
METASPLOIT – How to change file attributes of a file to a different date using Timestomp

17/06/2013

Forensic investigators rely on each file's metadata when building a case for prosecution. However, timestomp can change all of these values and mislead an investigation. MACE is the acronym for the four timestamps Windows keeps for a file, such as the Word document shown:

  • Modified date/time
  • Accessed date/time
  • Created date/time
  • Entry Modified date/time.

Update May 2016

Forensic investigators refer to the MAC times (Modify, Access, Created) plus the Birth time for Windows files.

I use the mnemonic “MACBETH” to remember them.


How to do it

Step 1 – Start by changing the creation time of the file.

-c is used to change the creation time of the file.

timestomp c:\secret.doc -c "1/01/2001 01:01:01"

Step 2 – Change the modified time

-m is used to change the modified time

timestomp c:\secret.doc -m "1/01/2001 01:01:01"

Step 3 – Change the accessed time

-a changes the accessed time

timestomp c:\secret.doc -a "1/01/2001 01:01:01"

Step 4 – check the changes have taken place

-v verifies the metadata values held for the file

timestomp c:\secret.doc -v

Step 5 – Emergency tactic – avoid if you can

timestomp c:\secret.doc -z "1/01/2001 01:01:01"

-z sets all four MACE values to the same time. Of course, any system administrator would spot that the file has been tampered with, since normal use never leaves a file with an identical creation and accessed time.

So if you wish to remain undetected, do not use -z.
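The two tells mentioned above (all four values identical after -z, and the whole-second dates the commands accept) can be checked mechanically. The following is an added defender-side example, not code from the original post or from Metasploit; it takes the four MACE values as Python datetime objects (for instance exported from a forensic tool) and reports why a set looks stomped. The field names and sample records are constructed for the example.

```python
from datetime import datetime
from typing import Dict, List

# The four NTFS timestamps the post calls MACE.
MACE_FIELDS = ("modified", "accessed", "created", "entry_modified")


def timestomp_indicators(mace: Dict[str, datetime]) -> List[str]:
    """Return the reasons a file's MACE set looks stomped (empty list if none)."""
    reasons: List[str] = []
    values = [mace[field] for field in MACE_FIELDS]
    # timestomp -z writes one value into all four fields; as the post notes, a
    # creation time equal to the accessed time is not what normal use produces.
    if len(set(values)) == 1:
        reasons.append("all four MACE timestamps identical (timestomp -z pattern)")
    # NTFS keeps timestamps at 100 ns resolution, but the "1/01/2001 01:01:01"
    # argument used above carries whole seconds only, so a stomped field comes
    # back with a zero fractional part. One such field can occur by chance;
    # several together are a strong signal.
    whole_second = [field for field in MACE_FIELDS if mace[field].microsecond == 0]
    if whole_second:
        reasons.append("zero sub-second part in: " + ", ".join(whole_second))
    return reasons


# Constructed sample records, not taken from any real system.
STOMPED = {field: datetime(2001, 1, 1, 1, 1, 1) for field in MACE_FIELDS}
PARTIAL = {  # only -c was run against this file
    "modified": datetime(2013, 6, 17, 9, 12, 44, 318205),
    "accessed": datetime(2013, 6, 17, 9, 12, 44, 318205),
    "created": datetime(2001, 1, 1, 1, 1, 1),
    "entry_modified": datetime(2013, 6, 17, 9, 12, 44, 318205),
}
NORMAL = {
    "modified": datetime(2013, 6, 17, 9, 12, 44, 318205),
    "accessed": datetime(2013, 6, 17, 11, 3, 2, 771934),
    "created": datetime(2013, 6, 14, 16, 40, 9, 52310),
    "entry_modified": datetime(2013, 6, 17, 9, 12, 44, 318205),
}

if __name__ == "__main__":
    for name, record in (("stomped", STOMPED), ("partial", PARTIAL), ("normal", NORMAL)):
        print(name + ":", timestomp_indicators(record) or "no indicators")
```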


Linux – you can do a simple listing to see the times.

  • ls -l outputs last time the file content was modified, the mtime
  • ls -lc outputs last time of file status modification, the ctime (What’s the difference?)
  • ls -lu outputs last access time, the atime (although the usefulness of this concept is subject to discussion)

And of course, ctime does not record when a file was “created”. The POSIX specification defines only three timestamps, but some Linux filesystems store a birth (creation) time (see the linked question “How to find creation date of file?”).

There are only THREE distinct time values stored for each of your files, as defined by the POSIX Standard: http://pubs.opengroup.org/onlinepubs/9699919799/ (see Base Definitions section -> 4. General Concepts -> 4.8 File Times Update)

Each file has three distinct associated timestamps: the time of last data access, the time of last data modification, and the time the file status last changed. These values are returned in the file characteristics structure struct stat, as described in <sys/stat.h>.

And from <sys/stat.h> :

atime is for Last data access timestamp.
mtime is for Last data modification timestamp.
ctime is for Last file status change timestamp.

The following examples show the difference among atime, mtime and ctime; they are run in GNU/Linux bash. You can use stat -x on Mac OS X or other BSD distributions to see similar output.

$ stat --version
stat (GNU coreutils) 8.4
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Michael Meskes.
$
$ touch test
$ stat test
  File: `test'
  Size: 0           Blocks: 0          IO Block: 4096   regular empty file
Device: 811h/2065d  Inode: 98828525    Links: 1
Access: (0664/-rw-rw-r--)  Uid: (  514/    rank)   Gid: (  514/    rank)
Access: 2014-03-16 10:58:28.609223953 +0800
Modify: 2014-03-16 10:58:28.609223953 +0800
Change: 2014-03-16 10:58:28.609223953 +0800

When the file has just been created, the three timestamps are the same.


1. atime

First, let’s access the file’s data by reading it (less or vim), printing it out (cat) or copying it to another file (cp).

$ cat test #Nothing will be printed out, since the file is empty
$ stat test
  File: `test'
  Size: 0           Blocks: 0          IO Block: 4096   regular empty file
Device: 811h/2065d  Inode: 98828525    Links: 1
Access: (0664/-rw-rw-r--)  Uid: (  514/    rank)   Gid: (  514/    rank)
Access: 2014-03-16 10:59:13.182301069 +0800  <-- atime Changed!
Modify: 2014-03-16 10:58:28.609223953 +0800
Change: 2014-03-16 10:58:28.609223953 +0800

2. ctime

Now let’s change the file status, by changing the permissions (chmod) or renaming it (mv).

$ chmod u+x test
$ stat test
  File: `test'
  Size: 0           Blocks: 0          IO Block: 4096   regular empty file
Device: 811h/2065d  Inode: 98828525    Links: 1
Access: (0764/-rwxrw-r--)  Uid: (  514/    rank)   Gid: (  514/    rank)
Access: 2014-03-16 10:59:13.182301069 +0800
Modify: 2014-03-16 10:58:28.609223953 +0800
Change: 2014-03-16 11:04:10.178285430 +0800  <-- ctime Changed!
$    
$ mv test testing
$ stat testing
  File: `testing'
  Size: 0           Blocks: 0          IO Block: 4096   regular empty file
Device: 811h/2065d  Inode: 98828525    Links: 1
Access: (0764/-rwxrw-r--)  Uid: (  514/    rank)   Gid: (  514/    rank)
Access: 2014-03-16 10:59:13.182301069 +0800
Modify: 2014-03-16 10:58:28.609223953 +0800
Change: 2014-03-16 11:06:33.342207679 +0800  <-- ctime Changed again!

Note that until now, the contents (data) of the file are still the same as when it was created.


3. mtime

Finally, let’s modify the contents of the file by editing the file.

$ echo 'Modify the DATA of the file' > testing
$ echo 'Modify the DATA of the file also change the file status' > testing
$ stat testing
  File: `testing'
  Size: 56          Blocks: 8          IO Block: 4096   regular file
Device: 811h/2065d  Inode: 98828525    Links: 1
Access: (0764/-rwxrw-r--)  Uid: (  514/    rank)   Gid: (  514/    rank)
Access: 2014-03-16 10:59:13.182301069 +0800
Modify: 2014-03-16 11:09:48.247345148 +0800  <-- mtime Changed!
Change: 2014-03-16 11:09:48.247345148 +0800  <-- ctime also Changed!

4. birth time

Also note that newer versions of stat (e.g. stat 8.13 in Ubuntu 12.04) print a fourth timestamp, the Birth Time (file creation time), although it may not show a value yet:

$ stat --version
stat (GNU coreutils) 8.13
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Michael Meskes.
$
$ stat birth_time
  File: `birth_time'
  Size: 0           Blocks: 0          IO Block: 4096   regular empty file
Device: 805h/2053d  Inode: 4073946     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/ bingyao)   Gid: ( 1000/ bingyao)
Access: 2014-03-16 10:46:48.838718970 +0800
Modify: 2014-03-16 10:46:48.838718970 +0800
Change: 2014-03-16 10:46:48.838718970 +0800
 Birth: -

Reference:

http://superuser.com/questions/387042/how-to-check-all-timestamps-of-a-file

On such a supported configuration, one could use

stat --printf '%n\nmtime: %y\nctime: %z\natime: %x\ncrtime: %w\n' testing
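The stat listings above show that ctime moves whenever the inode changes, even when the data does not. The consequence for an investigator is that atime and mtime can be set from user space (touch -d, or os.utime below) while ctime is written by the kernel and records when that change happened. The following added example, not code from the original post, demonstrates this on a scratch file; the function names and the 2001 target date are constructed for the example.

```python
import os
import tempfile
import time
from typing import Dict


def backdate_and_stat(path: str, new_epoch: float) -> Dict[str, float]:
    """Set atime and mtime of path to new_epoch and return all three stat times."""
    os.utime(path, (new_epoch, new_epoch))  # only atime and mtime are settable from user space
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def ctime_mismatch(times: Dict[str, float], tolerance: float = 60.0) -> bool:
    """True when the inode changed long after the content supposedly did.

    A backdated file looks like this, but so does a chmod or mv on an old file
    (as the stat listings above show), so treat it as a triage signal, not proof.
    """
    return times["ctime"] - times["mtime"] > tolerance


def demo() -> Dict[str, float]:
    """Create a scratch file, backdate it to 1/01/2001 01:01:01 UTC and stat it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        # 978310861 is 2001-01-01 01:01:01 UTC, the constructed target date;
        # mtime will read back as 2001, ctime as the moment of this call.
        return backdate_and_stat(path, 978310861.0)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    times = demo()
    for name, value in times.items():
        print(name, time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(value)))
    print("ctime/mtime mismatch:", ctime_mismatch(times))
```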