NTFS Timestamps and Timestomping: Catching Anti-Forensics in the Act
NTFS stores two independent timestamp sets per file. Attackers modify one but rarely both, and the discrepancy between $STANDARD_INFORMATION and $FILE_NAME is the most reliable timestomping indicator available to IR teams.
By Arjun Raghavan, Security & Systems Lead, BIPI · October 20, 2024 · 9 min read
Every file on an NTFS volume carries two sets of MACB timestamps: one in the $STANDARD_INFORMATION attribute and one in the $FILE_NAME attribute. Both record Modified, Accessed, Changed ($MFT entry changed), and Born (created) times. The critical forensic insight is that $STANDARD_INFORMATION timestamps are writable by any process with normal file access rights, but $FILE_NAME timestamps are written exclusively by the NTFS kernel driver during directory operations. Timestomping tools target $STANDARD_INFORMATION. They cannot touch $FILE_NAME without kernel-level code.
The MACB Timestamp Model
- Modified (M): last time the file's data content was changed
- Accessed (A): last time the file was read or executed (last-access updates are often disabled on production systems for performance, so this value may be stale)
- Changed (C): last time the MFT record itself was modified (attribute add, security change, rename)
- Born (B): file creation time, set once and rarely updated legitimately
Forensic tools like Autopsy, FTK Imager, and MFTECmd display both $STANDARD_INFORMATION and $FILE_NAME timestamp sets when parsing the $MFT. The default view in most tools shows only the $STANDARD_INFORMATION set, which is why timestomping goes undetected when examiners rely on Explorer or basic file listings.
Detecting Timestomping: The Key Indicators
The primary detection method is comparing each $STANDARD_INFORMATION timestamp to its $FILE_NAME counterpart (Born against Born, Modified against Modified, and so on). A gap of more than one second in the Born time between the two attributes is highly suspicious, because the NTFS driver copies the $STANDARD_INFORMATION values into $FILE_NAME at creation time. Any later modification of $STANDARD_INFORMATION will diverge from the kernel-written $FILE_NAME values.
- Parse the $MFT with MFTECmd.exe: MFTECmd.exe -f '$MFT' --csv C:\output\ --csvf mft.csv
- In Timeline Explorer, enable both SI and FN timestamp columns
- Sort by SI_Created and filter where SI_Created differs from FN_Created by more than 2 seconds
- Flag any file where SI Born is earlier than FN Born (impossible under normal NTFS operation)
- Cross-reference flagged files against $UsnJrnl for the same MFT entry number
Nanosecond Precision Tells
NTFS timestamps have 100-nanosecond resolution. Legitimate file system operations produce timestamps with non-zero sub-second components. Many timestomping tools set timestamps by calling SetFileTime() with a value constructed from a SYSTEMTIME structure, which has only one-second resolution. The result is a timestamp whose fractional-second component is exactly zero, for example 2024-03-15 09:32:00.0000000. A file with a round-second timestamp in $STANDARD_INFORMATION but a sub-second timestamp in $FILE_NAME is a reliable timestomping signal.
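The following script, added here as an example rather than code from the article or from MFTECmd, applies the SI-versus-FN Born checks from the detection steps above together with the round-second tell from this section to MFTECmd CSV output. It assumes MFTECmd's Created0x10 ($STANDARD_INFORMATION) and Created0x30 ($FILE_NAME) column names and its seven-digit fractional timestamp format; the three sample rows are constructed, not real case data.

```python
import csv
import io
from datetime import datetime

# Assumed MFTECmd CSV column names: 0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME.
SI_BORN, FN_BORN = "Created0x10", "Created0x30"

# Constructed sample rows (not real case data), in the 7-digit fractional format.
SAMPLE_CSV = """EntryNumber,FileName,Created0x10,Created0x30
1001,report.docx,2024-03-15 09:32:17.4412870,2024-03-15 09:32:17.4412870
1002,svchost.exe,2019-07-22 04:11:00.0000000,2024-03-15 09:40:12.1173950
1003,notes.txt,2024-03-15 09:45:02.0000000,2024-03-15 09:45:00.2231000
"""


def parse_ntfs_ts(value):
    """Return (datetime, 100ns fraction). %f takes at most 6 digits, so trim the 7th."""
    base, frac = value.rsplit(".", 1)
    return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f"), int(frac)


def find_timestomping_candidates(csv_text, gap_seconds=2):
    """Apply the SI-vs-FN Born checks to each $MFT row and return flagged entries."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si, si_frac = parse_ntfs_ts(row[SI_BORN])
        fn, fn_frac = parse_ntfs_ts(row[FN_BORN])
        reasons = []
        if si < fn:
            # The kernel copies SI into FN at creation, so SI never legitimately precedes FN.
            reasons.append("SI Born earlier than FN Born")
        elif (si - fn).total_seconds() > gap_seconds:
            reasons.append(f"SI/FN Born gap > {gap_seconds}s")
        if si_frac == 0 and fn_frac != 0:
            # Round-second SI beside a sub-second FN: the SetFileTime()/SYSTEMTIME tell.
            reasons.append("round-second SI Born with sub-second FN Born")
        if reasons:
            findings.append((int(row["EntryNumber"]), row["FileName"], reasons))
    return findings


if __name__ == "__main__":
    for entry, name, reasons in find_timestomping_candidates(SAMPLE_CSV):
        print(f"MFT entry {entry} ({name}): {'; '.join(reasons)}")
```

Entry 1003 sits inside the two-second gap threshold and is caught only by the round-second check, which is why the two indicators are worth running together.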
$LogFile Correlation
The NTFS $LogFile records attribute updates as redo/undo operations. An examiner who sees a suspicious timestamp in $STANDARD_INFORMATION can look for a corresponding $LogFile record showing the SetFileInformation transaction. The LSN (Log Sequence Number) in the MFT record's update sequence correlates with $LogFile entries, providing an independent audit of when the $STANDARD_INFORMATION attribute was last written.
Anti-Timestomping Tools and Their Limitations
- timestomp.exe: sets $STANDARD_INFORMATION timestamps via SetFileTime(); cannot touch $FILE_NAME
- Metasploit timestomp post module: same Windows API approach, same limitation
- touch (Cygwin/WSL): uses POSIX utime(); affects $STANDARD_INFORMATION only
- PowerShell [System.IO.File]::SetLastWriteTime: single-timestamp modification, easy to spot
- Kernel-mode drivers: theoretically can modify $FILE_NAME but require code signing and are rare in commodity malware
Building a Timestomping Timeline
When you identify a timestomped file, reconstruct the true activity sequence. The $FILE_NAME Born timestamp gives you when the file was actually created. The USN Journal FILE_CREATE record corroborates this with an independent timestamp. The $STANDARD_INFORMATION Modified timestamp tells you when the attacker ran the timestomping tool. And the Prefetch file for the timestomping binary confirms its execution. These four independent sources converge to tell the complete story.
The moment you find a file where $STANDARD_INFORMATION Born is earlier than $FILE_NAME Born, you have evidence of temporal manipulation. The kernel does not lie: $FILE_NAME timestamps are ground truth.