Metasploit mailing list archives
Timestomp
From: restrictanonymous at gmail.com (Anonymous User)
Date: Fri, 12 Aug 2005 14:11:50 -0700
I checked it out. It doesn't permit you to change the entry modified attribute of NTFS that forensic examiners use to red flag MAC modifications. Still, if anyone knows of any anti-forensics tools out there that do the same thing, definitely fill us in...

On 8/12/05, mmiller at hick.org <mmiller at hick.org> wrote:
> On Fri, Aug 12, 2005 at 08:23:09PM +0200, Jerome Athias wrote:
> > http://metasploit.com/projects/antiforensics/
> > Timestomp - First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.
> >
> > "First", I don't know (http://www.segobit.com/fpc.htm was useful for me), but C00L! and small, sure it is!
>
> This tool doesn't appear (unless I'm blind) to let you change the entry modified time, which is why timestomp claims to be the first to do this :) There are lots of tools that can change the MAC times.
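For readers on the examination side, an added example (not part of the thread and not Metasploit code) of reading the four NTFS timestamps discussed above and checking the entry modified value against the MAC times. It assumes the caller has already extracted the content bytes of a file's $STANDARD_INFORMATION attribute; the function names, the two checks, and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# On-disk order of the four timestamps at the start of $STANDARD_INFORMATION.
FIELDS = ("created", "modified", "entry_modified", "accessed")

def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed samples."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_si_times(si):
    """Return the four timestamps from the first 32 bytes of the attribute content."""
    if len(si) < 32:
        raise ValueError("need at least 32 bytes of $STANDARD_INFORMATION content")
    return {k: filetime_to_dt(v) for k, v in zip(FIELDS, struct.unpack_from("<4Q", si))}

def triage(si, slack=timedelta(seconds=2)):
    """Return review leads (not proof): legitimate metadata changes also trip them."""
    t = parse_si_times(si)
    leads = []
    # Assumed heuristic: setting M/A/C to old values moves entry_modified to "now".
    if t["entry_modified"] - max(t["created"], t["modified"], t["accessed"]) > slack:
        leads.append("entry_modified later than all MAC times")
    if t["entry_modified"] < t["created"]:
        leads.append("entry_modified earlier than created")
    return leads

def build_si(**times):
    """Pack constructed datetimes into the 32-byte on-disk layout."""
    return struct.pack("<4Q", *(dt_to_filetime(times[k]) for k in FIELDS))

def utc(*a):
    return datetime(*a, tzinfo=timezone.utc)

# Constructed samples, not taken from any real volume.
BACKDATED = build_si(created=utc(2004, 1, 5, 9, 0), modified=utc(2004, 1, 5, 9, 30),
                     accessed=utc(2004, 1, 6, 8, 0), entry_modified=utc(2005, 8, 12, 14, 0))
UNTOUCHED = build_si(created=utc(2005, 8, 1, 10, 0), modified=utc(2005, 8, 1, 10, 5),
                     accessed=utc(2005, 8, 1, 10, 5), entry_modified=utc(2005, 8, 1, 10, 5))

if __name__ == "__main__":
    for name, si in (("BACKDATED", BACKDATED), ("UNTOUCHED", UNTOUCHED)):
        print(name, triage(si))
```

Renames, permission changes and other ordinary metadata updates also advance the entry modified time, so a lead from `triage` is a reason to look closer at a file, not a conclusion.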