Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

This lesson covers changing file attributes using timestomp. Participants learn how to change attributes of items they leave behind in order to confuse an investigator. By going to the folder where the files are kept and using the tools.exe file, participants use the timestomp command to change the files within.

Video Transcription

00:04
Okay, so another thing to think about as you're doing your pentesting work is
00:09
in the interest of covering your tracks and confusing an investigator. You want to be able to perhaps modify
00:17
the attributes of the files they leave behind,
00:22
whether they are files that information have been gathering or whether it is a
00:28
a part of your tool kit
00:29
that you're using to interrogate the system.
00:33
So what I want to do first is go to
00:39
the, uh,
00:42
the folder where I have my files.
00:52
Second. See, I've got, in particular, I'm interested in this file here, tools.exe.
00:58
You notice it has a,
01:00
uh uh,
01:02
you know, date from a few days ago.
01:07
There's some other ah
01:08
files in the same directory and that you could try to use, um,
01:14
the timestomp command.
01:18
Run it with -h.
01:19
This lets me modify a lot of this information, so I can modify the last access time, modify the creation time, the last written file, the restaurant in time, which is a modification time, basically. I could also try to copy
01:34
the attributes of a file that already exists.
01:37
And I can even make these changes recursively. So if I wanted to change
01:42
an entire folder structure from a certain top folder all the way down, all the files inside there, I could do that. And there is the -b, the blank option, which will definitely confuse an
01:57
investigator because you're looking at that information, not understanding: why are these dates all wrong?
02:01
Why do these files not seem to match properly?
02:08
So what I can try to do, we'll see if this works, is, uh,
02:14
I want to see if I can copy
02:16
the attributes from desktop.ini.
02:23
Okay, uh, it can't find that file. I know what's in this directory.
02:34
Okay, there might be something
02:43
a little bit weird with this.
02:45
Okay, so that's not working, but that's that's fine. We can explore some of the other features.
02:50
One of the things I do want to see, though, is if I run timestomp
02:57
with the file that I'm interested in
02:59
with a -v,
03:01
I can see that it was modified. I can see when it was accessed and created and so on. So it gives me some good information to work with.
03:09
If I'm not able to copy an existing file, what I could do
03:14
is just
03:16
either modify these parameters directly.
03:21
So that way I can kind of blend in this tools.exe. Actually, I could make it look like it was created
03:25
in 2014 or 2013 or something.
03:31
Ah, one of the other options is just to blank it out.
03:38
Now, if I review the changes that were made,
03:42
we can see that
03:44
it just made the year 2106. It used to be 2016. It was an accurate date before,
03:50
but now it's 2106. So if you're the investigator and you were looking at this, you'd be hard pressed to figure out exactly what happened. Although this is a little bit of a
03:59
a blunt method because it's changing the file names, or rather the file attributes, in such a way that makes it obvious something strange is going on.
04:08
If you were to change this to blend into an
04:12
existing time stamp from an older file,
04:15
that would serve your purposes better.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor