Showing posts from April, 2022

Defence Evasion Technique: Timestomping Detection – NTFS Forensics

Forensic analysts are often taught two methods for detecting file timestomping that can lead to blind spots in an investigation. The two most well-taught methods for analysts to detect timestomping are:

1. Compare the $STANDARD_INFORMATION timestamps vs the $FILE_NAME timestamps in the Master File Table (MFT)
2. Look for nanoseconds in a timestamp matching “0000000”, as this often shows the use of an automated tool (e.g. Metasploit)

These two detection methods are based on two fallacies that I will explore in this blog post:

Myth 1: $FILE_NAME timestamps cannot be timestomped
Myth 2: Attacker tools cannot alter nanoseconds in a timestamp

INTRODUCTION TO TIMESTOMPING

Timestomping is a technique where the timestamps of a file are modified for defence evasion. Threat actors often perform this technique to blend malicious files with legitimate files so that when an analyst is performing IR, critical evidence escapes detection. Timestomping using tools like Cobalt Strike (offensive-security to

Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping

Registry artifact timestamps are extremely important to an incident response investigation. Threat actors may hide persistence mechanisms within the registry or modify registry values to disable Antivirus and other security tools. Knowing the time registry values are set/modified is very important to the overall investigation, especially when faced with answering questions pertaining to…

Why did <security_tool> not detect the threat?
What files did the threat actors recently view?
What folders did the threat actors open?
When was the persistence mechanism installed in the registry?
And many other questions that are important to an investigation…

The idea of timestomping / time manipulation of a registry key’s ‘Last Write’ is a topic that has not been comprehensively covered in DFIR write-ups, with most timestomping write-ups focused on timestomping of files via manipulation of the $STANDARD_INFORMATION time. There exists a native Windows API “NtSetInformationKey” that allows a