Completely change MACE timestamps?

Hi,

One of my friends, Sandy, asked me whether it is possible to completely change MACE timestamps. As everybody knows, some tools can change only the MAC timestamps. I told her that a tool named "Timestomp" can change all four MACE timestamps, including the Entry Modified time. She was very surprised and asked me how to use Timestomp. I will show you below:

1. A file, test.txt. Look at its MAC timestamps: "10/29/2013 09:44:35".

2. Use Timestomp to display the MACE timestamps.

3. Now I use Timestomp to change the MACE timestamps to an earlier time, such as "10/08/2005 14:34:56". You can see that the MACE timestamps changed to exactly what I specified.

4. If you are not sure whether the MACE timestamps really changed, I use another tool to verify the MACE timestamps of test.txt again. It works: all four timestamps have become "10/08/2005 14:34:56".

5. My friend then wondered: if a suspect uses Timestomp to change MACE timestamps, how could I figure it out? Fortunately, there are two sets of timestamps in the MFT: the Standard Information attribute ($STANDARD_INFORMATION) and the Filename attribute ($FILE_NAME). I dumped the MFT to CSV, and you can see both sets clearly. Even though Timestomp can change MACE timestamps, it only changes the Standard Information timestamps, not the Filename timestamps. So we can look at the MFT dump and check whether there is any abnormal discrepancy between those two sets of timestamps.
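The comparison described in step 5, as an added example that is not part of the original post: it reads an MFT dump in CSV form and flags records whose $STANDARD_INFORMATION timestamps are inconsistent with their $FILE_NAME timestamps. The column names, the ISO-8601 timestamp format with a seven-digit 100-nanosecond fraction, and the two sample rows are assumptions and constructed data (the post does not name its dump tool or show its column layout), so rename the headers to match whatever your tool emits.

```python
import csv
import io
from datetime import datetime

# Assumed column names of an MFT-to-CSV dump. The post does not name its dump
# tool, so this header layout is hypothetical; rename to match your own dump.
SI_COLS = ("si_created", "si_modified", "si_accessed", "si_entry_modified")  # $STANDARD_INFORMATION
FN_COLS = ("fn_created", "fn_modified", "fn_accessed", "fn_entry_modified")  # $FILE_NAME

# Constructed sample dump: test.txt mirrors the post ($SI set back to 2005 while
# $FN still holds the real 2013 creation time); notes.txt is an untouched file.
SAMPLE_CSV = """\
filename,si_created,si_modified,si_accessed,si_entry_modified,fn_created,fn_modified,fn_accessed,fn_entry_modified
test.txt,2005-10-08 14:34:56,2005-10-08 14:34:56,2005-10-08 14:34:56,2005-10-08 14:34:56,2013-10-29 09:44:35.1234567,2013-10-29 09:44:35.1234567,2013-10-29 09:44:35.1234567,2013-10-29 09:44:35.1234567
notes.txt,2013-10-29 09:44:35.1234567,2013-10-29 10:02:11.5550000,2013-10-29 10:02:11.5550000,2013-10-29 10:02:11.5550000,2013-10-29 09:44:35.1234567,2013-10-29 09:44:35.1234567,2013-10-29 09:44:35.1234567,2013-10-29 09:44:35.1234567
"""


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' into (datetime, 100ns ticks).

    NTFS stores 100-nanosecond ticks. The fraction is kept separately because
    datetime only holds microseconds and the fraction itself is evidence.
    """
    base, _, frac = text.strip().partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return stamp, ticks


def check_record(row):
    """Return a list of anomaly descriptions for one MFT record (empty if clean)."""
    si = {col: parse_ts(row[col]) for col in SI_COLS}
    fn = {col: parse_ts(row[col]) for col in FN_COLS}
    findings = []

    # Rule 1: $FN created is written by the file system when the name is created
    # and is not reachable through SetFileTime, so a $SI created earlier than it
    # means the $SI clock was set back. Only created-vs-created is compared: the
    # $SI modified time of a copied file legitimately predates its $FN created.
    si_created, fn_created = si["si_created"][0], fn["fn_created"][0]
    if si_created < fn_created:
        findings.append(
            f"$SI created ({si_created}) predates $FN created ({fn_created})")

    # Rule 2: Timestomp takes whole-second input, so all four stomped $SI values
    # end with a zero 100ns fraction while the untouched $FN values keep theirs.
    if all(t == 0 for _, t in si.values()) and any(t != 0 for _, t in fn.values()):
        findings.append("all $SI timestamps have a zero sub-second part; $FN does not")
    return findings


def scan(csv_text):
    """Map each filename in the dump to its list of findings."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["filename"]: check_record(row) for row in rows}


if __name__ == "__main__":
    for name, issues in scan(SAMPLE_CSV).items():
        print(f"{name}: {'SUSPICIOUS' if issues else 'ok'}")
        for issue in issues:
            print(f"  - {issue}")
```

Running the script prints test.txt as suspicious on both rules and notes.txt as clean. Both rules are heuristics for triage rather than proof: rule 1 deliberately compares only the two creation times, because a file copied from elsewhere keeps the source's modification time in $SI while receiving a fresh $FN, and a record with no findings is not evidence that it was never touched. Corroborate hits with other sources, such as $LogFile, $UsnJrnl and the surrounding records in the same directory.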

Time: 2024-07-30 01:26:22
