What forensic approach can detect that file timestamps have been altered by an attacker?
Forensic analysts should examine both the $STANDARD_INFORMATION and $FILE_NAME attributes in the MFT. If MFTChangeTime is later than the other three timestamps, it indicates tampering. Tools like SetMace can be used to view these attributes, and anomalies suggest unauthorized modification.
---
**Related reading:**
- Penetration Techniques - Time Attributes of NTFS Files in Windows — original article
- Penetration Basics - Implementation of Exchange One-Liner Backdoor
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails
- Steganography Techniques - Hiding Payloads Using JPEG File Format