Skip to content
Reverse Engineering
Anti-Forensicintermediate

Timestomping

Malware rewrites a file's MACB timestamps to defeat timeline analysis, but the forged values rarely survive a full NTFS examination.

Timestomping is the deliberate falsification of a file's timestamps so a dropped payload appears old, system-installed, or otherwise unremarkable. The goal is to break the investigator's timeline: if the malware's $STANDARD_INFORMATION ($SI) Modified time reads 2009, it sinks below every artifact a timeline-of-interest query surfaces.

On NTFS each file carries two parallel sets of MACB timestamps — Modified, Accessed, Changed (MFT entry change), and Born (created). One set lives in $SI, the other in the $FILE_NAME ($FN) attribute. Crucially, the Windows API and tools like Cobalt Strike's timestomp command only write to $SI. The kernel updates $FN only on file creation, rename, or move, and that update copies from $SI at that moment — it is not directly settable from user mode. This asymmetry is the defender's primary lever.

How it works

A common approach copies the timestamps of a trusted system file (e.g., kernel32.dll) onto the payload, or sets them to a fixed backdated value:

powershell
# Backdate a dropped payload to match a legitimate system binary
$ref = (Get-Item C:\Windows\System32\kernel32.dll)
$evt = Get-Item C:\Users\Public\update.exe
$evt.CreationTime   = $ref.CreationTime
$evt.LastWriteTime  = $ref.LastWriteTime
$evt.LastAccessTime = $ref.LastAccessTime

Cobalt Strike exposes the same behavior natively (timestomp <src> <dst>), and many loaders call SetFileTime directly. None of these paths touch $FN, so after the operation $SI reads 2009 while $FN still reflects the real creation time.

Detection & analysis

Static analysis:

  • Parse $MFT and compare $SI against $FN for each record. A $SI Born/Modified time that is earlier than the $FN Born time is a strong timestomp indicator — $FN can lag but should not predate creation. Tools: MFTECmd (Eric Zimmerman), analyzeMFT, Velociraptor's parse_ntfs plugin.
  • Look for sub-second precision anomalies: native Windows file creation writes 100-nanosecond resolution, so a $SI timestamp with all-zero sub-second fields (e.g., .0000000) often betrays an API that rounded to whole seconds.
  • Flag clustered identical timestamps across unrelated files — a copied reference time produces suspiciously uniform MACB values.

Dynamic analysis:

  • Sysmon Event ID 2 ("A process changed a file creation time") fires specifically on SetFileTime-style backdating; correlate the reporting process against expected behavior.
  • Cross-reference the $LogFile and $UsnJrnl:$J (USN journal): the journal records the real FILE_CREATE/DATA_OVERWRITE USN events with their own reliable timestamps, independent of the forged $SI. A file claiming a 2009 birth date but appearing in a 2026 USN sequence is conclusive.

Detection rule hint: Alert when, for any $MFT record, the $SI creation time is more than a few seconds earlier than the $FN creation time, OR when $SI sub-second precision is zero while neighboring legitimately-created files carry full precision. Pair the MFT finding with the corresponding USN journal creation timestamp to recover the true install time.

Votes

Comments(0)