Comments on obscuresec: Modifying MAC properties with PowerShell
Feed updated: 2024-02-21T03:31:19.668-05:00

Chris (2014-05-27T21:05:42.869-04:00):
Yep, I mentioned that in the last line but I guess it's not clear. The tool "TimeStomp" modifies not only the (M)odified, (A)ccessed and (C)reated file properties but also the MFT (E)ntry which allows it to stand up to forensic scrutiny. Since I have no interest in standing up to forensic scrutiny, only hiding from admins, MAC is enough for me. Thanks for the comment.

sean (2014-05-23T00:35:53.998-04:00):
That's only half of the story from a forensics standpoint. This is already fairly commonly used by criminals, stomping the file attributes. However the raw MFT data will still have the original values of creation time. So to really leave no trace, those need to be stomped as well. :)

http://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx