In today’s exercise, we’re Reverse Engineering: File Create, Access, and Modify Times
🧩 Quick Overview
In this investigation, we will:
- Explain what file timestamps are and their purpose in operating systems.
- Define and distinguish between the three main timestamps: creation time, access time, and modification time.
- Understand how to view and interpret timestamps in different operating systems.
- Discuss practical applications and implications of file timestamps.
Introduction to File Timestamps:
Definition of Timestamps in Forensics:
In malware analysis, file timestamps offer clues about the origin, activity, and behavior of potentially malicious files. They represent critical moments in a file’s lifecycle, enabling analyst’s to reconstruct the timeline of a system compromise.
Importance in Malware Analysis and Reverse Engineering:
- Evidence Collection: Timestamps serve as evidence to identify when malware was dropped, accessed, or altered.
- Timeline Reconstruction: Knowing when files were created, accessed, or modified helps analysts reconstruct events leading up to, during, and after an attack.
- Detection of Anti-Forensic Techniques: Malware may attempt to manipulate timestamps to avoid detection.
Types of Timestamps:
- Creation Time: When the file was originally created.
- Access Time: When the file was last read.
- Modification Time: When the file was last written to or modified.
Creation Time:
What it Represents:
The creation time marks when the file was first written to disk in its current form. This could vary depending on the operating system.
In Practice:
In some cases, copying a file might reset the creation time, as it’s considered a new file in the new location.
- In Unix/Linux, creation time is not always preserved, as it may show when the file was added to a particular directory.
Uses:
I believe it’s useful for identifying when files were first added to a system or storage, often relevant in auditing and forensics.
Access Time:
What it Represents:
The last time the file was accessed or opened, even if no changes were made.
How it Works:
Reading or executing a file updates the access time.
- On many systems, frequent updates to access times can slow performance, so some systems only update a time periodically.
Modification Time:
What it Represents:
The last time the file’s contents were modified.
In Practice:
This timestamp changes only when the file’s contents are altered.
- It’s distinct from metadata changes; renaming or changing file permissions does not affect mtime
Uses:
Essential for version control, data integrity, and determining when a file was last actively worked on.
Viewing File Timestamps in Different Operating Systems
Windows
In Windows, you can view timestamps by right-clicking a file, selecting Properties, and checking the Details tab.
Alternatively, use the Command Prompt:
- dir command shows basic timestamps.
- forfiles command can be used to query and filter files by date.
Linux/Unix:
- In Linux, the ls -l command shows modification time.
- Use stat <filename> to view a full set of timestamps.
Let’s Dive Into a Live stat Command Demo:
I’m jumping into my Kali Linux instance on VirtualBox, and I’m currently in the examples directory. Let’s start by running the “ls” command.
After we will use the command “file hello.c” and we can see it’s a C source code, ASCII text.
Now using the command “ls -l” will show us the last modified time of the files in the directory and we can see it was modified May 1st at 19:36 which is 7:36 PM.
We can also use the stat command to view the modified time, along with the access and change times. As you can see, the access time was 19:43:26 — that’s 7:43 p.m. and 26 seconds. These timestamps are much more precise than what you get with the “ls” command. You can clearly see the modify time and the change time as well.
Now let’s go ahead and modify the hello.c file. We can do that by using the “vi hello.c” command. The vi editor is a text editor that comes pre-installed on most Linux systems. It lets you view and edit files directly from the terminal.
Once you’re inside vi, the file opens in command mode by default. To start editing the file, press “i” on your keyboard — this switches you into insert mode, where you can type and make changes to the file just like in any other text editor.
“When you’re done editing, press Esc to exit insert mode, then type “:wq” and hit Enter to save and quit. If you want to quit without saving, type “:q!” and press Enter.”
Now, let’s run the stat command. You’ll notice that the access, modify, and change times all update to the time when I made the modification. This is important to know that when we modify the time we also change the access time. Remember the access time is when we read the file.
So if I wanted to I can just look at this file or read this file by using “vi” and I’m not going to make any changes with inside this file. We’ve just opened it within vim. And if I escape and quit and do the stat command.
You can see that the last access time has changed, but the modified time hasn’t — that’s because we didn’t actually change the contents of the file. The change time also remains the same, since we didn’t rewrite the file to disk, move it, or copy it elsewhere. However, because we did read and access the file, the access time was updated. This shows how each of these timestamps serves a specific purpose and why they’re important to understand.
Now let’s move the file by renaming it. I’ll use the command: “mv hello.c helloOne.c.” The “mv” command in Linux is used to move or rename files. In this case, since both the source and destination are in the same directory, we’re effectively just renaming hello.c to helloOne.c.
Let’s use the stat command to take a look at how the timestamps have changed. You’ll notice that the change time for hello.c is different — that’s because we modified the file’s metadata by renaming it. However, we didn’t alter the contents of the file, so the modify time remains the same as before. This demonstrates how important these timestamps are. For example, reverse engineers and malware analysts often rely on them to build timelines or to analyze the behavior of malware as it interacts with itself and other files.
