Answer is wrong. Per CHFI V10 material: To detect timestamp forgery on NTFS file system, the forensic investigator can employ forensic tools such as analyzeMFT to compare $STANDARD INFORMATION and $FILE NAME ATTRIBUTES.
As per https://www.offsec.com/metasploit-unleashed/timestomp/
"Usage: timestomp OPTIONS file_path
OPTIONS:
-a Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c Set the "creation" time of the file
-e Set the "mft entry modified" time of the file
-f Set the MACE of attributes equal to the supplied file
-h Help banner
-m Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z Set all four attributes (MACE) of the file"
It looks like timestomp can only perform Timestomping and not identify it.
upvoted 1 times
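The comparison the comment above refers to, as an added example that is not part of the original comment and is not analyzeMFT's own code. The column names (`path`, `si_created`, `fn_created`) and the sample rows are constructed for illustration; a real MFT export will use its own headers.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows (not real tool output). Column names are assumptions.
SAMPLE_CSV = r"""path,si_created,fn_created
C:\Users\a\report.docx,2023-05-01 10:15:32.418733,2023-05-01 10:15:32.418733
C:\Windows\Temp\svc.exe,2019-01-01 00:00:00.000000,2023-06-12 08:44:10.902114
C:\Users\a\notes.txt,2023-02-01 12:30:45.000000,2023-02-01 12:30:45.000000
"""

FMT = "%Y-%m-%d %H:%M:%S.%f"


def find_timestomp_candidates(csv_text):
    """Return (path, reasons) for rows whose $STANDARD_INFORMATION creation
    time looks inconsistent with the $FILE_NAME creation time."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si = datetime.strptime(row["si_created"], FMT)
        fn = datetime.strptime(row["fn_created"], FMT)
        reasons = []
        # User-mode timestamp tools rewrite $STANDARD_INFORMATION but normally
        # leave $FILE_NAME alone, so a backdated SI time predates the FN time.
        if si < fn:
            reasons.append("si_created_before_fn_created")
        # Tools that set times at one-second precision leave the sub-second
        # part at exactly zero, which is uncommon for natively created files.
        if si.microsecond == 0:
            reasons.append("si_zero_subsecond")
        if reasons:
            findings.append((row["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_timestomp_candidates(SAMPLE_CSV):
        print(f"{path}: {', '.join(reasons)}")
```

Both checks are heuristics that produce candidates for review; a zero sub-second value on its own also appears on files restored from archives.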