Timestomping

Timestomping Definition
Timestomping is a technique attackers use to change the timestamp information of files or folders on a computer. This can make malicious activity look older, newer, or consistent with legitimate system activity, helping hide anything suspicious. Because investigators often rely on timelines to understand security events, manipulating timestamps can make incidents harder to detect and analyze.
How Timestomping Works
Every file carries metadata that records when it was created, modified, and last accessed. These timestamps establish the sequence of events during normal system use, and investigators rely on them to reconstruct what happened on a system.
Timestomping happens when an attacker with access to the system deliberately changes one or more of these timestamps. This may involve changing the creation time, last modified time, or last accessed time of a file. The new dates are chosen to match legitimate system files or to point to a time before the attack occurred.
Once the timestamps are changed, the files no longer reflect their true history. This can delay detection and force forensic analysts to use other sources, such as logs or backups, to determine what really happened.
Risks of Timestomping
- Hides malicious activity: Helps attackers hide among legitimate system files, which may give them ongoing or long-term access to a system.
- Breaks forensic timelines: Makes harmful activity appear to have happened at a different time.
- Delays investigations: Forces analysts to spend more time verifying events, which can increase recovery time.
- Weakens audit accuracy: Creates confusion in records used for compliance or reporting.
FAQ
Most file systems record at least three key timestamps: when a file was created, when it was last modified, and when it was last accessed. An attacker can alter one or more of these values. In some environments, additional metadata may also be adjusted, depending on the tools used and the level of access gained.
Changing a file’s timestamp is not inherently illegal. However, using timestomping to hide unauthorized access, conceal malware, falsify records, or interfere with an investigation can be part of criminal activity. In legal and corporate investigations, manipulating timestamps to mislead others can carry serious consequences.
Investigators rarely rely on timestamps alone. They compare file dates with other sources of evidence, such as system event logs, security alerts, backups, registry entries, or network records. When those sources tell conflicting stories, it can indicate that timestamps were modified. Modern forensic tools are designed to spot these inconsistencies and highlight signs of tampering.
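The cross-source check described above, as an added example that is not part of the original page: file timestamps are compared against an independent file-activity log, and any file whose recorded creation or modification time predates the logged event for that file is flagged. The file metadata, the log lines and the path names are constructed for the example.

```python
"""Flag files whose recorded timestamps disagree with an independent event log."""
from datetime import datetime, timezone

# Constructed sample: file metadata as an investigator might export it
# (creation and modification times in UTC). 'dropper.dll' has been
# timestomped to resemble a 2019 system file; 'notes.txt' is untouched.
FILES = {
    r"C:\Windows\System32\dropper.dll": {
        "created": "2019-03-12T08:00:00Z", "modified": "2019-03-12T08:00:00Z"},
    r"C:\Users\alice\notes.txt": {
        "created": "2024-05-01T09:15:22Z", "modified": "2024-05-03T16:40:05Z"},
}

# Constructed log lines from an independent source (for example an EDR
# file-activity log): "<timestamp> <action> <path>".
LOG = [
    "2024-06-10T02:13:44Z FILE_CREATE C:\\Windows\\System32\\dropper.dll",
    "2024-06-10T02:13:45Z FILE_WRITE C:\\Windows\\System32\\dropper.dll",
    "2024-05-01T09:15:22Z FILE_CREATE C:\\Users\\alice\\notes.txt",
    "2024-05-03T16:40:05Z FILE_WRITE C:\\Users\\alice\\notes.txt",
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-06-10T02:13:44Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(lines):
    """Group log events by path: {path: [(time, action), ...]}."""
    events = {}
    for line in lines:
        ts, action, path = line.split(" ", 2)
        events.setdefault(path, []).append((parse_ts(ts), action))
    return events


def find_inconsistencies(files, log_lines):
    """Return {path: [reasons]} for files whose timestamps conflict with the log.

    A file cannot have been created or modified before the log first saw it
    created or written, so an earlier filesystem timestamp is a sign of tampering.
    """
    events = parse_log(log_lines)
    findings = {}
    for path, meta in files.items():
        created, modified = parse_ts(meta["created"]), parse_ts(meta["modified"])
        reasons = []
        for ts, action in events.get(path, []):
            if action == "FILE_CREATE" and created < ts:
                reasons.append(f"created {created:%Y-%m-%d} predates logged create {ts:%Y-%m-%d}")
            if action == "FILE_WRITE" and modified < ts:
                reasons.append(f"modified {modified:%Y-%m-%d} predates logged write {ts:%Y-%m-%d}")
        if reasons:
            findings[path] = reasons
    return findings
```

Only files with a conflicting record are returned; a file whose timestamps match the log, like `notes.txt` here, produces no finding.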
