After reading about the release of setMACE, I became curious as to exactly how setMACE works and the forensic consequences if such a program is used maliciously, so I decided to look into this particular program a bit closer. Compared with existing timestamp altering programs like timestomp, setMACE allows a user to modify the $FILE_NAME timestamp values within NTFS file systems (as opposed to only modifying the $STANDARD_INFORMATION timestamps). On a general note, if you’re looking for more detailed information about NTFS and other file systems, I strongly suggest reading Brian Carrier’s book.
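To make the forensic consequence concrete, here is an added example (my own code, not part of setMACE or timestomp) of the usual $STANDARD_INFORMATION versus $FILE_NAME comparison an examiner runs on an MFT record, applied to three constructed records; it assumes the timestamps have already been pulled out of the MFT as FILETIME integers. The constructed setMACE-style record shows why rewriting $FILE_NAME as well leaves that check with nothing to flag.

```python
from datetime import datetime, timedelta, timezone

# NTFS stores timestamps as FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")

def filetime(dt: datetime, sub_ticks: int = 0) -> int:
    """Build a FILETIME value from a whole-second datetime plus extra 100 ns ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + sub_ticks

def filetime_to_datetime(ft: int) -> datetime:
    """Inverse of filetime(), truncated to microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def timestomp_indicators(si: dict, fn: dict) -> list:
    """Heuristics for a backdated $STANDARD_INFORMATION (si) given the same
    record's $FILE_NAME (fn) timestamps. Both map FIELDS -> FILETIME int."""
    hits = []
    for field in ("created", "modified"):
        # The kernel sets $FN times when the name is created; a $SI value that
        # predates them is suspicious. Known false positive: a file moved into
        # another directory receives a fresh $FN attribute with newer times.
        if si[field] < fn[field]:
            hits.append(f"$SI {field} predates $FN {field}")
    # Tools that set times with one-second precision leave the sub-second ticks at zero.
    if all(si[f] % TICKS_PER_SECOND == 0 for f in FIELDS):
        hits.append("every $SI timestamp has a zero sub-second component")
    return hits

def _stamps(dt: datetime, sub_ticks: int) -> dict:
    return {f: filetime(dt, sub_ticks) for f in FIELDS}

# Constructed sample records (hypothetical values, not real evidence).
CREATED = datetime(2012, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
BACKDATE = datetime(2009, 1, 1, tzinfo=timezone.utc)
UNTOUCHED = (_stamps(CREATED, 1234567), _stamps(CREATED, 1234567))
# timestomp-style: only $SI rewritten, to a whole second in the past
TIMESTOMPED = (_stamps(BACKDATE, 0), _stamps(CREATED, 1234567))
# setMACE-style: $SI and $FN both rewritten to the same full-precision value
SETMACE_STYLE = (_stamps(BACKDATE, 5000000), _stamps(BACKDATE, 5000000))

if __name__ == "__main__":
    samples = (("untouched", UNTOUCHED), ("timestomped", TIMESTOMPED),
               ("setMACE-style", SETMACE_STYLE))
    for name, (si, fn) in samples:
        print(name, filetime_to_datetime(si["created"]),
              timestomp_indicators(si, fn) or "no indicators")
```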
The author of setMACE provides an explanation as to how the program works in the readme file included with the download, but naturally I wanted to see for myself. I set up procmon to capture the chain of events occurring when a file’s timestamps are altered using setMACE. What I noticed appeared to be consistent with the author’s explanation. Thus, my interpretation of the steps setMACE follows to alter timestamps is below.