AF-011 · Temporal
Timestamp Forging via Timestomper (LNK Corroboration)
Validated · timestamp-manipulation · Windows 10
Contributed by @ioi-framework · 2025-01-01
Dependent artifacts: LNK, $MFT
Reproducibility bundle: Zenodo DOI

Summary

This case demonstrates timestomping detection using LNK (shortcut) file analysis. When a file is timestomped using timestomper.exe, the MFT $STANDARD_INFORMATION (0x10) timestamps are modified. However, LNK shortcut files preserve the target file's timestamps as they were when the shortcut was created. Comparing the LNK timestamps with the current MFT timestamps reveals the forgery.

Scenario Steps

1. Set Up — Created password.docx on the Windows system. Created shortcut password.lnk pointing to password.docx. Captured the original timestamps of password.docx.

2. Tampering — Used timestomper.exe to forge timestamps of password.docx. The SetFileTime API modifies MFT $STANDARD_INFORMATION (0x10) timestamps; $FILE_NAME (0x30) timestamps remain unchanged.

3. Evidence Collection — Extracted $MFT using forensic tools. Extracted password.lnk shortcut file. Compared LNK target timestamps with MFT timestamps.

Ground Truth Criteria

  • LNK shortcut creation time matches MFT $FILE_NAME (0x30) timestamp — both preserve original time
  • MFT $STANDARD_INFORMATION (0x10) timestamp differs from LNK and $FILE_NAME timestamps
  • MFT entry number links LNK target to MFT record

Inconsistency Summary

When timestomper.exe modifies password.docx timestamps, it only changes the MFT $STANDARD_INFORMATION (0x10) attribute. The LNK shortcut file retains the original target creation time. The $FILE_NAME (0x30) attribute in MFT also preserves the original timestamp. Detection: LNK shortcut time ≈ MFT $FN (0x30), but MFT $SI (0x10) differs.

Detection Logic

-- Step 1: Get LNK file info with target timestamps
FIND lnk_files
  RETURN targetMftEntryNumber,
         targetCreatedTime AS lnkTargetCreated,
         shortcutCreatedTime AS lnkShortcutCreated

-- Step 2: Get MFT timestamps for the same entry number
FIND mft_entries WHERE mft_entries.entryNumber = lnk_files.targetMftEntryNumber
  RETURN created0x10 AS mftSiCreated, created0x30 AS mftFnCreated

-- Detection Rule (sub-second parts are dropped because the shortcut
-- was created shortly after its target, so only the fraction differs)
IF lnkShortcutCreated != mftSiCreated
  AND truncate_to_seconds(lnkShortcutCreated) = truncate_to_seconds(mftFnCreated)
THEN FLAG 'AF-011: Timestomping Detected via LNK Analysis'
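The following Python is an added example that is not code from the IoI framework or the AF-011 reproducibility bundle. It implements the detection rule above over the inconsistency described in the Inconsistency Summary, and goes one step further than the page: it also reads the target creation time that the LNK ShellLinkHeader itself records (MS-SHLLINK CreationTime field at offset 28) and reports whether that embedded time still agrees with $FN. The $MFT records, shortcut creation times and LNK bytes are constructed for illustration; the entry numbers 1234/1235, the record field names and the function name detect_af011 are assumptions. One refinement of my own: both legs of the comparison are made at one-second granularity, so a shortcut created in the same second as an untouched target does not produce a false hit.

```python
"""Corroborating $MFT timestamps against a LNK shortcut to spot timestomping.

Added example for the AF-011 case; not the IoI framework's own code.
The MFT records and LNK bytes below are constructed for illustration.
"""
import struct
from datetime import datetime, timedelta, timezone

# CLSID {00021401-0000-0000-C000-000000000046} carried by every Shell Link
# header, in its on-disk little-endian GUID layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC (datetime keeps microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_shell_link_header(target_created: datetime) -> bytes:
    """Construct a minimal 76-byte ShellLinkHeader (MS-SHLLINK 2.1) for the example.

    Only the target CreationTime matters here; other fields are zero/defaults.
    A real LNK continues with a LinkTargetIDList and further structures.
    """
    ft = datetime_to_filetime(target_created)
    return struct.pack(
        "<I16sIIQQQIIIHHII",
        0x4C, LNK_CLSID,
        0x0,          # LinkFlags
        0x20,         # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        ft, ft, ft,   # CreationTime, AccessTime, WriteTime of the *target*
        0, 0, 1,      # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0,   # HotKey, Reserved1, Reserved2, Reserved3
    )


def parse_shell_link_header(data: bytes) -> dict:
    """Extract the target timestamps the shortcut captured when it was created."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, _flags, _attrs, ctime, atime, wtime = struct.unpack_from("<I16sIIQQQ", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
    }


def truncate_to_seconds(dt: datetime) -> datetime:
    return dt.replace(microsecond=0)


def detect_af011(lnk_records: list, mft: dict) -> list:
    """AF-011: shortcut creation time agrees with $FN (0x30) but not with $SI (0x10).

    lnk_records: dicts with targetMftEntryNumber, shortcutCreatedTime, lnkBytes.
    mft: entry number -> {"name", "si_created", "fn_created"} (constructed here).
    Both legs use one-second granularity (refinement, see lead-in).
    """
    findings = []
    for lnk in lnk_records:
        rec = mft.get(lnk["targetMftEntryNumber"])
        if rec is None:
            continue  # orphaned shortcut: target record not in this $MFT
        shortcut = truncate_to_seconds(lnk["shortcutCreatedTime"])
        si = truncate_to_seconds(rec["si_created"])
        fn = truncate_to_seconds(rec["fn_created"])
        if shortcut != si and shortcut == fn:
            # Corroboration: the LNK header stores the target's creation time as it
            # was at link creation; an intact $FN should still equal it exactly.
            embedded = parse_shell_link_header(lnk["lnkBytes"])["target_created"]
            findings.append({
                "entry": lnk["targetMftEntryNumber"],
                "name": rec["name"],
                "rule": "AF-011: Timestomping Detected via LNK Analysis",
                "si_created": rec["si_created"],
                "fn_created": rec["fn_created"],
                "lnk_target_created_matches_fn": embedded == rec["fn_created"],
            })
    return findings


# --- constructed scenario (not real evidence; entry numbers are assumed) ------
ORIG = datetime(2025, 1, 1, 9, 0, 0, 123456, tzinfo=timezone.utc)   # password.docx created
FORGED = datetime(2019, 6, 15, 12, 0, 0, tzinfo=timezone.utc)        # value timestomper wrote
CLEAN = datetime(2025, 1, 1, 9, 5, 0, 200000, tzinfo=timezone.utc)   # untouched control file

SAMPLE_MFT = {
    1234: {"name": "password.docx", "si_created": FORGED, "fn_created": ORIG},  # $SI rewritten, $FN intact
    1235: {"name": "report.docx", "si_created": CLEAN, "fn_created": CLEAN},    # consistent
}
SAMPLE_LNKS = [
    {"targetMftEntryNumber": 1234, "lnkBytes": build_shell_link_header(ORIG),
     "shortcutCreatedTime": ORIG + timedelta(microseconds=650000)},   # link made moments later
    {"targetMftEntryNumber": 1235, "lnkBytes": build_shell_link_header(CLEAN),
     "shortcutCreatedTime": CLEAN + timedelta(microseconds=300000)},
]

if __name__ == "__main__":
    for f in detect_af011(SAMPLE_LNKS, SAMPLE_MFT):
        print(f"{f['rule']}: entry {f['entry']} ({f['name']}) "
              f"$SI={f['si_created']:%Y-%m-%d %H:%M:%S} vs $FN={f['fn_created']:%Y-%m-%d %H:%M:%S}; "
              f"LNK-embedded target time matches $FN: {f['lnk_target_created_matches_fn']}")
```

Run as a script it reports only password.docx: its shortcut was created in the same second as the $FN creation time while $SI now claims 2019, and the creation time embedded in the shortcut header still equals $FN. The report.docx control, whose shortcut was also created within a second of the file, is not reported because its $SI and $FN agree.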