After reading about the release of setMACE, I became curious as to exactly how setMACE works and the forensic consequences if such a program is used maliciously, so I decided to look into this particular program a bit closer. Compared with existing timestamp-altering programs like timestomp, setMACE allows a user to modify the $FILE_NAME timestamp values within NTFS file systems (as opposed to only modifying the $STANDARD_INFORMATION timestamps). On a general note, if you’re looking for more detailed information about NTFS and other file systems, I strongly suggest reading Brian Carrier’s book.
The author of setMACE provides an explanation as to how the program works in the readme file included with the download, but naturally I wanted to see for myself. I set up procmon to capture the chain of events occurring when a file’s timestamps are altered using setMACE. What I noticed appeared to be consistent with the author’s explanation. Thus, my interpretation of the steps setMACE follows to alter timestamps is below.
Excellent work on this. Do you mind if I reference this post in my Anti-Forensic course? I would like to give credit where it's due, what is your real name?
Thanks, glad to hear you enjoyed it. My real name is Jason Hale, and feel free to reference this post for your class.
Good to see others in the community looking at things like this and presenting other forensic artifacts to look for – I did a similar write-up a bit ago http://goo.gl/Ioeb2
MyKey Technology MFTRipper would also be VERY helpful here. They decode the MFT, giving you the full time to the millisecond, whereas setMACE only sets to the second, leaving the millisecond at "000". Also, the record sequence numbers would change and the other 8 dates and times would not be affected. Remember the MFT keeps more than the standard dates and times; there are 3 possible sets of 4 dates and times.
$SI, $FN, what is the third set?
The three sets are $SI and two $FN attributes (long and short file name).
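As an added illustration (not code from the post or from setMACE's author) of the two detection angles raised above: the post notes that setMACE, unlike timestomp, rewrites $FILE_NAME as well as $STANDARD_INFORMATION, and the comment on MFTRipper notes that setMACE writes only whole seconds. The script below runs both heuristics over constructed $SI/$FN MACE tuples; the FILETIME conversion is standard Windows behaviour, while the sample dates and the `MftTimes`/`find_anomalies` names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# NTFS stores every $SI and $FN timestamp as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a FILETIME tick count."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


@dataclass
class MftTimes:
    """One MACE set (Modified, Accessed, MFT-Changed, crEated) as FILETIME ticks."""
    m: int
    a: int
    c: int
    e: int

    def as_tuple(self):
        return (self.m, self.a, self.c, self.e)


def find_anomalies(si: MftTimes, fn: MftTimes) -> list:
    """Return human-readable findings for one MFT record's $SI and $FN sets."""
    findings = []
    # Heuristic 1 (catches timestomp-style edits): $FN is written on create/rename
    # and is normally never later than $SI, so $SI older than $FN is suspicious.
    for label, s, f in zip("MACE", si.as_tuple(), fn.as_tuple()):
        if s < f:
            findings.append(f"{label}: $SI earlier than $FN")
    # Heuristic 2 (still fires when $FN was rewritten too): a tool that writes to
    # second precision leaves the sub-second ticks at zero; live NTFS writes do not.
    for attr, times in (("$SI", si), ("$FN", fn)):
        for label, value in zip("MACE", times.as_tuple()):
            if value % TICKS_PER_SECOND == 0:
                findings.append(f"{attr} {label}: no sub-second component")
    return findings


# Constructed sample data: a genuine NTFS timestamp carries sub-second ticks,
# the backdated value is a whole second as an anti-forensic tool would write it.
GENUINE = MftTimes(*[to_filetime(datetime(2012, 3, 14, 15, 9, 26, 535897, tzinfo=timezone.utc))] * 4)
BACKDATED = MftTimes(*[to_filetime(datetime(2005, 1, 1, 12, 0, 0, tzinfo=timezone.utc))] * 4)

if __name__ == "__main__":
    print("untouched record:", find_anomalies(GENUINE, GENUINE))
    print("$SI only rewritten:", find_anomalies(BACKDATED, GENUINE))
    print("$SI and $FN rewritten:", find_anomalies(BACKDATED, BACKDATED))
```

Whole-second values also occur legitimately, for example on files that originated on a FAT volume, so heuristic 2 is a lead to corroborate against the sequence numbers and the remaining $FN set rather than proof on its own.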