Timestomp - Change NTFS Timestamp values


Singh
August 16th, 2005, 06:10 AM
First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.


Download - [http://metasploit.com/projects/antiforensics/timestomp.zip]

Source - [http://metasploit.com/projects/antiforensics/]
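A worked check to go with the description above, added here and not part of the original thread or of the Metasploit anti-forensics project: given the four $STANDARD_INFORMATION timestamps of an MFT record (created, modified, entry modified, accessed) plus the $FILE_NAME copies, flag the two common signs that the values were written by a tool rather than by the file system. The record layout, field names and sample values are constructed for the example; the heuristics (whole-second values, $SI creation earlier than $FN creation) are general forensic leads and are my assumptions about how one would look for such a tool's output, not anything the thread states.

```python
"""Flag NTFS timestamp sets that look tool-set rather than kernel-set.

Added example, not code from the thread or the Metasploit project.
The MFT records below are constructed by hand, not parsed from a volume;
"si"/"fn" and the two heuristics are assumptions about how such a check
would be written.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_modified", "accessed")  # the four values


def filetime_to_datetime(ft: int) -> datetime:
    """NTFS stores times as 64-bit counts of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def ft(year, month, day, hour, minute, second, microsecond=0, extra_ticks=0) -> int:
    """Build a FILETIME from calendar fields plus 0-9 extra 100 ns ticks
    (finer than datetime's microsecond resolution)."""
    dt = datetime(year, month, day, hour, minute, second, microsecond, tzinfo=timezone.utc)
    return datetime_to_filetime(dt) + extra_ticks


def has_zero_fraction(ft_value: int) -> bool:
    """True when the sub-second part is exactly zero (a whole-second value)."""
    return ft_value % 10_000_000 == 0


def timestomp_indicators(record: dict) -> list:
    """Return the indicators found for one record {"si": {...}, "fn": {...}}.

    1. All four $SI values are whole seconds. Kernel-written timestamps carry
       a non-zero 100 ns remainder; a tool that takes a time string with
       one-second resolution cannot produce one.
    2. $SI creation precedes $FN creation. A tool that rewrites $SI only
       leaves the kernel-written $FN values alone. Copies that preserve the
       original creation time also trigger this, so treat it as a lead.
    """
    si, fn = record["si"], record["fn"]
    found = []
    if all(has_zero_fraction(si[f]) for f in FIELDS):
        found.append("all $SI timestamps have zero sub-second fraction")
    if si["created"] < fn["created"]:
        found.append("$SI creation earlier than $FN creation")
    return found


def scan(records: dict) -> dict:
    """Map file name -> indicator list; an empty list means nothing suspicious."""
    return {name: timestomp_indicators(rec) for name, rec in records.items()}


# Constructed sample records (assumed values, not from a real volume).
SAMPLE_RECORDS = {
    # Kernel-written: non-zero tick remainders, $SI creation == $FN creation.
    "report.doc": {
        "si": {"created": ft(2005, 8, 16, 6, 10, 23, 412871, 3),
               "modified": ft(2005, 8, 16, 9, 2, 5, 98120, 7),
               "mft_modified": ft(2005, 8, 16, 9, 2, 5, 98120, 7),
               "accessed": ft(2005, 8, 17, 14, 17, 40, 5500, 1)},
        "fn": {f: ft(2005, 8, 16, 6, 10, 23, 412871, 3) for f in FIELDS},
    },
    # Stomped: all four $SI values set to a whole second in 2003, $FN untouched.
    "svchost.exe": {
        "si": {f: ft(2003, 1, 15, 12, 0, 0) for f in FIELDS},
        "fn": {f: ft(2005, 8, 16, 20, 31, 9, 771002, 4) for f in FIELDS},
    },
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RECORDS).items():
        print(f"{name:12s} {'SUSPICIOUS' if hits else 'ok':10s} {'; '.join(hits)}")
```

Both indicators are leads, not proof: a backup restore or a copy that preserves timestamps can reproduce the second one, and a later tool that writes full-precision values defeats the first. The useful part is that neither check depends on trusting the $SI values themselves.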

mmkhan
August 16th, 2005, 12:06 PM
Wow, a good list of tools there


Timestomp - First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.

Slacker - First ever tool that allows you to hide files within the slack space of the NTFS file system.

Transmogrify - First ever tool to defeat EnCase's file signaturing capabilities by allowing you to mask and unmask your files as any file type. (Coming Soon)

Sam Juicer - A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting disk. (Coming Soon)


Thanks

phishphreek
August 16th, 2005, 02:30 PM
Just curious... but what LEGITIMATE use could this tool have?
Besides "research" or trying to hide your actions or frame someone?

cacosapo
August 16th, 2005, 02:59 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269947#post854655) by phishphreek80
Just curious... but what LEGITIMATE use could this tool have?
Besides "research" or trying to hide your actions or frame someone?
Education.
You can use timestomp in a classroom to show how hard it can be to follow an intruder's footprints :)

XTC46
August 16th, 2005, 07:14 PM
Just curious... but what LEGITIMATE use could this tool have?

I was wondering the same thing.

ttau
August 16th, 2005, 07:24 PM
It would seem the existence of a tool like this would be enough to raise reasonable doubt in a trial.

phishphreek
August 16th, 2005, 10:48 PM
ttau: that's exactly what I was thinking... hence my "or frame someone".
This tool's existence could certainly raise reasonable doubt... especially if it is easily found on the PC...

mmkhan
August 17th, 2005, 05:08 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269947#post854655) by phishphreek80
Just curious... but what LEGITIMATE use could this tool have?
Besides "research" or trying to hide your actions or frame someone?
Mainly for user awareness. I think you haven't gone through one of the presentations present there. The presentation is quite interesting, describing various techniques and then anti-techniques.
Presentation: http://metasploit.com/projects/antiforensics/BH2005-Catch_Me_If_You_Can.ppt

ttau
August 17th, 2005, 05:37 AM
The glove doesn't fit, raised reasonable doubt, an obviously guilty killer walks free, there are no legitimate reasons for a program like this to exist, nothing becomes provable, what do you do when you can't trust the information sitting right in front of you? What are the defences to this? If there are any. The people that come up with these kind of things are obviously way above average intelligence, what a waste, go find a cure for cancer or something.

mmkhan
August 17th, 2005, 06:24 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269947#post854737) by ttau
The glove doesn't fit, raised reasonable doubt, an obviously guilty killer walks free, there are no legitimate reasons for a program like this to exist, nothing becomes provable, what do you do when you can't trust the information sitting right in front of you? What are the defences to this? If there are any. The people that come up with these kind of things are obviously way above average intelligence, what a waste, go find a cure for cancer or something.

You are 100% right, but on the other hand, if there are weaknesses in our defences and we are relying on them so much, it is giving us a false sense of security. There must be other ways to tackle such problems, as 'necessity is the mother of invention'. I totally agree with your point that it is not a proper way to release such information into the wild. But instead of blaming them, we have to make our defences strong.


Thanks

phishphreek
August 17th, 2005, 12:42 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269947#post854736) by mmkhan
Mainly for user awareness. I think you haven't gone through one of the presentations present there. The presentation is quite interesting, describing various techniques and then anti-techniques.
Presentation: http://metasploit.com/projects/antiforensics/BH2005-Catch_Me_If_You_Can.ppt

You're right... I was blocked by websense when I was reading this at work.
I hate that ****ing thing! :(

hogfly
August 17th, 2005, 02:17 PM
Interesting bit on timestomp. The thing is, timestamps have always been a hard thing to base an investigation off of or even use in one. touch, perl-fu... pick any ol' way you want to modify a timestamp and you can do it. The nice thing is that this tool hits the MFT entry time (or E, as they call it) as well.
The presentation was very well done and incredibly true. I can only hope that vendors are paying attention to the work these guys are doing. One thing they didn't mention was TSK or any Linux-based tools.

Fooling signature detection was an interesting piece. It may fool the casual observer, but the MZ in an exe isn't the only piece in the header of an executable that's used to detect it. It's typically the default used in the magic file, but that's not the only indicator. In addition, I would imagine that tools that sort by mismatched extensions and the output of `file` with a specific magic file would take care of this issue.
I'll have to play around with FTK and other tools and transmogrify when it's released.
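To illustrate the point made in the post above, here is an added example, not code from the thread and not how EnCase, FTK or Transmogrify actually work: a magic-only signature table is compared with a check that follows the PE header chain (the e_lfanew field at offset 0x3C pointing at the "PE\0\0" signature), and both are run through a mismatched-extension sort. The sample files are constructed byte strings, and the file names and type labels are assumptions made for the example.

```python
"""Compare magic-only file typing with a structure-aware check for Win32 PE.

Added example, not code from the thread or from any forensic product. All
sample files are constructed byte strings; names and labels are assumed.
"""
import struct

# Magic-only table: the kind of rule that overwriting a few leading bytes defeats.
MAGIC_ONLY = {
    b"MZ": "exe",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
}


def identify_by_magic(data: bytes) -> str:
    for magic, kind in MAGIC_ONLY.items():
        if data.startswith(magic):
            return kind
    return "data"


def pe_signature_offset(data: bytes):
    """Follow e_lfanew (little-endian uint32 at 0x3C) and return the offset of
    the 4-byte 'PE\\0\\0' signature, or None. Bytes 0-1 are deliberately not
    required to be 'MZ', so a PE whose magic was overwritten is still found."""
    if len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return None
    return e_lfanew if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" else None


def is_printable_text(data: bytes) -> bool:
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def identify(data: bytes) -> str:
    """Structure-aware identification: the header chain decides, not the magic."""
    if pe_signature_offset(data) is not None:
        return "exe"  # chain intact, whatever the first bytes claim
    if data.startswith(b"MZ"):
        # 'MZ' without a PE signature is not a Win32 executable (a 16-bit DOS
        # program would also land here; this check is aimed at PE files).
        return "txt" if is_printable_text(data) else "data"
    return identify_by_magic(data)


def extension_mismatches(files: dict, identifier) -> list:
    """(name, claimed, detected) for each file whose extension disagrees with
    identifier(), the way a mismatched-extension sort would list them."""
    out = []
    for name, data in files.items():
        claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        detected = identifier(data)
        if claimed != detected:
            out.append((name, claimed, detected))
    return out


def minimal_pe() -> bytes:
    """Constructed 0x80-byte blob with a valid MZ -> e_lfanew -> PE\\0\\0 chain.
    Header only; it cannot execute."""
    blob = bytearray(0x80)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)  # e_lfanew -> 0x40
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


def mask_as_jpeg(pe: bytes) -> bytes:
    """Overwrite the first three bytes with the JPEG SOI marker sequence, the
    sort of masking a magic-only check accepts at face value."""
    return b"\xff\xd8\xff" + pe[3:]


# Constructed samples (not real files).
SAMPLE_FILES = {
    "notepad.exe": minimal_pe(),                                      # genuine PE
    "holiday.jpg": mask_as_jpeg(minimal_pe()),                        # PE masked as JPEG
    "notes.txt": b"MZ" + b"meeting minutes, nothing to see here\n" * 4,  # text with MZ prepended
    "photo.exe": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,                 # PNG renamed .exe
}

if __name__ == "__main__":
    print("magic-only :", extension_mismatches(SAMPLE_FILES, identify_by_magic))
    print("structural :", extension_mismatches(SAMPLE_FILES, identify))
```

The magic-only pass misses holiday.jpg entirely and wrongly lists notes.txt as an executable; the structural pass catches the masked PE and clears the text file. Both agree on photo.exe, which is why the extension sort alone is not enough: the identifier feeding it has to look past the first bytes.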