What Time Are You Anyway?

Computer forensic examiners rely heavily on timestamps during investigations. Timeline analysis is a critical technique in determining what happened and when. In 2005, timestomp.exe was released and this gave non-observant investigators a run for their money. Unfortunately, there are some gaps in what timestomp.exe will do. Observant investigators can identify timestomping and recover from that activity. Good timestomping requires knowing what time values need to get trashed, where these times are stored, AND what supporting artifacts need to be altered. This presentation examines several file systems and operating systems and identifies what needs to be tweaked in order to effectively hide one's tracks.
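The abstract states that observant investigators can recognise timestomping because tools such as timestomp.exe leave gaps: some time values and supporting artifacts are not rewritten. The following added example (my own code, not material from the presentation or its author) shows the investigator's side of that statement on NTFS. It assumes two common heuristics that the abstract does not spell out: a tool that sets times with whole-second precision leaves the 100-nanosecond fraction of the Windows FILETIME at zero, and a tool that rewrites only the $STANDARD_INFORMATION ($SI) attribute leaves the $FILE_NAME ($FN) creation time untouched, so an $SI creation time earlier than the $FN creation time is suspicious. The MFT records, the paths and the time values are constructed for the example; a real run would feed records from an MFT parser.

```python
"""Heuristic timestomp screening over NTFS $SI / $FN timestamp pairs.

Added example, not the presentation's own code. The records below are
constructed; an MFT parser (not included) would supply real ones.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000                # FILETIME counts 100-ns ticks
UNIX_EPOCH_TICKS = 116_444_736_000_000_000   # ticks from 1601-01-01 to 1970-01-01


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware UTC datetime to a Windows FILETIME tick count."""
    unix_seconds = int(dt.timestamp())
    epoch_offset = UNIX_EPOCH_TICKS // TICKS_PER_SECOND
    return (unix_seconds + epoch_offset) * TICKS_PER_SECOND + dt.microsecond * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count back to an aware UTC datetime."""
    unix_ticks = ticks - UNIX_EPOCH_TICKS
    base = datetime.fromtimestamp(unix_ticks // TICKS_PER_SECOND, tz=timezone.utc)
    return base.replace(microsecond=(unix_ticks % TICKS_PER_SECOND) // 10)


@dataclass(frozen=True)
class MftTimestamps:
    """Creation and modification times from one MFT record, as FILETIME ticks."""
    path: str
    si_created: int    # $STANDARD_INFORMATION (what Explorer and most APIs show)
    si_modified: int
    fn_created: int    # $FILE_NAME (not exposed through the documented file APIs)
    fn_modified: int


def timestomp_indicators(rec: MftTimestamps) -> list[str]:
    """Return the names of the heuristics that fire for one record."""
    flags = []
    # Heuristic 1 (assumption): whole-second $SI times with a zero
    # sub-second fraction suggest a tool that wrote second-precision values.
    if all(t % TICKS_PER_SECOND == 0 for t in (rec.si_created, rec.si_modified)):
        flags.append("si-subsecond-zero")
    # Heuristic 2 (assumption): a file cannot be created ($SI) before the
    # name entry that was written at creation time ($FN).
    if rec.si_created < rec.fn_created:
        flags.append("si-created-before-fn-created")
    return flags


def screen(records: list[MftTimestamps]) -> list[tuple[str, list[str]]]:
    """Return (path, indicators) for every record that raises at least one flag."""
    hits = []
    for rec in records:
        flags = timestomp_indicators(rec)
        if flags:
            hits.append((rec.path, flags))
    return hits


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample: a file created 2010-06-15 12:30:45.123456 UTC, modified
# two days later, with $SI and $FN in agreement. Expected: no indicators.
NORMAL = MftTimestamps(
    path=r"C:\Users\alice\report.docx",
    si_created=datetime_to_filetime(_utc(2010, 6, 15, 12, 30, 45, 123456)),
    si_modified=datetime_to_filetime(_utc(2010, 6, 17, 9, 5, 2, 654321)),
    fn_created=datetime_to_filetime(_utc(2010, 6, 15, 12, 30, 45, 123456)),
    fn_modified=datetime_to_filetime(_utc(2010, 6, 15, 12, 30, 45, 123456)),
)

# Constructed sample: the same file after its $SI times were rewritten to a
# whole-second date in 2004; $FN still carries the real 2010 creation time.
STOMPED = MftTimestamps(
    path=r"C:\Users\alice\report-stomped.docx",
    si_created=datetime_to_filetime(_utc(2004, 1, 1, 0, 0, 0)),
    si_modified=datetime_to_filetime(_utc(2004, 1, 1, 0, 0, 0)),
    fn_created=NORMAL.fn_created,
    fn_modified=NORMAL.fn_modified,
)

if __name__ == "__main__":
    for path, flags in screen([NORMAL, STOMPED]):
        si = filetime_to_datetime(MftTimestamps.__dataclass_fields__ and STOMPED.si_created)
        print(f"{path}: {flags} ($SI created {si.isoformat()})")
```

Both heuristics are screening aids, not proof. Whole-second values also appear on files copied from FAT volumes or extracted by archivers that store second-precision times, and $FN times are re-derived from $SI when a file is moved or renamed, so a record that was stomped before a move can pass the second check. Corroborate hits against the volume's journaling artifacts and other sources of time rather than treating a flag as a finding on its own.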

Presented by