Forensic Riddle #9d – Answer

Windows Explorer uses desktop.ini files to customize the look and feel of each individual folder. Apart from an icon or image, it is also possible to change the folder’s displayed name by replacing it with a name specified inside the desktop.ini file. The new name can be either a string resource inside a DLL or, via the less-known LocalizedResourceName registry key mapping (works at least on XP), a plain string.

See screenshot for details:

Once I had created one folder like this, I copied it multiple times and in the end created a folder full of ‘Riddles’:

Process “Timestomping”

This post is about a thing so obvious that you will probably scratch your head wondering why I am even writing about it. I think it is good to confirm your assumptions, test (and sometimes double-test) stuff, and I just happened to do it today, so since I have already done the homework, I thought it would be good to at least mention it in case someone doesn’t know about it. So, you have been warned 🙂

Now, for the obvious part.

File timestomping is a well-known technique of modifying a file’s timestamps in order to hide its presence by ‘blending in’ with legitimate files.

Timestomping can also be applied to processes: malware can temporarily change the current system date/time before it launches a hijacked process, e.g. iexplore.exe or svchost.exe. Interestingly (but not surprisingly), the resulting process creation timestamp is preserved by the system, and the tools that retrieve this data, both live and offline memory analysis tools, will all show the timestomped value.

In an example presented below, I changed the date on the system to 2008/1/1 and executed notepad.exe.

Both Process Explorer and the tools I used on an acquired memory dump (Memoryze, Volatility and Redline) showed the timestomped process creation timestamp.
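Since the tools faithfully report the stomped value, the analyst has to catch it by consistency checks. The following is an added example (not from the post or any of the tools named above) that applies two such checks to a process list: a process created before the system booted, or before its own parent, has an implausible creation time. The process records and boot time are constructed sample data; in practice they would come from the memory image or from the live process list.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Proc:
    """One process record as a memory-analysis tool would list it."""
    pid: int
    ppid: int
    name: str
    create_time: datetime


def find_timestomped(procs, boot_time):
    """Return (pid, reason) for every process whose creation time is implausible.

    Check 1: no process can be created before the system booted.
    Check 2: a child cannot be created before its parent (caveat: if the
    original parent exited and its PID was reused, this check can produce a
    false positive, so treat it as a lead, not proof).
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.create_time < boot_time:
            findings.append((p.pid, f"{p.name} created before boot: {p.create_time.isoformat()}"))
            continue
        parent = by_pid.get(p.ppid)
        if parent is not None and p.create_time < parent.create_time:
            findings.append((p.pid, f"{p.name} created before its parent {parent.name} (pid {parent.pid})"))
    return findings


# Constructed sample data (hypothetical image; boot time assumed known from the dump or event log).
BOOT_TIME = datetime(2012, 5, 10, 8, 0, 0)
SAMPLE_PROCS = [
    Proc(4, 0, "System", datetime(2012, 5, 10, 8, 0, 1)),
    Proc(600, 4, "smss.exe", datetime(2012, 5, 10, 8, 0, 5)),
    Proc(1200, 600, "explorer.exe", datetime(2012, 5, 10, 8, 5, 0)),
    Proc(2400, 1200, "notepad.exe", datetime(2008, 1, 1, 0, 0, 0)),   # clock set back before launch
    Proc(3000, 1200, "cmd.exe", datetime(2012, 5, 10, 8, 1, 0)),     # after boot, but before explorer.exe
]

if __name__ == "__main__":
    for pid, reason in find_timestomped(SAMPLE_PROCS, BOOT_TIME):
        print(f"pid {pid}: {reason}")
```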