One Day Sec

How can an attacker modify file timestamps to cover tracks after deploying files on a target system?

An attacker can use tools like FileTimeControl_WinAPI (via SetFileTime) to modify CreateTime, AccessTime, and LastWriteTime, or FileTimeControl_NTAPI (via NtSetInformationFile) to also modify MFTChangeTime. To fully eliminate traces, they may need to use low-level tools like WinHex to directly alter the $STANDARD_INFORMATION and $FILE_NAME attributes in the Master File Table.
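
For the detection side, the sketch below is an added example, not code from the original article or its tools. It compares the `$STANDARD_INFORMATION` timestamps with the `$FILE_NAME` timestamps of one file, on the basis that the two API routes above rewrite only `$STANDARD_INFORMATION`. It assumes the attribute bodies were already extracted from the MFT record by a parser; the sample bytes, dates and helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_changed", "accessed")  # on-disk order

def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def parse_times(body, offset):
    """Decode the four consecutive little-endian FILETIMEs at `offset`."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", body, offset)))

def check_record(si_body, fn_body):
    """Compare one file's $STANDARD_INFORMATION and $FILE_NAME bodies."""
    si = parse_times(si_body, 0)  # timestamps open the $SI body
    fn = parse_times(fn_body, 8)  # $FN: 8-byte parent reference comes first
    findings = []
    # API-level changes touch $SI only, so a backdated $SI value ends up
    # earlier than the $FN value recorded when the file was created.
    for name in ("created", "mft_changed"):
        if si[name] < fn[name]:
            findings.append(f"$SI {name} predates $FN {name}")
    # Heuristic: times set by a tool often have no sub-second component.
    if si["created"] % 10_000_000 == 0:
        findings.append("$SI created has zero sub-second ticks")
    return findings

# --- constructed sample data (not taken from a real volume) ---
def body(times, prefix=b""):
    return prefix + struct.pack("<4Q", *(to_filetime(t) for t in times))

REAL = datetime(2024, 5, 1, 12, 34, 56, 789012, tzinfo=timezone.utc)
OLD = datetime(2019, 1, 1, tzinfo=timezone.utc)                      # whole second
OLD_FINE = datetime(2019, 1, 1, 8, 15, 30, 123456, tzinfo=timezone.utc)
FN_BODY = body([REAL] * 4, prefix=bytes(8))

CASES = {
    "untouched": (body([REAL] * 4), FN_BODY),
    "SetFileTime": (body([OLD, OLD, REAL, OLD]), FN_BODY),
    "NtSetInformationFile": (body([OLD] * 4), FN_BODY),
    "both attributes edited": (body([OLD_FINE] * 4),
                               body([OLD_FINE] * 4, prefix=bytes(8))),
}

if __name__ == "__main__":
    for label, (si, fn) in CASES.items():
        print(f"{label}: {check_record(si, fn) or 'no findings'}")
```

The last case returns no findings, which matches the answer's point that direct edits to both attributes leave nothing for this comparison to catch. Legitimate tools such as archive extractors can also restore old creation times, so a hit is a lead to corroborate with other evidence, not proof.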

---
**Related reading:**
- Penetration Techniques - Time Attributes of NTFS Files in Windows — original article
- Zimbra SOAP API Development Guide
- Unauthorized file copying via COM component IFileOperation
- Setting Up ADAudit Plus Vulnerability Debugging Environment

Tags: timestomp, SetFileTime, NtSetInformationFile, MFTChangeTime, anti-forensics
