Why might an attacker need to use a tool like WinHex after API-based timestamp modification?
Even after NtSetInformationFile has been used to set all four timestamps, some forensic checks compare the values stored in the $STANDARD_INFORMATION and $FILE_NAME attributes of the file's MFT record. WinHex can modify those offsets directly so that the two sets of values are consistent, eliminating the residual evidence of timestamp manipulation.
---
**Related reading:**
- Penetration Techniques - Time Attributes of NTFS Files in Windows — original article
- Penetration Basics - Implementation of Exchange One-Liner Backdoor
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails
- Steganography Techniques - Hiding Payloads Using JPEG File Format