Changing timestamps in ntfs with timestomp
With timestomp you can change the STANDARD_INFORMATION attribute of a file; that's where most applications look for the file's dates.
> nfi C:\ntfs.txt
NTFS File Sector Information Utility.
Copyright (C) Microsoft Corporation 1999. All rights reserved.
\ntfs.txt
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
$OBJECT_ID (resident)
$DATA (nonresident)
logical sectors 3356840-3356871 (0x3338a8-0x3338c7)
> nfi C: 3356840
NTFS File Sector Information Utility.
Copyright (C) Microsoft Corporation 1999. All rights reserved.
***Logical sector 3356840 (0x3338a8) on drive C is in file number 43249.
\ntfs.txt
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
$OBJECT_ID (resident)
$DATA (nonresident)
logical sectors 3356840-3356871 (0x3338a8-0x3338c7)
> ntfsinfo -d /dev/hda3 -i 43249
Failed to set locale, using default '(null)'.
Dumping $STANDARD_INFORMATION (0x10)
Size of STANDARD_INFORMATION is 76. It should be either 72 or 48, something is wrong...
Dumping $FILE_NAME (0x30)
File Name: ntfs.txt
File Name Length: 8
Allocated File Size: 0
Real File Size: 0
File Creation Time: Fri May 23 20:53:43 2008
File Altered Time: Fri May 23 20:53:43 2008
MFT Changed Time: Fri May 23 20:53:43 2008
Last Accessed Time: Fri May 23 20:53:43 2008
Dumping $OBJECT_ID (0x40)
Volume Version > 3.0... Dumping Attributes
> timestomp.exe C:\ntfs.txt -v
Modified: Friday 23/4/2008 14:34:56
Accessed: Friday 23/4/2008 14:34:56
Created: Friday 23/4/2008 14:34:56
Entry Modified: Friday 23/4/2008 14:34:56
> timestomp.exe C:\ntfs.txt -z "Saturday 10/08/2005 2:34:56 PM"
> timestomp.exe C:\ntfs.txt -v
Modified: Saturday 10/8/2005 14:34:56
Accessed: Saturday 10/8/2005 14:34:56
Created: Saturday 10/8/2005 14:34:56
Entry Modified: Saturday 10/8/2005 14:34:56
Things you can't change with timestomp
But nothing is perfect: you can't change the contents of the FILE_NAME attribute with timestomp, so its timestamps still show the original dates.
> ntfsinfo -d /dev/hda3 -i 43249
Failed to set locale, using default '(null)'.
Dumping $STANDARD_INFORMATION (0x10)
Size of STANDARD_INFORMATION is 76. It should be either 72 or 48, something is wrong...
Dumping $FILE_NAME (0x30)
File Name: ntfs.txt
File Name Length: 8
Allocated File Size: 0
Real File Size: 0
File Creation Time: Fri May 23 20:53:43 2008
File Altered Time: Fri May 23 20:53:43 2008
MFT Changed Time: Fri May 23 20:53:43 2008
Last Accessed Time: Fri May 23 20:53:43 2008
Dumping $OBJECT_ID (0x40)
Volume Version > 3.0... Dumping Attributes
But in fact, FILE_NAME information can be changed indirectly, because of the way NTFS keeps timestamps consistent:
1) Create a file on a partition and change its timestamps.
2) Move that file to another folder on the same partition; the STANDARD_INFORMATION timestamp values (MACE) are copied to the FILE_NAME MACE values.
I don't really find a reason why Microsoft has implemented consistency this way, but it definitely beats any forensics done on timestamps.
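As an added example (not code from the original post and not part of timestomp), here is a small Python checker for the inconsistency the post is built on: timestomp rewrites $STANDARD_INFORMATION in place, while $FILE_NAME is written by the NTFS driver and only refreshed on rename or move. The script parses a raw 1024-byte MFT record in the standard NTFS 3.x layout (the record below is constructed with struct.pack as a stand-in for one read from a volume), compares the creation time in the two attributes, and also flags $STANDARD_INFORMATION timestamps whose 100-ns fraction is exactly zero, since timestomp's date strings carry only whole seconds. Both checks are heuristics: after the move described above, $FILE_NAME carries the forged values too, so the comparison goes quiet and only the zero-fraction check remains; conversely, copied files legitimately have an older modified time in $STANDARD_INFORMATION than in $FILE_NAME (which is why only creation times are compared), and files whose times came from FAT media or archives also show zero fractions.

```python
"""Flag timestomp-style inconsistencies between $STANDARD_INFORMATION and $FILE_NAME.
Added example; the MFT record used below is constructed, not read from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)              # FILETIME epoch
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
FIELDS = ("created", "modified", "mft_modified", "accessed")  # on-disk order of the MACE times


def filetime_from_datetime(dt, fraction=0):
    """Whole seconds since 1601 as 100-ns ticks, plus an explicit sub-second part."""
    return ((dt - EPOCH) // timedelta(seconds=1)) * 10_000_000 + fraction


def filetime_to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(record):
    """Restore the last two bytes of each 512-byte sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * 512
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or not an MFT record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record):
    """Return {'si': {...}, 'fn': {...}} holding the raw FILETIME value of each MACE field."""
    if record[:4] != b"FILE":
        raise ValueError("bad MFT record signature")
    record = apply_fixups(record)
    offset = struct.unpack_from("<H", record, 20)[0]            # offset of first attribute
    out = {}
    while offset + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, offset)
        if atype == END_MARKER or alen == 0:
            break
        if record[offset + 8] == 0:                             # resident attribute
            clen, coff = struct.unpack_from("<IH", record, offset + 16)
            content = record[offset + coff:offset + coff + clen]
            if atype == STANDARD_INFORMATION:                   # four times at content offset 0
                out["si"] = dict(zip(FIELDS, struct.unpack_from("<4Q", content, 0)))
            elif atype == FILE_NAME:                            # four times after the 8-byte parent ref
                out["fn"] = dict(zip(FIELDS, struct.unpack_from("<4Q", content, 8)))
        offset += alen
    return out


def timestomp_indicators(parsed):
    """Heuristics: only creation times are compared (copies legitimately have an older
    SI modified time), and zero fractions also occur for times set from FAT or archives."""
    si, fn = parsed["si"], parsed["fn"]
    findings = []
    if si["created"] < fn["created"]:
        findings.append("created: $STANDARD_INFORMATION is earlier than $FILE_NAME")
    for f in FIELDS:
        if si[f] % 10_000_000 == 0:
            findings.append(f"{f}: $STANDARD_INFORMATION has a zero sub-second fraction")
    return findings


# --- constructed sample record (assumed layout: NTFS 3.x, 1024-byte records) ---------
def _attr(atype, content):
    padded = content + b"\0" * (-len(content) % 8)              # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, 24 + len(padded), 0, 0, 24, 0, 0,
                      len(content), 24, 0, 0)
    return hdr + padded


def build_record(si_times, fn_times, name="ntfs.txt", record_no=43249):
    """Build a 1024-byte MFT record with resident $STANDARD_INFORMATION and $FILE_NAME."""
    si = struct.pack("<4Q", *si_times) + b"\0" * 40            # 72-byte SI body
    fn = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, *fn_times, 0, 0, 0, 0,
                     len(name), 3) + name.encode("utf-16-le")  # parent = root directory (MFT 5)
    body = _attr(STANDARD_INFORMATION, si) + _attr(FILE_NAME, fn) + struct.pack("<I", END_MARKER)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1,
                      56 + len(body), 1024, 0, 2, 0, record_no)
    rec = bytearray(hdr + b"\x01\x00" + b"\0" * 6 + body)        # USN=1, two USA slots, pad to 56
    rec += b"\0" * (1024 - len(rec))
    for i in (1, 2):                                             # apply fixups as the driver would
        end = i * 512
        rec[48 + 2 * i:50 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)


GENUINE = filetime_from_datetime(datetime(2008, 5, 23, 20, 53, 43, tzinfo=timezone.utc), 1234567)
BACKDATED = filetime_from_datetime(datetime(2005, 10, 8, 14, 34, 56, tzinfo=timezone.utc))
STOMPED_RECORD = build_record([BACKDATED] * 4, [GENUINE] * 4)   # SI forged, FN untouched
CLEAN_RECORD = build_record([GENUINE] * 4, [GENUINE] * 4)

if __name__ == "__main__":
    for label, rec in (("stomped", STOMPED_RECORD), ("clean", CLEAN_RECORD)):
        parsed = parse_record(rec)
        print(label, filetime_to_datetime(parsed["si"]["created"]), timestomp_indicators(parsed))
```

To use it on real data, replace the constructed record with 1024 bytes read from $MFT at the entry number nfi reported; the fixup check in apply_fixups will reject anything that is not an intact record.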
Software
