Completely change MACE timestamps?
2015-06-11 22:43
Hi,
One of my friends, Sandy, asked me whether it is possible to completely change MACE timestamps. As everybody knows, some tools can change only the MAC timestamps. I told her that a tool named "Timestomp" can change the MACE timestamps, including the Entry Modified time. She was very surprised and asked me how to use "Timestomp". I will show you below:
1. A file - test.txt. Look at its MAC timestamps: "10/29/2013 09:44:35".
2. Use Timestomp to show MACE timestamps.
3. Now I use Timestomp to change the MACE timestamps to an earlier time such as "10/08/2005 14:34:56". You can see the MACE timestamps change to exactly what I want.
4. If you are not sure whether the MACE timestamps changed or not, I use another tool to verify the MACE timestamps of this file test.txt again. It works! All timestamps become "10/08/2005 14:34:56".
5. My friend wondered: if a suspect uses Timestomp to change MACE timestamps, how could I figure it out? Fortunately, there are two kinds of timestamps in the MFT. They are Standard info and Filename info. I dumped an MFT to CSV and you can see them clearly. Even though Timestomp can change MACE timestamps, it can only change the Standard info attributes, not the Filename info attributes. So we can take a look at the MFT dump results and see if there are any abnormal timestamps between those two timestamp attributes.
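The comparison described in step 5, as an added example that is not part of the original post: it reads an MFT dump in CSV form and flags records whose Standard info timestamps look abnormal next to the Filename info timestamps. The column names and the sample rows are assumptions constructed for illustration; the test.txt row reuses the times from the steps above.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an MFT dump in CSV form. The column names are assumptions;
# rename them to match the headers written by the MFT parser you use.
SAMPLE_CSV = """\
filename,si_created,si_modified,si_accessed,si_entry,fn_created,fn_modified,fn_accessed,fn_entry
report.doc,10/29/2013 09:44:35,10/30/2013 11:02:10,10/30/2013 11:02:10,10/30/2013 11:02:11,10/29/2013 09:44:35,10/29/2013 09:44:35,10/29/2013 09:44:35,10/29/2013 09:44:35
test.txt,10/08/2005 14:34:56,10/08/2005 14:34:56,10/08/2005 14:34:56,10/08/2005 14:34:56,10/29/2013 09:44:35,10/29/2013 09:44:35,10/29/2013 09:44:35,10/29/2013 09:44:35
"""

FIELDS = ("created", "modified", "accessed", "entry")  # the four MACE values

def parse(ts):
    return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S")

def check_record(row):
    """Return the reasons (possibly none) why one MFT record looks abnormal."""
    si = {f: parse(row["si_" + f]) for f in FIELDS}  # Standard info
    fn = {f: parse(row["fn_" + f]) for f in FIELDS}  # Filename info
    reasons = []
    # A Standard info creation time that predates the Filename info creation
    # time is the mismatch left behind when only Standard info is rewritten.
    if si["created"] < fn["created"]:
        reasons.append("SI created is earlier than FN created")
    # All four Standard info values set to one instant, while Filename info
    # says otherwise, matches the result shown in step 4.
    if len(set(si.values())) == 1 and si != fn:
        reasons.append("all four SI timestamps are identical but differ from FN")
    return reasons

def find_suspects(csv_text):
    """Map filename -> reasons for every record that has at least one reason."""
    suspects = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = check_record(row)
        if reasons:
            suspects[row["filename"]] = reasons
    return suspects

if __name__ == "__main__":
    for name, reasons in find_suspects(SAMPLE_CSV).items():
        print(name, "->", "; ".join(reasons))
```

Copying or moving a file can also make the two attributes disagree, so treat a hit as a lead to examine rather than proof.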