Timestomping is a common anti-forensic tactic that threat actors use to hide their tools on a victim's file system by altering file timestamps. Detecting and analyzing timestomping can be time-consuming for examiners, but with a combination of the Kroll Artifact Parser and Extractor (KAPE), MFTECmd and Timeline Explorer, the process is expedited, allowing examiners to focus on the data instead of worrying about parsing files.
In this session, Kroll expert Andrew Rathbun demonstrates how to use KAPE, MFTECmd and Timeline Explorer to acquire, parse and analyze an $MFT file to detect timestomping.
This webcast covers:
- The basic KAPE workflow, calling MFTECmd via KAPE Modules
- The benefits of MFTECmd
- How to collect and parse the $MFT with KAPE and MFTECmd
- How to detect timestomping in the parsed $MFT with Timeline Explorer
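The detection step above relies on two $MFT indicators that MFTECmd surfaces in its CSV output: a $STANDARD_INFORMATION (0x10) timestamp that precedes the $FILE_NAME (0x30) timestamp, and $STANDARD_INFORMATION timestamps whose sub-second portion is all zeros. The following Python script is an added example, not code from the webcast or from the KAPE/MFTECmd projects; it applies those two checks to a few constructed rows whose column names are assumed to follow MFTECmd's CSV naming (`Created0x10`, `Created0x30`, `LastModified0x10`, `LastModified0x30`).

```python
"""Flag likely timestomping in MFTECmd-style $MFT CSV output (added example)."""
import csv
import io
from datetime import datetime

# Constructed sample rows. Column names are assumed to match MFTECmd's CSV output:
# *0x10 columns come from $STANDARD_INFORMATION, *0x30 columns from $FILE_NAME.
# Entry 42 imitates a dropped binary whose $SI timestamps were pushed back to 2019
# with whole-second precision, while the kernel-set $FN timestamps still show 2023.
SAMPLE_CSV = """EntryNumber,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
41,.\\Users\\alice\\Documents,report.docx,2023-05-04 10:15:22.1234567,2023-05-04 10:15:22.1234567,2023-05-06 08:01:10.9876543,2023-05-04 10:15:22.1234567
42,.\\Windows\\Temp,svchost.exe,2019-03-18 04:37:13.0000000,2023-05-07 22:41:55.8812345,2019-03-18 04:37:13.0000000,2023-05-07 22:41:55.8812345
43,.\\Windows\\Temp,update.dll,2023-05-07 22:43:01.4420011,2023-05-07 22:43:01.4420011,2023-05-07 22:43:01.4420011,2023-05-07 22:43:01.4420011
"""


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' into (datetime, 100ns ticks).

    The fraction is kept separately because NTFS stores 100ns resolution (7 digits),
    which datetime's %f (6 digits) cannot represent.
    """
    date_part, _, frac = value.strip().partition(".")
    base = datetime.strptime(date_part, "%Y-%m-%d %H:%M:%S")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return base, ticks


def analyze_row(row):
    """Return a list of timestomping indicators for one parsed $MFT record."""
    findings = []

    # Indicator 1: $SI created earlier than $FN created. $FN timestamps are written
    # by the kernel and are not reachable through the user-mode SetFileTime API,
    # so an $SI creation time that predates $FN is a classic timestomping sign.
    if parse_ts(row["Created0x10"]) < parse_ts(row["Created0x30"]):
        findings.append("SI<FN: $SI created precedes $FN created")

    # Indicator 2: $SI timestamps with a zero sub-second component. Tools that set
    # timestamps from a human-readable date usually cannot supply 100ns precision.
    for col in ("Created0x10", "LastModified0x10"):
        _, ticks = parse_ts(row[col])
        if ticks == 0:
            findings.append(f"uSecZeros: {col} has an all-zero sub-second fraction")

    return findings


def find_timestomped(csv_text):
    """Map FileName -> indicators for every record that triggers at least one check."""
    reader = csv.DictReader(io.StringIO(csv_text))
    results = {}
    for row in reader:
        findings = analyze_row(row)
        if findings:
            results[row["FileName"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in find_timestomped(SAMPLE_CSV).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Both indicators are leads rather than proof: zeroed sub-second fractions also occur legitimately on files copied from FAT-formatted media or extracted by some archivers, and $FN timestamps are refreshed on rename or move, so each hit should be confirmed against surrounding records and other artifacts (for example $UsnJrnl and $LogFile) before being reported as timestomping.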
Download the webcast slides here.
Interested in learning more about KAPE? Register for one of our training and certification sessions today.