Mon, Jun 13, 2022
A common anti-forensic technique Kroll has observed during incident response engagements is timestomping. Timestomping refers to the alteration of the timestamps of a file on an NTFS file system. Threat actors commonly use this tactic to hide their tools on the victim’s file system: the files are made to appear to have been created outside the incident timeframe, often by years, which can make important artifacts harder for examiners to find or cause them to be missed entirely.
It is imperative during incident response investigations for examiners to review the contents of compromised hosts to detect potentially malicious files. This includes paying special attention to common NTFS metadata files, including but not limited to the $MFT. The $MFT contains multiple timestamps for each file and folder on the file system of the compromised host. Evidence of timestomping can be observed by analyzing the differences between the 0x10 ($STANDARD_INFORMATION) and 0x30 ($FILE_NAME) timestamps found within the $MFT.
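The following is an added example, not Kroll's code or tooling, that shows what the 0x10/0x30 comparison looks like once an $MFT parser has handed you records. The records here are constructed dictionaries holding raw 64-bit FILETIME values for the $STANDARD_INFORMATION (si) and $FILE_NAME (fn) attributes; the record layout, the `analyze_record` function and the sample paths are assumptions for the example. It flags two of the classic indicators: $SI values that predate their $FN counterparts (user-mode time-setting APIs only touch $SI, while $FN is written by the kernel on create, rename and move), and $SI timestamps whose 100 ns fraction is all zeros, which is what many timestomping tools leave behind when they set whole seconds.

```python
"""Heuristic timestomping check over parsed $MFT records (added example)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("M", "A", "C", "B")  # Modified, Accessed, MFT-entry Changed, Birth


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as a FILETIME using exact integer math."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86_400 + td.seconds) * 10_000_000 + td.microseconds * 10


def sub_second_ticks(ft: int) -> int:
    """Fractional-second part of a FILETIME (0 .. 9,999,999 ticks)."""
    return ft % 10_000_000


def ft(y, mo, d, h=0, mi=0, s=0, ticks=0) -> int:
    """Build a constructed FILETIME; `ticks` is the 100 ns remainder."""
    return datetime_to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)) + ticks


def fmt(ft_value: int) -> str:
    return filetime_to_datetime(ft_value).strftime("%Y-%m-%d %H:%M:%S")


def analyze_record(rec: dict) -> list:
    """Return human-readable findings for one parsed $MFT record."""
    findings = []
    si, fn = rec["si"], rec["fn"]
    # $FN is only rewritten by the kernel, so a $SI value older than its
    # $FN counterpart is suspicious. Birth (B) is the strongest signal: a
    # plain file copy legitimately carries the source's older Modified
    # time into $SI, so M/A/C mismatches are weighted as weak.
    for f in FIELDS:
        if si[f] < fn[f]:
            strength = "strong" if f == "B" else "weak"
            findings.append(f"{strength}: $SI {f} {fmt(si[f])} predates $FN {f} {fmt(fn[f])}")
    # Kernel-written timestamps almost always carry a non-zero 100 ns
    # fraction; tools that set whole seconds leave it at exactly zero.
    if all(sub_second_ticks(si[f]) == 0 for f in FIELDS) and any(
        sub_second_ticks(fn[f]) for f in FIELDS
    ):
        findings.append("strong: every $SI timestamp has a zero sub-second fraction")
    return findings


def scan(records: list) -> dict:
    """Map path -> findings for every record that raised at least one."""
    return {r["path"]: f for r in records if (f := analyze_record(r))}


# Constructed sample records (not from any real case).
_ok = ft(2022, 5, 20, 9, 30, 15, ticks=4_567_890)
_copy_time = ft(2022, 5, 20, 9, 32, 0, ticks=2_222_222)
SAMPLE_RECORDS = [
    # Ordinary file: $SI and $FN agree and carry a sub-second fraction.
    {"path": r"C:\Windows\System32\drivers\etc\hosts",
     "si": dict.fromkeys(FIELDS, _ok), "fn": dict.fromkeys(FIELDS, _ok)},
    # Timestomped tool: $SI pushed back to 2015 on whole seconds while
    # $FN still records when the file actually landed on disk.
    {"path": r"C:\PerfLogs\svchost.exe",
     "si": dict.fromkeys(FIELDS, ft(2015, 3, 4, 12, 0, 0)),
     "fn": dict.fromkeys(FIELDS, ft(2022, 5, 20, 9, 31, 2, ticks=1_234_560))},
    # Legitimately copied file: only $SI Modified predates $FN.
    {"path": r"C:\Users\analyst\Documents\report.docx",
     "si": {"M": ft(2021, 11, 2, 8, 0, 0, ticks=7_000_001),
            "A": _copy_time, "C": _copy_time, "B": _copy_time},
     "fn": dict.fromkeys(FIELDS, _copy_time)},
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path)
        for line in findings:
            print("   ", line)
```

Treat the output as a triage list rather than a verdict: confirm any hit against $LogFile, the USN journal and other sources the page's series discusses before concluding a file was timestomped.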
Threat actors often use timestomping to modify the NTFS timestamps of their tools, related outputs and potentially created files containing staged data to conceal their files from incident response efforts during the Internal Scouting and Toolkit Deployment steps of the Kroll Intrusion Lifecycle. This includes Modified, Accessed, Changed and Birth (MACB) times. Timestomping can be accomplished using many tools, including PowerShell, Total Commander, SKTimeStamp, ChangeTimestamp, SetMace and NewFileTime.
There are a few key indicators that could point to timestomping when looking for malicious files. These include:
In this series, Kroll experts will dive into an example of timestomping, what it can look like from the threat actor’s perspective and how to detect it and interpret the results.
Read more about Timestomping in our Sophisticated Anti-Forensic Tactics and How To Spot Them series.