threat hunting

Hunting for Defense Evasion via Timestomping

Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps in the MFT. Uses analyzeMFT and Python to identify files with anomalous temporal patterns indicating anti-forensic timestomping activity.

defense-evasionmft-analysisntfs-forensicstimestomping
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Detect timestamp manipulation by analyzing NTFS MFT entries for discrepancies between $STANDARD_INFORMATION and $FILE_NAME attributes.

When to Use

  • Investigating suspected anti-forensic activity where an adversary may have altered file timestamps to blend malware into legitimate directories
  • Threat hunting for defense evasion (MITRE ATT&CK T1070.006) across compromised Windows systems
  • Validating timeline integrity during forensic examinations of disk images or live acquisitions
  • Triaging suspicious files that appear to have creation dates older than the OS installation or inconsistent with known deployment timelines
  • Detecting tools like Timestomp (Metasploit), NTimeStomp, SetMACE, or PowerShell Set-ItemProperty used to alter timestamps
  • Building automated detection pipelines that flag temporal anomalies in MFT data for SOC analysts

Do not use as the sole detection method; advanced adversaries can manipulate both $STANDARD_INFORMATION and $FILE_NAME timestamps (though the latter requires raw disk access and is much harder). Combine with USN Journal, $LogFile, and ShimCache/Amcache analysis for corroboration.

Prerequisites

  • Raw $MFT file extracted from a Windows system (via FTK Imager, KAPE, or live extraction)
  • MFTECmd (Eric Zimmerman tool) or analyzeMFT for MFT parsing
  • Python 3.8+ with pandas for analysis
  • Optional: mft Python library (pip install mft) for programmatic MFT parsing
  • Optional: KAPE (Kroll Artifact Parser and Extractor) for automated artifact collection
  • Timeline Explorer or Excel for visual analysis of parsed MFT output

Workflow

Step 1: Extract the $MFT from a Live System or Disk Image

# Method 1: Using KAPE to collect MFT and related artifacts
.\kape.exe --tsource C: --tdest D:\Evidence\MFT_Collection --target !SANS_Triage
 
# Method 2: Using FTK Imager CLI to extract $MFT
ftkimager.exe \\.\C: D:\Evidence\mft_raw.bin --e01 --include $MFT
 
# Method 3: Raw copy using RawCopy (handles locked NTFS system files)
RawCopy.exe /FileNamePath:C:0 /OutputPath:D:\Evidence\ /OutputName:$MFT
# Method 4: On a mounted forensic image in Linux
sudo mount -o ro,norecovery /dev/sdb1 /mnt/evidence
sudo icat -o 2048 /dev/sdb 0 > /mnt/output/$MFT
 
# Method 5: Using sleuthkit to extract MFT from disk image
icat -o 2048 evidence.E01 0 > extracted_MFT

Step 2: Parse the MFT with MFTECmd

Use Eric Zimmerman's MFTECmd to produce a CSV with both $STANDARD_INFORMATION and $FILE_NAME timestamps:

# Parse MFT to CSV with all timestamp columns
MFTECmd.exe -f "D:\Evidence\$MFT" --csv D:\Evidence\Parsed\ --csvf mft_parsed.csv
 
# The output CSV contains these critical columns:
# Created0x10         - $STANDARD_INFORMATION Created timestamp
# LastModified0x10    - $STANDARD_INFORMATION Modified timestamp
# LastAccess0x10      - $STANDARD_INFORMATION Accessed timestamp
# LastRecordChange0x10 - $STANDARD_INFORMATION Entry Modified timestamp
# Created0x30         - $FILE_NAME Created timestamp
# LastModified0x30    - $FILE_NAME Modified timestamp
# LastAccess0x30      - $FILE_NAME Accessed timestamp
# LastRecordChange0x30 - $FILE_NAME Entry Modified timestamp

Step 3: Detect Timestomping via SI vs FN Comparison

The core detection: $STANDARD_INFORMATION timestamps are easily modified by user-mode tools, but $FILE_NAME timestamps are updated only by the NTFS driver (kernel-mode). When SI timestamps are OLDER than FN timestamps, timestomping is likely:

import pandas as pd
from datetime import datetime, timedelta
 
def load_mft_data(csv_path):
    """Load MFTECmd parsed CSV output."""
    df = pd.read_csv(csv_path, low_memory=False)
 
    # Parse timestamp columns
    timestamp_cols = [
        "Created0x10", "LastModified0x10", "LastAccess0x10", "LastRecordChange0x10",
        "Created0x30", "LastModified0x30", "LastAccess0x30", "LastRecordChange0x30"
    ]
 
    for col in timestamp_cols:
        if col in df.columns:
            df[col] = pd.to_datetime(df[col], errors="coerce")
 
    return df
 
def detect_timestomping(df):
    """Detect timestamp manipulation by comparing SI and FN attributes.
 
    Key indicators:
    1. SI Created < FN Created (SI timestamp pushed back in time)
    2. SI timestamps have nanoseconds = 0000000 (tool artifact)
    3. SI Created < FN Entry Modified (impossible under normal NTFS behavior)
    4. Large gap between SI and FN timestamps
    """
    results = []
 
    for idx, row in df.iterrows():
        si_created = row.get("Created0x10")
        fn_created = row.get("Created0x30")
        si_modified = row.get("LastModified0x10")
        fn_modified = row.get("LastModified0x30")
        si_entry = row.get("LastRecordChange0x10")
        fn_entry = row.get("LastRecordChange0x30")
 
        if pd.isna(si_created) or pd.isna(fn_created):
            continue
 
        filepath = row.get("FileName", "unknown")
        parent_path = row.get("ParentPath", "")
        full_path = f"{parent_path}\\{filepath}" if parent_path else filepath
        indicators = []
 
        # Detection 1: SI Created is BEFORE FN Created
        # Under normal NTFS operations, SI Created >= FN Created
        if si_created < fn_created:
            delta = fn_created - si_created
            indicators.append({
                "check": "SI_Created < FN_Created",
                "si_value": str(si_created),
                "fn_value": str(fn_created),
                "delta": str(delta),
                "confidence": "high"
            })
 
        # Detection 2: SI Modified is BEFORE FN Created
        # A file cannot be modified before it was created
        if pd.notna(si_modified) and si_modified < fn_created:
            indicators.append({
                "check": "SI_Modified < FN_Created",
                "si_value": str(si_modified),
                "fn_value": str(fn_created),
                "confidence": "high"
            })
 
        # Detection 3: Nanosecond precision check
        # Many timestomping tools set timestamps with zero nanoseconds
        if pd.notna(si_created):
            si_created_str = str(si_created)
            if ".000000" in si_created_str or si_created_str.endswith("00:00:00"):
                # Check if FN has normal nanosecond precision
                fn_str = str(fn_created)
                if ".000000" not in fn_str:
                    indicators.append({
                        "check": "SI_nanoseconds_zeroed",
                        "si_value": si_created_str,
                        "fn_value": fn_str,
                        "confidence": "medium"
                    })
 
        # Detection 4: Large time gap between SI and FN
        # Normal gap is seconds to minutes, not years
        if abs((si_created - fn_created).days) > 365:
            indicators.append({
                "check": "SI_FN_gap_exceeds_1_year",
                "si_value": str(si_created),
                "fn_value": str(fn_created),
                "delta_days": abs((si_created - fn_created).days),
                "confidence": "high"
            })
 
        # Detection 5: SI Entry Modified much later than SI Created
        # Indicates the SI attribute was rewritten
        if pd.notna(si_entry) and pd.notna(si_created):
            entry_delta = si_entry - si_created
            if entry_delta.days > 365 * 5:  # Entry modified years after creation
                indicators.append({
                    "check": "SI_entry_modified_years_after_creation",
                    "si_created": str(si_created),
                    "si_entry_modified": str(si_entry),
                    "confidence": "medium"
                })
 
        if indicators:
            results.append({
                "file_path": full_path,
                "entry_number": row.get("EntryNumber", ""),
                "in_use": row.get("InUse", True),
                "si_created": str(si_created),
                "fn_created": str(fn_created),
                "indicators": indicators,
                "highest_confidence": max(i["confidence"] for i in indicators),
            })
 
    return results
 
# Run detection
df = load_mft_data("D:\\Evidence\\Parsed\\mft_parsed.csv")
stomped_files = detect_timestomping(df)
 
print(f"\nTimestomping Detection Results")
print(f"{'='*60}")
print(f"Total MFT entries analyzed: {len(df)}")
print(f"Suspicious entries found: {len(stomped_files)}")
print()
 
for entry in sorted(stomped_files, key=lambda x: x["highest_confidence"], reverse=True):
    print(f"[{entry['highest_confidence'].upper()}] {entry['file_path']}")
    print(f"  SI Created: {entry['si_created']}")
    print(f"  FN Created: {entry['fn_created']}")
    for ind in entry["indicators"]:
        print(f"  Check: {ind['check']} (confidence: {ind['confidence']})")
    print()

Step 4: Corroborate with USN Journal Analysis

The USN Journal records metadata change events that persist even after timestomping:

def correlate_with_usn_journal(stomped_files, usn_csv_path):
    """Cross-reference timestomped files with USN Journal entries.
 
    The USN Journal records a BASIC_INFO_CHANGE reason when timestamps
    are modified, providing corroborating evidence of timestomping.
    """
    usn_df = pd.read_csv(usn_csv_path, low_memory=False)
    usn_df["UpdateTimestamp"] = pd.to_datetime(usn_df["UpdateTimestamp"], errors="coerce")
 
    corroborated = []
    for entry in stomped_files:
        filename = entry["file_path"].split("\\")[-1]
 
        # Find USN entries for this file with BASIC_INFO_CHANGE
        usn_matches = usn_df[
            (usn_df["Name"] == filename) &
            (usn_df["UpdateReasons"].str.contains("BASIC_INFO_CHANGE", na=False))
        ]
 
        if not usn_matches.empty:
            entry["usn_corroboration"] = True
            entry["usn_change_times"] = usn_matches["UpdateTimestamp"].tolist()
            entry["highest_confidence"] = "critical"
            corroborated.append(entry)
            print(f"[CORROBORATED] {filename} - USN Journal confirms "
                  f"BASIC_INFO_CHANGE at {usn_matches['UpdateTimestamp'].iloc[0]}")
 
    return corroborated
 
# Parse USN Journal (use MFTECmd or ANJP)
# MFTECmd.exe -f "$J" --csv D:\Evidence\Parsed\ --csvf usn_parsed.csv

Step 5: Check ShimCache and Amcache for Timeline Validation

def check_shimcache_timeline(stomped_files, shimcache_csv):
    """Validate timestamps against ShimCache (AppCompatCache) entries.
 
    ShimCache records the last modification time of executables
    independently of NTFS timestamps, providing another corroboration point.
    """
    shim_df = pd.read_csv(shimcache_csv, low_memory=False)
    shim_df["LastModifiedTimeUTC"] = pd.to_datetime(
        shim_df["LastModifiedTimeUTC"], errors="coerce"
    )
 
    for entry in stomped_files:
        filepath = entry["file_path"]
        shim_match = shim_df[
            shim_df["Path"].str.lower() == filepath.lower()
        ]
 
        if not shim_match.empty:
            shim_time = shim_match["LastModifiedTimeUTC"].iloc[0]
            si_modified = pd.to_datetime(entry.get("si_created"))
 
            if pd.notna(shim_time) and pd.notna(si_modified):
                delta = abs((shim_time - si_modified).days)
                if delta > 30:
                    entry["shimcache_mismatch"] = True
                    entry["shimcache_time"] = str(shim_time)
                    print(f"[SHIMCACHE MISMATCH] {filepath}")
                    print(f"  SI timestamp: {si_modified}")
                    print(f"  ShimCache timestamp: {shim_time}")
                    print(f"  Delta: {delta} days")
 
    return stomped_files

Step 6: Generate a Timestomping Detection Report

import json
 
def generate_report(stomped_files, output_path):
    """Generate a structured JSON report of all timestomping detections."""
    report = {
        "report_title": "Timestomping Detection Analysis",
        "generated_at": datetime.utcnow().isoformat() + "Z",
        "mitre_technique": "T1070.006 - Indicator Removal: Timestomp",
        "total_suspicious_files": len(stomped_files),
        "critical_findings": len([f for f in stomped_files if f["highest_confidence"] == "critical"]),
        "high_findings": len([f for f in stomped_files if f["highest_confidence"] == "high"]),
        "medium_findings": len([f for f in stomped_files if f["highest_confidence"] == "medium"]),
        "findings": stomped_files,
    }
 
    with open(output_path, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"Report written to {output_path}")
    print(f"  Critical: {report['critical_findings']}")
    print(f"  High: {report['high_findings']}")
    print(f"  Medium: {report['medium_findings']}")
 
generate_report(stomped_files, "D:\\Evidence\\timestomping_report.json")

Verification

  • Confirm MFTECmd parses the $MFT without errors and produces both 0x10 (SI) and 0x30 (FN) timestamp columns
  • Create a test file and use a timestomping tool (e.g., NTimeStomp) in a lab to verify the detection logic catches the manipulation
  • Validate that the nanosecond-zeroed check does not produce excessive false positives on files created by installers that legitimately set timestamps
  • Cross-reference flagged files with the USN Journal to confirm BASIC_INFO_CHANGE events exist at the expected times
  • Verify ShimCache and Amcache timestamps provide independent corroboration of timeline inconsistencies
  • Test against known-clean system images to establish a false-positive baseline (some backup/imaging software legitimately resets timestamps)
  • Confirm the detection pipeline correctly handles deleted MFT entries (InUse=false) which may contain evidence of timestomped files that were later removed
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.9 KB

API Reference: Hunting for Timestomping (T1070.006)

NTFS Timestamp Attributes

Attribute Modifiable By Updated On
$STANDARD_INFORMATION User-level APIs (SetFileTime) Create, modify, access, MFT change
$FILE_NAME Windows kernel only File create, rename, move

Detection Logic

Indicator Description
SI < FN Created $SI creation before $FN creation (most reliable)
Zero nanoseconds .0000000 in timestamp (tool artifacts)
Future timestamp Date beyond current time
Pre-OS timestamp $SI before OS install but $FN after
Round seconds No fractional seconds (unusual for NTFS)

analyzeMFT (Python)

pip install analyzemft
 
# Parse MFT to CSV
analyzeMFT.py -f /path/to/$MFT -o mft_output.csv
 
# With body file output (for timeline)
analyzeMFT.py -f $MFT -o mft.csv -b body.txt

MFTECmd (Eric Zimmerman)

# Parse MFT to CSV
MFTECmd.exe -f C:\evidence\$MFT --csv C:\output\
 
# With $J (USN Journal)
MFTECmd.exe -f $MFT --csv output\ --json output\

CSV Columns

Column Description
Record Number MFT entry number
Filename File name
SI Created/Modified/Accessed $STANDARD_INFORMATION timestamps
FN Created/Modified/Accessed $FILE_NAME timestamps
In Use Active record flag

USN Journal Analysis

# Parse USN Journal for corroboration
MFTECmd.exe -f $J --csv output\
 
# fsutil on live system
fsutil usn readjournal C: csv > usn_journal.csv

Timestomping Tools (for detection awareness)

Tool Method
timestomp (Metasploit) SetFileTime API
PowerShell Set-ItemProperty .NET DateTime
NirSoft BulkFileChanger Batch timestamp edit
$STANDARD_INFORMATION patch Direct MFT edit

MITRE ATT&CK

  • T1070.006 - Indicator Removal: Timestomp
  • Tactic: Defense Evasion
  • Platforms: Windows

Scripts 1

agent.py8.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Timestomping detection agent for NTFS MFT analysis.

Detects MITRE T1070.006 (Timestomping) by comparing $STANDARD_INFORMATION
and $FILE_NAME timestamps in NTFS Master File Table entries. Identifies
anomalous nanosecond patterns and temporal inconsistencies.
"""

import argparse
import csv
import json
import os
import re
import sys
import datetime


TIMESTOMP_INDICATORS = {
    "zero_nanoseconds": "Nanosecond field is exactly 0000000 (common in timestomping tools)",
    "si_before_fn": "$STANDARD_INFORMATION created before $FILE_NAME created",
    "future_timestamp": "Timestamp is in the future",
    "pre_os_timestamp": "Timestamp predates the operating system install",
    "round_seconds": "Timestamp has perfectly round seconds (no fractional component)",
}


def parse_mft_csv(csv_path):
    """Parse analyzeMFT CSV output for timestamp analysis."""
    entries = []
    try:
        with open(csv_path, "r", encoding="utf-8", errors="replace") as f:
            reader = csv.DictReader(f)
            for row in reader:
                entry = {
                    "record_number": row.get("Record Number", ""),
                    "filename": row.get("Filename", row.get("Good", "")),
                    "si_created": row.get("SI Created", row.get("STD_INFO Creation date", "")),
                    "si_modified": row.get("SI Modified", row.get("STD_INFO Modification date", "")),
                    "si_accessed": row.get("SI Accessed", row.get("STD_INFO Access date", "")),
                    "si_entry_modified": row.get("SI Entry Modified", row.get("STD_INFO Entry date", "")),
                    "fn_created": row.get("FN Created", row.get("FN Creation date", "")),
                    "fn_modified": row.get("FN Modified", row.get("FN Modification date", "")),
                    "fn_accessed": row.get("FN Accessed", row.get("FN Access date", "")),
                    "fn_entry_modified": row.get("FN Entry Modified", row.get("FN Entry date", "")),
                    "in_use": row.get("Active", row.get("In Use", "")).lower() in ("true", "1", "yes"),
                }
                if entry["filename"]:
                    entries.append(entry)
    except FileNotFoundError:
        return {"error": f"File not found: {csv_path}"}
    return entries


def parse_timestamp(ts_str):
    """Parse various timestamp formats to datetime."""
    if not ts_str or ts_str in ("", "NoFNDate", "N/A"):
        return None
    formats = [
        "%Y-%m-%d %H:%M:%S.%f",
        "%Y-%m-%d %H:%M:%S",
        "%m/%d/%Y %H:%M:%S",
        "%Y-%m-%dT%H:%M:%S.%f",
        "%Y-%m-%dT%H:%M:%S",
    ]
    for fmt in formats:
        try:
            return datetime.datetime.strptime(ts_str.strip(), fmt)
        except ValueError:
            continue
    return None


def detect_timestomping(entries, os_install_date=None):
    """Analyze MFT entries for timestomping indicators."""
    if os_install_date is None:
        os_install_date = datetime.datetime(2020, 1, 1)
    now = datetime.datetime.now()
    findings = []

    for entry in entries:
        if isinstance(entry, dict) and "error" in entry:
            continue
        reasons = []
        si_created = parse_timestamp(entry.get("si_created", ""))
        fn_created = parse_timestamp(entry.get("fn_created", ""))

        # Check zero nanoseconds
        si_str = entry.get("si_created", "")
        if ".0000000" in si_str or (si_str and re.search(r"\.\d{6}0$", si_str)):
            reasons.append("zero_nanoseconds")

        # Check SI before FN (most reliable indicator)
        if si_created and fn_created:
            if si_created < fn_created - datetime.timedelta(seconds=2):
                reasons.append("si_before_fn")

        # Check future timestamps
        if si_created and si_created > now + datetime.timedelta(days=1):
            reasons.append("future_timestamp")

        # Check pre-OS timestamps
        if si_created and si_created < os_install_date:
            if fn_created and fn_created >= os_install_date:
                reasons.append("pre_os_timestamp")

        # Check perfectly round timestamps
        if si_created and si_created.microsecond == 0:
            si_mod = parse_timestamp(entry.get("si_modified", ""))
            if si_mod and si_mod.microsecond == 0:
                reasons.append("round_seconds")

        if reasons:
            findings.append({
                "filename": entry.get("filename", ""),
                "record_number": entry.get("record_number", ""),
                "si_created": entry.get("si_created", ""),
                "fn_created": entry.get("fn_created", ""),
                "indicators": reasons,
                "descriptions": [TIMESTOMP_INDICATORS.get(r, r) for r in reasons],
                "confidence": "HIGH" if "si_before_fn" in reasons else "MEDIUM",
                "mitre": "T1070.006",
            })

    return findings


def generate_report(entries, findings):
    """Generate timestomping analysis report."""
    return {
        "timestamp": datetime.datetime.utcnow().isoformat() + "Z",
        "total_mft_entries": len(entries) if isinstance(entries, list) else 0,
        "total_findings": len(findings),
        "high_confidence": sum(1 for f in findings if f.get("confidence") == "HIGH"),
        "medium_confidence": sum(1 for f in findings if f.get("confidence") == "MEDIUM"),
        "indicator_counts": dict(collections.Counter(
            ind for f in findings for ind in f.get("indicators", [])
        )) if findings else {},
        "mitre_technique": "T1070.006 - Indicator Removal: Timestomp",
    }


# Need collections for generate_report
import collections


def main():
    parser = argparse.ArgumentParser(
        description="NTFS timestomping detection via MFT analysis (MITRE T1070.006)"
    )
    parser.add_argument("mft_csv", nargs="?", help="Path to analyzeMFT CSV output")
    parser.add_argument("--os-install", help="OS install date (YYYY-MM-DD) for baseline")
    parser.add_argument("--high-only", action="store_true", help="Show only HIGH confidence findings")
    parser.add_argument("--output", "-o", help="Output JSON report path")
    args = parser.parse_args()

    print("[*] Timestomping Detection Agent (MITRE T1070.006)")
    print("[*] Compares $STANDARD_INFORMATION vs $FILE_NAME timestamps")

    if not args.mft_csv:
        print("\n[DEMO] Usage:")
        print("  1. Extract MFT: ftkimager /path/to/image mft_output")
        print("  2. Parse MFT: analyzeMFT.py -f $MFT -o mft.csv")
        print("  3. Detect: python agent.py mft.csv [--os-install 2022-01-15]")
        print("\n  Indicators detected:")
        for name, desc in TIMESTOMP_INDICATORS.items():
            print(f"    - {name}: {desc}")
        print(json.dumps({"demo": True, "indicators": len(TIMESTOMP_INDICATORS)}, indent=2))
        sys.exit(0)

    os_date = None
    if args.os_install:
        try:
            os_date = datetime.datetime.strptime(args.os_install, "%Y-%m-%d")
        except ValueError:
            print(f"[!] Invalid date format: {args.os_install}")

    entries = parse_mft_csv(args.mft_csv)
    if isinstance(entries, dict) and "error" in entries:
        print(f"[!] {entries['error']}")
        sys.exit(1)

    findings = detect_timestomping(entries, os_date)
    if args.high_only:
        findings = [f for f in findings if f.get("confidence") == "HIGH"]

    report = generate_report(entries, findings)
    print(f"[*] MFT entries analyzed: {report['total_mft_entries']}")
    print(f"[*] Timestomping findings: {report['total_findings']}")
    print(f"    HIGH confidence: {report['high_confidence']}")
    print(f"    MEDIUM confidence: {report['medium_confidence']}")

    for f in findings[:20]:
        print(f"  [{f['confidence']}] {f['filename']}")
        for desc in f["descriptions"]:
            print(f"    - {desc}")

    if args.output:
        full_report = {"summary": report, "findings": findings}
        with open(args.output, "w") as f:
            json.dump(full_report, f, indent=2)

    print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
Keep exploring