Part 10 - Changing File Attributes with Timestomp

Video Activity

This lesson covers changing file attributes using timestomp. Participants learn how to change attributes of items they leave behind in order to confuse an investigator. By going to the folder where the files are kept and using the tools.exe file, participants use the timestomp command to change the files within.


Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription
00:03
Another thing to think about as you're doing your pen testing work, in the interests of covering your tracks and confusing an investigator, is that you want to be able to perhaps modify the attributes of the files that you leave behind, whether they are files that have information you've been gathering or whether it is a part of your toolkit that you're using to interrogate the system.

What I want to do first is go to the folder where I have my files. In particular, I'm interested in this file here, tools.exe. You notice it has a date from a few days ago. There are some other files in the same directory that you could try to use.

The timestomp command, I run it with a dash h. This lets me modify a lot of this information, so I can modify the last access time, modify the creation time, the last written time, which is the modification time basically. I can also try to copy the attributes of a file that already exists, and I can even make these changes recursively. If I wanted to change an entire folder structure from a certain top-level folder all the way down, all the files inside there, I could do that. There's even the dash b, the blank option, which will definitely confuse an investigator, because if you're looking at that information and not understanding: why are these dates all wrong? Why do these files not seem to match properly?

What I can try to do, and we'll see if this works, is I wanted to see if I can copy the attributes from desktop.ini. It says it can't find that following. I know it's in this directory. There might be something a little bit weird with this. That's not working, but that's fine. We can explore some of the other features.

One of the things I do want to see though, is if I run timestomp with the file that I'm interested in with a dash v, I can see that it was modified, I can see when it was accessed and created, and so on. It gives me some good information to work with. If I'm not able to copy an existing file, what I could do is just either modify these parameters directly, so that way I can blend in this tools.exe, I can make it look like it was created in 2014 or 2013 or something. One of the other options is just to blank it out.

Now if I review the changes that were made, we can see that it just made that the year 2106. It used to be 2016. It was an accurate date before. But now it's 2106. If you're the investigator and you're looking at this, you should be hard pressed to figure out exactly what happened. Although this is a little bit of a blunt method, because it's changing the file attributes in such a way that makes it obvious something strange is going on. If you were to change this to blend into an existing timestamp from an older file, then that would serve your purposes better.
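The flip side of the walkthrough above is what an examiner looks for afterwards. The following checker is an added example written for this page, not code from the course or from the timestomp tool. It runs over constructed NTFS-style metadata records (the field names and sample values are this example's own, not any parser's output format) and flags the traces the video's two approaches leave: the blank option's year 2106 on every value, and the "blend in" backdating, which still shows up because the times are set with whole-second granularity and because the kernel-maintained $FILE_NAME creation time is not changed along with the $STANDARD_INFORMATION values an API call can set.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Dict


# Hypothetical record shape (this example's own): the four $STANDARD_INFORMATION
# (SI) timestamps an MFT parser would report, plus the $FILE_NAME (FN) creation time.
@dataclass
class FileTimes:
    path: str
    si_modified: datetime
    si_accessed: datetime
    si_created: datetime
    si_entry_modified: datetime   # MFT entry change time
    fn_created: datetime          # $FILE_NAME creation time, kernel-maintained


# Review time for the constructed data: anything later than this is "in the future".
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
EARLIEST_PLAUSIBLE = datetime(1980, 1, 1, tzinfo=timezone.utc)


def check_file(ft: FileTimes, now: datetime = NOW) -> List[str]:
    """Return human-readable findings for one file (empty list = nothing odd)."""
    findings: List[str] = []
    si = {
        "modified": ft.si_modified,
        "accessed": ft.si_accessed,
        "created": ft.si_created,
        "entry-modified": ft.si_entry_modified,
    }
    # 1. Implausible years: the blank option in the video pushed the year to 2106;
    #    dates before the filesystem could have existed are equally suspect.
    for name, ts in si.items():
        if ts > now or ts < EARLIEST_PLAUSIBLE:
            findings.append(f"{name} time {ts.isoformat()} is outside the plausible range")
    # 2. A file cannot have been written before it existed.
    if ft.si_created > ft.si_modified:
        findings.append("created time is later than modified time")
    # 3. NTFS keeps 100-ns resolution; times set from a "date time" string land on
    #    whole seconds, and all four landing there at once is rare in normal use.
    if all(ts.microsecond == 0 for ts in si.values()):
        findings.append("all SI timestamps have a zero sub-second component")
    # 4. SI can be set through the Win32 file-time API, FN only by the kernel, so an
    #    SI creation time earlier than the FN one points to backdating.
    if ft.si_created < ft.fn_created:
        findings.append("SI created time predates FN created time")
    return findings


def _t(y, mo, d, h=0, mi=0, s=0, us=0) -> datetime:
    return datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)


# Constructed sample records (not data from any real system).
SAMPLES = [
    # A normal file: sub-second fractions present, consistent ordering, SI == FN.
    FileTimes("C:\\Users\\demo\\report.docx",
              si_modified=_t(2016, 5, 20, 10, 15, 3, 417233),
              si_accessed=_t(2016, 5, 21, 8, 2, 44, 902110),
              si_created=_t(2016, 5, 18, 9, 0, 12, 118004),
              si_entry_modified=_t(2016, 5, 20, 10, 15, 3, 417233),
              fn_created=_t(2016, 5, 18, 9, 0, 12, 118004)),
    # The video's "blank" result: year 2106 on every SI value, FN untouched.
    FileTimes("C:\\Users\\demo\\tools.exe",
              si_modified=_t(2106, 2, 7, 6, 28, 15),
              si_accessed=_t(2106, 2, 7, 6, 28, 15),
              si_created=_t(2106, 2, 7, 6, 28, 15),
              si_entry_modified=_t(2106, 2, 7, 6, 28, 15),
              fn_created=_t(2016, 5, 25, 14, 3, 9, 55012)),
    # The "blend in" variant: all SI values backdated to 2013 on whole seconds.
    FileTimes("C:\\Users\\demo\\other.exe",
              si_modified=_t(2013, 3, 4, 12, 0, 0),
              si_accessed=_t(2013, 3, 4, 12, 0, 0),
              si_created=_t(2013, 3, 4, 12, 0, 0),
              si_entry_modified=_t(2013, 3, 4, 12, 0, 0),
              fn_created=_t(2016, 5, 25, 14, 4, 1, 700321)),
]


def scan(records=SAMPLES) -> Dict[str, List[str]]:
    """Map each path to its findings, keeping only files with at least one."""
    result: Dict[str, List[str]] = {}
    for r in records:
        findings = check_file(r)
        if findings:
            result[r.path] = findings
    return result


if __name__ == "__main__":
    for path, findings in scan().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run as-is it reports nothing for report.docx, five findings for tools.exe (four out-of-range years plus the whole-second pattern) and two for other.exe (whole seconds, and SI creation earlier than FN creation). Heuristics 3 and 4 are the ones that catch the "blend in" approach the video recommends over blanking, so an examiner comparing SI against FN and looking at sub-second values is not fooled by a plausible-looking year alone.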