Process “Timestomping”

This post is about thing so obvious that you will probably scratch your head why I am even writing about it. I think it is good to confirm your assumptions, test (and sometimes double test) stuff and I just happened to do it today, so since I have already done the homework, I thought it would be good to at least mention it just in case someone doesn’t know about it. So, you have been warned 🙂

Now, for the obvious part.

File timestomping is a well-known process of modifying timestamps of a file in order to hide its presence by ‘blending’ with the legitimate files.

Timestomping can be also applied to processes – malware can temporarily change the current date/time before it runs a hijacked process e.g. iexplore.exe, svchost.exe. Interestingly (but not surprisingly), the resulting process creation timestamp will be preserved by the system and tools retrieving this data, both live and offline memory analysis tools will all show the timestomped value.

In an example presented below, I changed the date on the system to 2008/1/1 and executed notepad.exe.

Both Process Explorer, and tools I used on an acquired memory dump (memoryze, volatility and red line) shown the timestomped process creation timestamp.