May 2, 2025

In today’s exercise, we’re Reverse Engineering: File Create, Access, and Modify Times 🧩 Quick Overview In this investigation, we will: Introduction to File Timestamps: Definition of Timestamps in Forensics: In malware analysis, file timestamps offer clues about the origin, activity, and behavior of potentially malicious files. They represent critical moments in a file’s lifecycle, enabling analyst’s to reconstruct the timeline of a system compromise. Importance in Malware Analysis and Reverse Engineering: Types of Timestamps: Creation Time: What it Represents: The creation time marks when the file was first written to disk in its current form. This could vary depending on the operating system. In Practice: In some cases, copying a file might reset the creation time, as it’s considered a new file in the new location. Uses: I believe it’s useful for identifying when files were first added to a system or storage, often relevant in auditing and forensics. Access Time: What it Represents: The last time the file was accessed or opened, even if no changes were made. How it Works: Reading or executing a file updates the access time. Modification Time: What it Represents: The last time the file’s contents were modified. In Practice: This timestamp changes only when the file’s contents are altered. Uses: Essential for version control, data integrity, and determining when a file was last actively worked on. Viewing File Timestamps in Different Operating Systems Windows In Windows, you can view timestamps by right-clicking a file, selecting Properties, and checking the Details tab. Alternatively, use the Command Prompt: Linux/Unix: Let’s Dive Into a Live stat Command Demo: I’m jumping into my Kali Linux instance on VirtualBox, and I’m currently in the examples directory. Let’s start by running the “ls” command. After we will use the command “file hello.c” and we can see it’s a C source code, ASCII text. Now using the command “ls -l” will show us the last modified time of the files in the directory and we can see it was modified May 1st at 19:36 which is 7:36 PM. We can also use the stat command to view the modified time, along with the access and change times. As you can see, the access time was 19:43:26 — that’s 7:43 p.m. and 26 seconds. These timestamps are much more precise than what you get with the “ls” command. You can clearly see the modify time and the change time as well. Now let’s go ahead and modify the hello.c file. We can do that by using the “vi hello.c” command. The vi editor is a text editor that comes pre-installed on most Linux systems. It lets you view and edit files directly from the terminal. Once you’re inside vi, the file opens in command mode by default. To start editing the file, press “i” on your keyboard — this switches you into insert mode, where you can type and make changes to the file just like in any other text editor. “When you’re done editing, press Esc to exit insert mode, then type “:wq” and hit Enter to save and quit. If you want to quit without saving, type “:q!” and press Enter.” Now, let’s run the stat command. You’ll notice that the access, modify, and change times all update to the time when I made the modification. This is important to know that when we modify the time we also change the access time. Remember the access time is when we read the file. So if I wanted to I can just look at this file or read this file by using “vi” and I’m not going to make any changes with inside this file. We’ve just opened it within vim. And if I escape and quit and do the stat command. You can see that the last access time has changed, but the modified time hasn’t — that’s because we didn’t actually change the contents of the file. The change time also remains the same, since we didn’t rewrite the file to disk, move it, or copy it elsewhere. However, because we did read and access the file, the access time was updated. This shows how each of these timestamps serves a specific purpose and why they’re important to understand. Now let’s move the file by renaming it. I’ll use the command: “mv hello.c helloOne.c.” The “mv” command in Linux is used to move or rename files. In this case, since both the source and destination are in the same directory, we’re effectively just renaming hello.c to helloOne.c. Let’s use the stat command to take a look at how the timestamps have changed. You’ll notice that the change time for hello.c is different — that’s because we modified the file’s metadata by renaming it. However, we didn’t alter the contents of the file, so the modify time remains the same as before. This demonstrates how important these timestamps are. For example, reverse engineers and malware analysts often rely on them to build timelines or to analyze the behavior of malware as it interacts with itself and other files.