Hunting for Defense Evasion via Timestomping

Detect timestamp manipulation by analyzing NTFS MFT entries for discrepancies between $STANDARD_INFORMATION and $FILE_NAME attributes.

When to Use

• Investigating suspected anti-forensic activity where an adversary may have altered file timestamps to blend malware into legitimate directories
• Threat hunting for defense evasion (MITRE ATT&CK T1070.006) across compromised Windows systems
• Validating timeline integrity during forensic examinations of disk images or live acquisitions
• Triaging suspicious files that appear to have creation dates older than the OS installation or inconsistent with known deployment timelines
• Detecting tools like Timestomp (Metasploit), NTimeStomp, SetMACE, or PowerShell Set-ItemProperty used to alter timestamps
• Building automated detection pipelines that flag temporal anomalies in MFT data for SOC analysts

Do not use as the sole detection method; advanced adversaries can manipulate both $STANDARD_INFORMATION and $FILE_NAME timestamps (though the latter requires raw disk access and is much harder). Combine with USN Journal, $LogFile, and ShimCache/Amcache analysis for corroboration.

Prerequisites

• Raw $MFT file extracted from a Windows system (via FTK Imager, KAPE, or live extraction)