Computer forensic examiners rely heavily on timestamps during investigations. Timeline analysis is a critical technique in determining what happened and when. In 2005, timestomp.exe was released and this gave non-observant investigators a run for their money. Unfortunately, there are some gaps in what timestomp.exe will do. Observant investigators can identify timestomping and recover from that activity. Good timestomping requires knowing what time values need to get trashed, where these times are stored, AND what supporting artifacts need to be altered. This presentation examines several file systems and operating systems and identifies what needs to be tweaked in order to effectively hide one's tracks.
Michael Robinson has over 15 years of computer security experience and is currently a computer forensic examiner in the Washington, DC area, where he deals with e-discovery and intrusion analysis. For over four years he ran IT and IA operations for a Department of Defense agency. He teaches computer forensics at the graduate level at Stevenson University in Maryland. He earned two master's degrees: one in computer forensics and one in information security.