Concealing Digital Footprints: An Introduction to Timestomp

Hajus
3 min read, May 27, 2023


Interacting with file systems often leaves traces, just like walking in the snow. Digital forensics is the art of analyzing these artifacts, but during penetration tests, it can be desirable to make it difficult for forensic analysts to uncover our actions. In this article, we will explore the concept of timestomp, a tool that allows us to manipulate the timestamps of files, enabling us to hide our tracks.

Avoiding Detection: To evade detection during a forensic investigation, the best strategy is to avoid touching the file system altogether. Meterpreter, a powerful tool, operates in memory without writing anything to disk, significantly reducing the traces it leaves behind. However, in certain cases, interaction with the file system becomes necessary. This is where timestomp comes into play.

Understanding Timestamps: Before delving into timestomp, let’s examine the MAC (Modified, Accessed, Changed) times of a file on a system. By looking at the timestamps of a file named “hajus.txt,” we can gain insights into its history:

File Path: C:\Documents and Settings\P0WN3D\My Documents\hajus.txt
Created Date: 22/5/2023 2:30:08 AM
Last Accessed: 22/5/2023 2:31:39 AM
Last Modified: 22/5/2023 2:30:36 AM

Using Timestomp: To illustrate the usage of timestomp, we’ll exploit the system and establish a Meterpreter session. Then, with the timestomp module loaded, we can manipulate the timestamps of files. Let’s explore two scenarios:

  1. Blending In: Suppose we want the “hajus.txt” file to blend in with another file on the system. We can achieve this by setting the MAC times of “hajus.txt” to match those of “cmd.exe” using the command:
meterpreter > timestomp hajus.txt -f C:\\WINNT\\system32\\cmd.exe

Now, the modified, accessed, created, and entry modified times of “hajus.txt” will resemble those of “cmd.exe.” This technique helps hide the true age and activity of the file.

  2. Making Detection Harder: In some cases, blending in is not feasible, and our objective is to obfuscate when changes occurred. Timestomp offers the option to blank out the MAC times of a file using the “-b” flag. For example:
meterpreter > timestomp hajus.txt -v
Modified : Tue Dec 07 08:00:00 -0500 1999
Accessed : Sun May 03 05:16:20 -0400 2009
Created : Tue Dec 07 08:00:00 -0500 1999
Entry Modified: Sun May 03 05:11:16 -0400 2009

meterpreter > timestomp hajus.txt -b
[*] Blanking file MACE attributes on hajus.txt
meterpreter > timestomp hajus.txt -v
Modified : 2106-02-06 23:28:15 -0700
Accessed : 2106-02-06 23:28:15 -0700
Created : 2106-02-06 23:28:15 -0700
Entry Modified: 2106-02-06 23:28:15 -0700

After executing this command, the MAC times of “hajus.txt” are zeroed out, making it challenging for investigators to determine when changes were made. When parsing the MAC times, timestomp now lists them as having been created in the year 2106! This is very interesting, as some poorly written forensic tools have the same problem and will crash when they come across entries like this. Let’s see how the file looks in Windows.

File Path: C:\Documents and Settings\P0WN3D\My Documents\hajus.txt
Created Date: 1/1/1601
Last Accessed: 5/3/2009 3:21:13 AM
Last Modified: 1/1/1601

Very interesting! But don’t get overconfident: the detection of timestomping and the subsequent analysis of tampered timestamps can be valuable in a forensic investigation. While timestomping can make it more challenging to determine the exact timeline of events and attribute actions to specific individuals, detecting it does not on its own guarantee that the attacker is identified.

However, the detection of timestomping can be a crucial piece of evidence that helps investigators in the broader investigation. By identifying tampered timestamps, investigators can focus on other sources of evidence, such as log files, network traffic, system artifacts, or other forensic techniques, to build a comprehensive picture of the attack and potentially identify the attacker.
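As an added example (not part of the original article), here is a small Python check of the kind an analyst might run over raw NTFS FILETIME values pulled from the MFT. It converts FILETIME with 64-bit arithmetic, so a blanked value renders as 1601-01-01 rather than a wrong year like the 2106 shown above, and it flags two indicators: the all-zero "blanked" value and timestamps with no sub-second ticks (a heuristic for times written by a tool working at one-second resolution, not something the article states). The sample MACE values are constructed, modelled on the hajus.txt listing above.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a raw FILETIME to an aware UTC datetime using full 64-bit
    arithmetic (no 32-bit Unix-time wrap). Ticks below 1 us are dropped."""
    if ticks < 0:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Inverse of filetime_to_datetime; extra_ticks adds 100 ns units below
    the microsecond resolution that datetime can carry."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10 + extra_ticks


def timestomp_indicators(mace: dict) -> list:
    """Return findings for a file's four MACE values (name -> FILETIME ticks).
    Heuristics (this example's own, not from the article):
      * 0 is the blanked value; Windows renders it as 1/1/1601.
      * kernel-set NTFS times carry sub-second ticks, so an exact whole
        second suggests the time was set through an API at one-second
        resolution (false positives: files copied from FAT volumes)."""
    findings = []
    for name, ticks in mace.items():
        if ticks == 0:
            findings.append(f"{name}: zero FILETIME (blanked, renders as 1601-01-01)")
        elif ticks % TICKS_PER_SECOND == 0:
            findings.append(f"{name}: exact whole second, no sub-second ticks")
    return findings


# Constructed sample: genuine kernel-set times with sub-second ticks, then the
# same file after all four values have been blanked.
UTC = timezone.utc
GENUINE = {
    "Modified": datetime_to_filetime(datetime(2023, 5, 22, 2, 30, 36, 481263, UTC), 7),
    "Accessed": datetime_to_filetime(datetime(2023, 5, 22, 2, 31, 39, 102945, UTC), 3),
    "Created": datetime_to_filetime(datetime(2023, 5, 22, 2, 30, 8, 917730, UTC), 1),
    "Entry Modified": datetime_to_filetime(datetime(2023, 5, 22, 2, 30, 36, 481263, UTC), 7),
}
BLANKED = {name: 0 for name in GENUINE}
```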

Conclusion: Timestomp is a valuable tool for manipulating file timestamps during penetration tests. It allows us to either blend in with existing files or make it difficult for investigators to determine when changes occurred. However, it is crucial to understand that manipulating timestamps does not fully erase all traces, as the act of checking file information can alter the last accessed time. Careful consideration and expertise are necessary when dealing with MAC times to ensure effective concealment of digital footprints.
