/how-to-scan-ntfs-i30-entries-deleted-files.html>

<https://alexsta-cybersecurity.com/how-to-detect-timestomping-on-a-windows-system/>

<https://www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/>

<https://www.youtube.com/watch?v=XzoYNOlJ37s>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.qazeer.io/dfir/windows/ttps_analysis/timestomping.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.