Forums
Main Category
General (Technical,...
Completely change M...
 
Notifications
Clear all

Completely change MACE timestamps

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Patrick4n6 10 years ago
4 Posts
4 Users
0 Reactions
1,012 Views
RSS
 gorvq7222
(@gorvq7222)
Reputable Member
Joined: 11 years ago
Posts: 236
Topic starter 11/06/2015 8:52 pm  

Hi,

One of my friends Sandy asked me about the possibility of completely change MACE timestamps. As everybody knows that some tools could change MAC timestamps only. I told her that a tool whose name is "Timestomp" could change MACE timestamps,including Entry Modified Time. She was very surprise and ask me how to use "Timestomp". You guy could take a look at my blog

http//www.cnblogs.com/pieces0310/p/4570415.html

Couple days later she asked me what if some suspect use Timestomp to change MACE timestamps, how could I figure it out? Fortunately, there are two kinds of timestamps in MFT. They are Standard info and Filename info attributes. I dump an MFT to csv and you could see them clearly. Even Timestomp could change MACE timestamps, it could only change Standard info attributes, not including Filename info attributes. So we could take a look at MFT dump results and see if there is any abnormal timestamps between those two timestamp attributes.


   
Quote
joakims
 joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
12/06/2015 3:45 am  

Would this tool have made any difference to the investigation of those timestamps on that volume https://github.com/jschicht/SetMace ?


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
12/06/2015 5:03 am  

Would this tool have made any difference to the investigation of those timestamps on that volume https://github.com/jschicht/SetMace ?

That one seems a lot like a blow below the belt ? 😯

roll

jaclaz


   
ReplyQuote
 Patrick4n6
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
12/06/2015 8:28 pm  

Or a hex editor in the right hands.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: