Article 2 of series Sophisticated Anti-Forensics Tactics and How to Spot Them: Timestomping

Timestomping is widely used by threat actors because it is easy and accessible, even for novice users. A tool called NewFileTime illustrates this point well. NewFileTime is a free timestamp manipulation tool for Windows with an easy-to-use graphical user interface (GUI) (Figure 1). It offers many straightforward capabilities, such as modifying the timestamps of several files and/or folders at once, making file timestamps younger or older, setting the timestamps of a file to any desired time and setting a file’s timestamps from a timestamp contained in its file name. NewFileTime isn’t the only program capable of timestomping, and the general concept applies to other tools as well.

Figure 1 – NewFileTime graphical user interface (GUI) at launch 

Files can be added to NewFileTime by dragging and dropping them to the white canvas (Figure 2).

Figure 2 – Dragging and dropping the desired file into NewFileTime

Once the file is selected, the proposed timestamp changes will appear on the bottom (Figure 3).

Figure 3 – Hovering over file in NewFileTime to view timestamps

Timestomping Methods with NewFileTime

NewFileTime provides multiple methods of timestomping: Set Time, Be Older, Be Younger and Filename to Time. 

Set Time

The Set Time feature in NewFileTime allows a user to set the timestamps for Date Modified, Date Created and/or Date Accessed. On the “set time” tab of the tool, the user can use the dropdown next to the date to choose the new date for each timestamp. Once that is complete, the user can select the hashtag (#) button to set a time at the top of the hour for each timestamp and then click on one of the checkboxes to update the timestamps. The Set Time button will then allow the file to adopt the new timestamps (Figure 4).

Figure 4 – Set Time feature in NewFileTime

Be Older

The Be Older feature in NewFileTime allows a user to set the timestamps for Date Modified, Date Created and/or Date Accessed to an older date/time. On the “be older” tab of the tool, the user can enter the number of days they want each timestamp to be older than the original date/time. The user can select the hashtag (#) button to set a time at the top of the hour and then click on one of the checkboxes to update those times. Once that is complete, the Set Time button will allow the file to adopt the new timestamps (Figure 5).

Figure 5 – Be Older feature in NewFileTime

Be Younger

The Be Younger feature in NewFileTime allows a user to set the timestamps for Date Modified, Date Created and/or Date Accessed to a more recent date/time. On the “be younger” tab of the tool, the user can enter the number of days they want each timestamp to be younger than the original date/time. As stated previously, the user can select the hashtag (#) button to set a time at the top of the hour, and then click on one of the checkboxes to update those times. Once that is complete, the Set Time button will allow the file to adopt the new timestamps (Figure 6).

Figure 6 – Be Younger feature in NewFileTime

Filename to Time

The Filename to Time feature in NewFileTime differs from previous methods demonstrated as it allows a user to change the timestamps for Date Modified, Date Created and/or Date Accessed for multiple files at once by inheriting the timestamp of the filename if the timestamp is in the following format: YYYY-MM-DD HH.MM.SS or YYYY-MM-DD_HH.MM.SS. For example, a file named “cat-toes-paw-number-paws-tiger-tabby_2021-10-26_15.00.00” will adopt the new timestamp of 2021-10-26 15.00.00 for Date Modified, Date Created and/or Date Accessed, depending on which timestamp the user chooses to change. The user simply needs to drag the files over to the white canvas in NewFileTime. Once that is complete, the user can uncheck any of the Date or Time checkboxes where they do not want to change the timestamp for Date Modified, Date Created or Date Accessed. If all three timestamps are to be changed, then leave all checkboxes checked as this is the default option. Once that determination is made, the Set Time button will allow the files to adopt the new timestamps all at once (Figure 7).

Figure 7 – Filename to Time feature in NewFileTime
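
The behaviours described above leave patterns an examiner can triage for: timestamps equal to a date embedded in the file name (Filename to Time), timestamps at the top of the hour (the # button) and all three timestamps being identical. The following Python sketch is an added example, not part of the original article or of NewFileTime; the record layout (name, created, modified, accessed) and the sample records are constructed for illustration and assume the timestamps were already extracted from a file listing.

```python
import re
from datetime import datetime

# Filename formats named in the article: YYYY-MM-DD HH.MM.SS or YYYY-MM-DD_HH.MM.SS
STAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2})[ _](\d{2}\.\d{2}\.\d{2})")
FIELDS = ("created", "modified", "accessed")

def filename_timestamp(name):
    """Return the first valid timestamp embedded in a file name, or None."""
    for date_part, time_part in STAMP_RE.findall(name):
        try:
            return datetime.strptime(f"{date_part} {time_part}", "%Y-%m-%d %H.%M.%S")
        except ValueError:  # digits matched but not a real date, e.g. month 13
            continue
    return None

def triage(record):
    """Return indicator strings for one file record (dict: name + FIELDS)."""
    # Compare at one-second granularity, the resolution of the filename format.
    times = {f: record[f].replace(microsecond=0) for f in FIELDS}
    reasons = []
    embedded = filename_timestamp(record["name"])
    matched = [f for f in FIELDS if embedded is not None and times[f] == embedded]
    if matched:
        reasons.append("equals filename timestamp: " + ",".join(matched))
    on_hour = [f for f in FIELDS if times[f].minute == 0 and times[f].second == 0]
    if on_hour:
        reasons.append("top of the hour: " + ",".join(on_hour))
    if len(set(times.values())) == 1:
        reasons.append("created, modified and accessed identical")
    return reasons

# Constructed sample records (not real case data).
SAMPLES = [
    {"name": "cat-toes-paw-number-paws-tiger-tabby_2021-10-26_15.00.00.jpg",
     "created": datetime(2021, 10, 26, 15, 0, 0),
     "modified": datetime(2021, 10, 26, 15, 0, 0),
     "accessed": datetime(2021, 10, 26, 15, 0, 0)},
    {"name": "report 2022-13-40 10.00.00.docx",  # invalid date in name
     "created": datetime(2022, 3, 1, 9, 14, 52, 120000),
     "modified": datetime(2022, 3, 4, 17, 2, 8, 990000),
     "accessed": datetime(2022, 3, 5, 8, 30, 1)},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["name"], "->", triage(rec) or "no indicators")
```

Any hit is a lead to corroborate against other artifacts rather than proof of tampering.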

As demonstrated, NewFileTime provides users with the capability to easily timestomp files in different ways. Since a timestomping tool such as NewFileTime is free and so easy to use, threat actors commonly take advantage of timestomping to further enhance their ability to hide any malicious activity on a system.

Looking Ahead

In the next article, we will demonstrate how to observe timestomped data using tools such as KAPE and Timeline Explorer.

Related Articles

Timestomping a File with NewFileTime /en/insights/publications/cyber/anti-forensic-tactics/timestomping-with-newfiletime 2022-06-13
