
Thread: Timestomp - Change NTFS Timestamp values

  1. #11
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by mmkhan
    Mainly for user awareness, I think you haven't gone through one of the presentations present there. The presentation is quite interesting, describing various techniques and then anti techniques.
    Presentation: http://metasploit.com/projects/antif...If_You_Can.ppt
    You're right... I was blocked by websense when I was reading this at work.
    I hate that ****ing thing!
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #12
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Interesting bit on timestomp. The thing is, timestamps have always been a hard thing to base an investigation off of or even use in one. touch, perl-fu... pick any ol' way you want to modify a timestamp and you can do it. The nice thing is that this tool hits the MFT entry time (or E as they call it) as well.
    The presentation was very well done and incredibly true. I can only hope that vendors are paying attention to the work these guys are doing. One thing they didn't mention was TSK or any Linux-based tools.

    Fooling signature detection was an interesting piece. It may fool the casual observer, but the MZ in an exe isn't the only piece in a header of an executable that's used to detect it. It's typically the default used in the magic file, but that's not the only indicator. In addition, I would imagine that tools that sort by mismatched extensions and the output of `file` with a specific magic file would take care of this issue.
    I'll have to play around with FTK and other tools and transmogrify when it's released.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
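
The point in post #12 about checking more than `MZ`, as an added example that is not part of the original posts and not code from any tool named in the thread: it looks for PE structure through the header offset at 0x3C, the `PE\0\0` signature, the COFF machine field and the optional-header magic, then compares the result with the file extension. The function names, finding labels, value sets and the sample header bytes are assumptions constructed for illustration.

```python
import os
import struct

# Assumed value sets for this sketch (not taken from the thread).
PE_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}   # i386, AMD64, ARMNT, ARM64
OPT_MAGICS = {0x010B, 0x020B}                    # PE32, PE32+
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}

def pe_structure(data):
    """True if data is laid out like a PE file, ignoring bytes 0-1 ('MZ')."""
    if len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of PE header
    if e_lfanew + 26 > len(data):                        # sig + COFF + magic
        return False
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return machine in PE_MACHINES and opt_magic in OPT_MAGICS

def classify(name, data):
    """Hypothetical triage label for one file name and its leading bytes."""
    has_mz = data[:2] == b"MZ"
    is_pe = pe_structure(data)
    ext = os.path.splitext(name)[1].lower()
    if is_pe and not has_mz:
        return "pe-structure-without-mz"          # first two bytes were changed
    if is_pe and ext not in EXEC_EXTS:
        return "pe-with-non-executable-extension"
    return "no-finding"

def sample_header(first_two=b"MZ"):
    """Constructed sample: 64-byte DOS header, PE signature, COFF header, magic."""
    dos = bytearray(0x40)
    dos[0:2] = first_two
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", 0x010B)

if __name__ == "__main__":
    cases = [("tool.exe", sample_header()), ("notes.txt", sample_header()),
             ("notes.txt", sample_header(b"AA")), ("readme.txt", b"hello world" * 10)]
    for name, data in cases:
        print(f"{name:12} {classify(name, data)}")
```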
