Metasploit mailing list archives

Timestomp


From: restrictanonymous at gmail.com (Anonymous User)
Date: Fri, 12 Aug 2005 14:11:50 -0700

I checked it out. It doesn't permit you to change the entry modified
attribute of NTFS that forensic examiners use to red flag MAC
modifications.

Still, if anyone knows of any anti-forensics tools out there that do
the same thing, definitely fill us in...

On 8/12/05, mmiller at hick.org <mmiller at hick.org> wrote:
> On Fri, Aug 12, 2005 at 08:23:09PM +0200, Jerome Athias wrote:
>>> http://metasploit.com/projects/antiforensics/
>>>
>>> Timestomp - First ever tool that allows you to modify all four NTFS
>>> timestamp values: modified, accessed, created, and entry modified.
>>
>> "First", I don't know (http://www.segobit.com/fpc.htm was useful for me),
>> but C00L! and small, sure it is!
>
> This tool doesn't appear (unless I'm blind) to let you change the entry
> modified time, which is why timestomp claims to be the first to do this
> :)  There are lots of tools that can change the MAC times.
