Your daily source of Pwnage, Policy and Politics.


Anti-Forensics with TimeStomp

If you are looking for a quick tool to reset or alter the created, written or accessed fields of a file, you might want to consider TimeStomp from the Metasploit Anti-Forensics project.

This tool is purported to be the first ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified. Not only can this throw off an administrator's simple scan of a directory, it can also confuse a forensic investigator.

The syntax of the utility is given in its usage information:
———————————————————
If you mix a lot of options, the behavior is unpredictable. All times should be entered in local time because the utility automatically converts to UTC time.
TimeStomp <filename> [options]
<filename> the name of the file you wish to modify; you may need to surround the full path in ""
options:
-m M, set the "last written" time of the file
-a A, set the "last accessed" time of the file
-c C, set the "created" time of the file
-e E, set the "mft entry modified" time of the file
-z set all four attributes (MACE) of the file
time format: "DayofWeek Month\Day\Year HH:MM:SS [AM|PM]"
-f F, set the MACE timestamps of the file equal to those of file F; the time stamps change, but file attributes are unchanged
-b set the MACE timestamps so that EnCase shows blanks
-r same as -b except it works recursively on a directory (aka the Craig option)
-v show the UTC (non-local time) MACE values for the file
-h show this menu, help
examples:
1) sets the "last written" attribute of targetfile.txt
TimeStomp targetfile.txt -m "Monday 7/25/2005 5:15:55 AM"
2) sets all four MACE attributes of targetfile.txt
TimeStomp targetfile.txt -z "Saturday 10/08/2005 2:34:56 PM"
3) set the MACE attributes of targetfile.txt equal to srcfile.exe
TimeStomp targetfile.txt -f srcfile.exe
4) set the MACE attributes of targetfile.txt equal to values that EnCase doesn't know how to display
TimeStomp targetfile.txt -b
5) show the MACE attributes of targetfile.txt
TimeStomp targetfile.txt -v

Running the tool was simple enough, and the results are clear enough to see how this can cause a forensic examiner some trouble.

C:\>dir /ta
Volume in drive C has no label.
Volume Serial Number is

Directory of C:\

09/19/2006 05:50 PM 0 AUTOEXEC.BAT

C:\>timestomp c:\autoexec.bat -b

To view when the file was supposedly created after running timestomp, use the following:

C:\>dir /t:c
Volume in drive C has no label.
Volume Serial Number is

Directory of C:\

01/01/1601 12:00 AM 0 AUTOEXEC.BAT

To view when the file was supposedly last accessed after running timestomp, use the following:

C:\>dir /t:a
Volume in drive C has no label.
Volume Serial Number is

Directory of C:\

01/01/1601 12:00 AM 0 AUTOEXEC.BAT

To view when the file was supposedly last written after running timestomp, use the following:

C:\>dir /t:w
Volume in drive C has no label.
Volume Serial Number is

Directory of C:\

01/01/1601 12:00 AM 0 AUTOEXEC.BAT

Let's check the date and time:
C:\>time
The current time is: 18:25:45.21

C:\>date
The current date is: Tue 09/19/2006

Given this, any file we touch now should carry today's date and a time close to the current time.

Now let's change the time this file was last written (the -m option) with the following:

C:\>timestomp c:\autoexec.bat -m "Sunday 11/19/2006 12:12:12 PM"

The results of our timestomp command are as follows:

C:\>dir /t:w
Volume in drive C has no label.
Volume Serial Number is

Directory of C:\

11/19/2006 12:12 PM 0 AUTOEXEC.BAT
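The two runs above leave traces an examiner can look for: the -b run sets every MACE value to 01/01/1601 12:00 AM, which is what dir prints for a FILETIME of zero (the NTFS epoch), and the -m run stamps a last-written time two months ahead of the system clock. The script below is an added example, not part of the original post and not code from the Metasploit project. It parses the three dir views (/t:c, /t:a, /t:w) over a constructed listing that mimics the session above, and flags epoch-zero timestamps and timestamps that lie in the future relative to a reference clock (here the 09/19/2006 18:25:45 reading from the page). The second file, NTLDR, and its values are invented for the sample.

```python
import re
from datetime import datetime

# Constructed sample: the same directory as seen by "dir /t:c", "dir /t:a"
# and "dir /t:w". AUTOEXEC.BAT carries the epoch-zero values left by
# "timestomp -b"; NTLDR has a last-written time set ahead of the clock, as
# the "-m" run on the page does. CONFIG.SYS is untouched.
SAMPLE_LISTINGS = {
    "created": """\
 Directory of C:\\

01/01/1601  12:00 AM                 0 AUTOEXEC.BAT
09/19/2006  05:50 PM             1,024 CONFIG.SYS
09/19/2006  05:51 PM           250,048 NTLDR
""",
    "accessed": """\
01/01/1601  12:00 AM                 0 AUTOEXEC.BAT
09/19/2006  06:01 PM             1,024 CONFIG.SYS
09/19/2006  06:02 PM           250,048 NTLDR
""",
    "written": """\
01/01/1601  12:00 AM                 0 AUTOEXEC.BAT
09/19/2006  05:50 PM             1,024 CONFIG.SYS
11/19/2006  12:12 PM           250,048 NTLDR
""",
}

# Reference clock: the "time" and "date" output shown on the page.
REFERENCE_NOW = datetime(2006, 9, 19, 18, 25, 45)

# FILETIME 0 is 1601-01-01 00:00:00, which dir renders as 01/01/1601 12:00 AM.
NTFS_EPOCH = datetime(1601, 1, 1)

# One dir line: date, time, size or <DIR>, then the file name.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(\S.*?)\s*$"
)


def parse_listing(text):
    """Return {filename: datetime} for the entries of one dir /t:x listing.

    Header and blank lines do not match LINE_RE and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date_part, time_part, _size, name = m.groups()
        entries[name] = datetime.strptime(f"{date_part} {time_part}", "%m/%d/%Y %I:%M %p")
    return entries


def detect_timestomping(listings, now=REFERENCE_NOW):
    """Return sorted (filename, view, reason) tuples for suspicious timestamps.

    listings maps a view name ("created", "accessed", "written") to the raw
    text of the matching dir output.
    """
    findings = []
    for view, text in listings.items():
        for name, stamp in parse_listing(text).items():
            if stamp == NTFS_EPOCH:
                findings.append((name, view, "epoch-zero timestamp (FILETIME 0)"))
            elif stamp > now:
                findings.append((name, view, "timestamp later than the system clock"))
    return sorted(findings)


if __name__ == "__main__":
    for name, view, reason in detect_timestomping(SAMPLE_LISTINGS):
        print(f"{name:<14} {view:<9} {reason}")
```

Both checks are indicators rather than proof: a future timestamp can come from a wrong clock on the machine that wrote the file, so the findings are a prompt to pull the MFT entry and compare its timestamp sets, not a verdict on their own.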
