From a Digital Forensics and Incident Response (DFIR) perspective, timestomping is an anti-forensics technique in which an attacker rewrites a file's timestamps (creation, modification and access times, plus the MFT entry change time on NTFS) so that dropped tools blend in with legitimate files and the intrusion timeline becomes harder to reconstruct. It is cheap to do: on Windows any process that can open a file can rewrite these values with the SetFileTime API (Meterpreter's timestomp command automates this), and on Linux `touch -t` or `touch -r` does the same. Detection is nevertheless possible, because the attacker rarely controls every record of when a file appeared, and DFIR analysts have several methods for finding the inconsistencies that result:
- File hash comparison: comparing the hashes of files on the system against a known-good set (a clean installation of the same build, or a vendor hash set) identifies files whose content has changed. Timestamps carry no information about content, so a file whose hash no longer matches the known-good copy while its timestamps still claim the original install date is a strong sign that the file was replaced and its times set back afterwards.
- Timeline analysis: building a timeline from every time source on the system (file system timestamps, the NTFS $UsnJrnl and $LogFile, event logs, Prefetch, registry key write times) and looking for contradictions. On NTFS each MFT entry holds two sets of timestamps: $STANDARD_INFORMATION, which SetFileTime rewrites, and $FILE_NAME, which the kernel maintains and which is not reachable through that API. A file whose $STANDARD_INFORMATION creation time predates its own $FILE_NAME creation time, or whose times are exact whole seconds while neighbouring files carry NTFS's 100-nanosecond precision, or which claims to be years old yet sits in a recently allocated MFT entry, is a classic timestomping indicator.
- File signature analysis: checking files against known-good signatures, for example verifying the Authenticode signature of a Windows executable or comparing its magic bytes and PE header fields with those of the legitimate version, identifies files whose content has been replaced even when their timestamps have been set back to plausible values.
- File metadata analysis: extracting the timestamps embedded inside a file with a tool such as exiftool (the compile timestamp in a PE header, EXIF DateTimeOriginal in an image, the creation date inside an Office document) and comparing them with what the file system shows. Embedded metadata is written by the application that produced the file and is usually untouched by timestomping tools, so a file whose file-system creation time is earlier than the compile or capture time recorded inside it has been backdated. PE compile timestamps can themselves be forged, so treat this as corroborating evidence rather than proof.
- Use of specialized software: forensic tooling such as The Sleuth Kit (fls, istat and mactime), Plaso/log2timeline, and MFTECmd parses the MFT with both timestamp sets and builds a super-timeline from the other sources above, which makes these comparisons practical across an entire volume rather than one file at a time.
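The comparisons above, as an added worked example that is not code from the original article: a small Python triage over records of the kind an MFT parser emits, checking $STANDARD_INFORMATION against $FILE_NAME, looking for whole-second values, and combining a known-good hash set with the timestamps. The `MftRecord` shape, the `BASELINE` hash set and all sample files and byte strings are constructed for the example and are not data from a real system.

```python
"""Timestomping triage over NTFS MFT timestamp pairs (added example, constructed data)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class MftRecord:
    """One file's NTFS timestamps in the shape an MFT parser would emit them (hypothetical)."""
    path: str
    si_created: datetime     # $STANDARD_INFORMATION: rewritable from user mode via SetFileTime()
    si_modified: datetime
    fn_created: datetime     # $FILE_NAME: kernel-maintained, not reachable through SetFileTime()
    fn_modified: datetime
    content: bytes           # constructed stand-in for the file's bytes on disk


def zero_subsecond(ts: datetime) -> bool:
    """NTFS stores 100 ns ticks; tools that write whole seconds leave the fraction at exactly 0.
    Python's datetime only keeps microseconds, so a real parser should test the raw 64-bit value."""
    return ts.microsecond == 0


def check_record(rec: MftRecord, baseline: dict[str, tuple[str, datetime]]) -> list[str]:
    """Return the timestomping indicators that fire for one MFT record."""
    findings: list[str] = []

    # 1. $SI creation earlier than $FN creation. Both are written together at creation and a
    #    rename copies $SI into $FN, so a legitimate $SI creation time is never older than $FN.
    if rec.si_created < rec.fn_created:
        findings.append("$SI creation time predates $FN creation time")

    # 2. Whole-second $SI values next to a $FN value that still carries its sub-second ticks.
    si_truncated = zero_subsecond(rec.si_created) or zero_subsecond(rec.si_modified)
    if si_truncated and not zero_subsecond(rec.fn_created):
        findings.append("$SI timestamps truncated to whole seconds while $FN is not")

    # 3. Known-good comparison: content changed but $SI modification time still matches the
    #    baseline exactly, which is what overwriting a binary in place and then restoring the
    #    original timestamps with SetFileTime() looks like ($FN stays consistent in that case).
    if rec.path in baseline:
        good_hash, good_modified = baseline[rec.path]
        actual_hash = hashlib.sha256(rec.content).hexdigest()
        if actual_hash != good_hash and rec.si_modified == good_modified:
            findings.append("content hash differs from known-good copy but modification time matches it")

    return findings


def triage(records: list[MftRecord], baseline: dict[str, tuple[str, datetime]]) -> dict[str, list[str]]:
    """Map each suspicious path to its findings; clean records are omitted."""
    return {r.path: f for r in records if (f := check_record(r, baseline))}


# --- Constructed sample data (not from a real image) -------------------------------------
GOOD_SVCHOST = b"MZ legitimate service host bytes (constructed)"
BAD_SVCHOST = b"MZ replaced service host bytes (constructed)"
T_INSTALL = datetime(2021, 3, 4, 9, 12, 33, 412200, tzinfo=UTC)     # OS install, real ticks
T_INTRUSION = datetime(2024, 11, 2, 3, 41, 8, 771900, tzinfo=UTC)   # when the tools landed
T_FORGED = datetime(2021, 3, 4, 9, 12, 33, tzinfo=UTC)              # backdated, whole seconds

BASELINE = {
    r"C:\Windows\System32\svchost.exe": (hashlib.sha256(GOOD_SVCHOST).hexdigest(), T_INSTALL),
}

SAMPLE_RECORDS = [
    # Untouched system file: $SI and $FN agree, fractions present, not in the baseline set.
    MftRecord(r"C:\Windows\System32\kernel32.dll", T_INSTALL, T_INSTALL, T_INSTALL, T_INSTALL,
              b"MZ kernel32 bytes (constructed)"),
    # Dropped tool backdated with SetFileTime(): $SI says 2021, the kernel's $FN says 2024.
    MftRecord(r"C:\Windows\Temp\svc.exe", T_FORGED, T_FORGED, T_INTRUSION, T_INTRUSION,
              b"MZ dropper bytes (constructed)"),
    # svchost.exe overwritten in place and its $SI times restored: timestamps consistent, hash not.
    MftRecord(r"C:\Windows\System32\svchost.exe", T_INSTALL, T_INSTALL, T_INSTALL, T_INSTALL,
              BAD_SVCHOST),
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_RECORDS, BASELINE).items():
        print(path)
        for finding in findings:
            print("   -", finding)
```

Indicator 1 is the high-confidence one; indicator 2 fires on its own for some legitimate tools that write whole seconds, and indicator 3 needs a baseline that matches the system's exact build, so in practice the three are weighed together rather than alerted on individually.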
It is important to remember that timestomping is only one of the techniques attackers use to conceal their presence on a system, and that a careful attacker can also defeat any single check (for example by renaming a file after backdating it so that $FILE_NAME picks up the forged times), so a combination of these methods and tools should be used for a thorough investigation.