Timestomping

Falsification of file system timestamps to mislead timeline analysis. The Metasploit tool timestomp.exe and the open-source SetMACE are the canonical references. NTFS keeps two timestamp sets, $STANDARD_INFORMATION and $FILE_NAME, and many tools modify only the first; comparing the two sets is the basis of the counter-move.
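
The counter-move as a detection check, in an added example that is not from the original page: it compares the $STANDARD_INFORMATION ($SI) creation time of each record with the $FILE_NAME ($FN) one. The record field names and the sample records are constructed for illustration, and the whole-second check is a commonly used extra heuristic the page does not mention; in practice the values would come from an MFT parser.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10**7  # FILETIME counts 100 ns ticks since 1601-01-01 UTC

def to_filetime(dt, extra_ticks=0):
    """Build a FILETIME integer from a datetime (used for the sample data)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * TICKS_PER_SEC + d.microseconds * 10 + extra_ticks

def to_datetime(ft):
    """FILETIME -> datetime (the final 100 ns digit is dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def check_record(rec):
    """Return the timestomping indicators found in one MFT record."""
    findings = []
    # A tool that rewrites only $SI leaves $FN untouched, so an $SI creation
    # time older than the $FN creation time is an inconsistency worth a look.
    if rec["si_created"] < rec["fn_created"]:
        findings.append("si_created_before_fn_created")
    # Extra heuristic (assumption, not from the page): a value with no
    # sub-second part is unusual for a timestamp written by the file system.
    if rec["si_created"] % TICKS_PER_SEC == 0:
        findings.append("si_created_whole_second")
    return findings

def scan(records):
    """Map file name -> indicators, for records with at least one indicator."""
    return {r["name"]: f for r in records if (f := check_record(r))}

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample records (hypothetical field names, made-up values).
normal = to_filetime(utc(2024, 6, 10, 9, 30, 5, 120000), 7)
dropped = to_filetime(utc(2024, 6, 12, 10, 15, 42, 123456), 7)
backdated = to_filetime(utc(2019, 3, 1))  # $SI rewritten to a round past date
SAMPLE = [
    {"name": "report.docx", "si_created": normal, "fn_created": normal},
    {"name": "svc_update.exe", "si_created": backdated, "fn_created": dropped},
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for rec in SAMPLE:
        if rec["name"] in hits:
            print(rec["name"], to_datetime(rec["si_created"]),
                  to_datetime(rec["fn_created"]), hits[rec["name"]])
```

A hit is a lead for the timeline, not proof: it marks records whose two timestamp sets disagree and that deserve corroboration from other artifacts.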