Timestomp Challenge - EG-CTF 2025 Forensics Write-up

Challenge Description

The goal of this challenge is to determine which file was responsible for timestomping activity.

1. Mounting the Evidence

  • Opened Timestomped.E01 using FTK Imager.

  • Exported $MFT and $LogFile from:

2. $MFT Analysis (MFTECmd)

Command used:

.\MFTECmd.exe -f '<path to>\$MFT' --csv '<output directory>' --csvf MFT.csv

Note: in PowerShell, `$MFT` inside double quotes is expanded as a variable, so either single-quote the path (as above) or escape it as `\`$MFT`. MFTECmd's `--csv` switch takes the output directory; the file name is set with `--csvf`.

3. $LogFile Analysis (NTFS Log Tracker)

  • Loaded the $LogFile along with the corresponding $MFT into NTFS Log Tracker.

  • Exported the parsed log to .csv format and saved it in the same output folder.

4. Timeline Correlation using Timeline Explorer

  • Opened both:

  • mft.csv (from MFTECmd)

  • logfile.csv (from NTFS Log Tracker)

My approach:

NTFS keeps two copies of the timestamps for each file: one set in the $STANDARD_INFORMATION attribute (0x10) and one in the $FILE_NAME attribute (0x30). The $STANDARD_INFORMATION times are the ones exposed to user-mode APIs such as SetFileTime, which is what timestomping tools modify; the $FILE_NAME times are written by the kernel when a file is created, renamed or moved and are not reachable through those APIs, so they normally survive a timestomp and can be used as a reference.

What I did to detect timestomping

I loaded the $MFT file and compared:

  • Created0x10 (from $STANDARD_INFORMATION)

  • Created0x30 (from $FILE_NAME)

  • And the same for Modified, Accessed, and Record Changed.

For normal files these pairs look like this:

  • ✅ Created, Accessed and Record Changed in $SI and $FN are very close (within a second or two), and $SI Modified is either equal to or later than $FN Modified (a file edited after creation legitimately has a newer $SI Modified).

  • ❌ If a $SI value is earlier than its $FN counterpart by a large margin, something is wrong: nothing in normal NTFS operation backdates $SI below $FN.

A second supporting indicator is $SI timestamps whose sub-second part is exactly zero; tools that set times through the file APIs often pass whole seconds, while real NTFS timestamps have 100-nanosecond resolution.
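The comparison described above, as an added example that is not part of the original write-up: it reads the MFTECmd CSV, parses the 0x10/0x30 timestamp pairs, and flags only files whose $SI value predates $FN by more than a tolerance (so a file that was simply edited after creation is not flagged). The column names are assumed to match MFTECmd's CSV output, the two sample rows are constructed for the example, and the two-second tolerance is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout MFTECmd writes (subset of columns; assumption).
# Row 41 is a normal file edited after creation; row 42 has every $SI value backdated.
SAMPLE_MFT_CSV = """EntryNumber,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30,LastAccess0x10,LastAccess0x30,LastRecordChange0x10,LastRecordChange0x30
41,.\\Users\\user\\Documents,report.docx,2025-03-02 09:14:07.1203441,2025-03-02 09:14:07.1203441,2025-03-05 16:40:12.5510023,2025-03-02 09:14:07.1203441,2025-03-05 16:40:12.5510023,2025-03-02 09:14:07.1203441,2025-03-05 16:40:12.5510023,2025-03-02 09:14:07.1203441
42,.\\Users\\user\\Documents,file_example_XLS_5000.xls,2019-06-11 08:00:00.0000000,2025-03-04 11:22:31.7789012,2019-06-11 08:00:00.0000000,2025-03-04 11:22:31.7789012,2019-06-11 08:00:00.0000000,2025-03-04 11:22:31.7789012,2019-06-11 08:00:00.0000000,2025-03-04 11:22:31.7789012
"""

# ($SI column, $FN column) pairs as named in the MFTECmd CSV (assumption).
TIMESTAMP_PAIRS = [
    ("Created", "Created0x10", "Created0x30"),
    ("Modified", "LastModified0x10", "LastModified0x30"),
    ("Accessed", "LastAccess0x10", "LastAccess0x30"),
    ("RecordChanged", "LastRecordChange0x10", "LastRecordChange0x30"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_ts(value):
    """Parse an MFTECmd timestamp. MFTECmd emits seven fractional digits
    (100 ns units); Python's %f accepts at most six, so the last digit is trimmed."""
    value = value.strip()
    if not value:
        return None
    head, _, frac = value.partition(".")
    return datetime.strptime(f"{head}.{frac[:6] or '0'}", TS_FORMAT)


def analyse_row(row, tolerance=timedelta(seconds=2)):
    """Return (backdated, usec_zeros) findings for one MFT record.

    backdated: pairs where $SI is earlier than $FN by more than `tolerance`.
    usec_zeros: pairs where the $SI value has a zero sub-second part
    (supporting indicator only; never sufficient on its own)."""
    backdated, usec_zeros = [], []
    for label, si_col, fn_col in TIMESTAMP_PAIRS:
        si, fn = parse_ts(row[si_col]), parse_ts(row[fn_col])
        if si is None or fn is None:
            continue
        # $SI later than $FN is normal for edited files; only $SI < $FN is suspicious.
        if fn - si > tolerance:
            backdated.append(f"{label}: $SI {si} predates $FN {fn} by {fn - si}")
        if si.microsecond == 0:
            usec_zeros.append(label)
    return backdated, usec_zeros


def find_timestomped(csv_text, tolerance=timedelta(seconds=2)):
    """Scan MFTECmd CSV text and return {FileName: findings} for records
    with at least one backdated $SI/$FN pair."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        backdated, usec_zeros = analyse_row(row, tolerance)
        if backdated:
            results[row["FileName"]] = {
                "entry": row["EntryNumber"],
                "backdated": backdated,
                "usec_zeros": usec_zeros,
            }
    return results


if __name__ == "__main__":
    for name, info in find_timestomped(SAMPLE_MFT_CSV).items():
        print(f"[!] MFT entry {info['entry']} {name}")
        for line in info["backdated"]:
            print("    " + line)
        if info["usec_zeros"]:
            print("    zero sub-second $SI in: " + ", ".join(info["usec_zeros"]))
```

To run it against real evidence, replace SAMPLE_MFT_CSV with the contents of the MFT.csv produced by MFTECmd; a hit on every pair plus zeroed sub-seconds is the strongest form of the pattern, while a single backdated pair still deserves a look in $LogFile or $UsnJrnl for the corresponding write.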

The file responsible for timestomping is:

file_example_XLS_5000.xls

The Evidence from file_example_XLS_5000.xls

The timestamps in $SI are older, while $FN holds the correct (newer) times.

This mismatch shows that the $SI times were deliberately set back to make the file look older, which is exactly how timestomping works: the tool can only reach $STANDARD_INFORMATION, so $FILE_NAME still records when the file really appeared on the volume.

Why I chose this file

It’s the only file in the MFT where:

  • All four $SI timestamps (Created, Modified, Accessed, Record Changed) differ from their $FN counterparts

  • The $SI values are backdated, i.e. earlier than $FN, not merely later as an edited file would be

  • This is exactly the pattern timestomping tools leave behind
