Anti-forensics
In the previous section, we saw that the penetration testing tasks leave behind multiple tracks and trails. A post-incident forensic investigation can reveal a lot about how the compromise happened. One of the important factors when performing a forensic analysis is timestamps. File timestamps help recreate a series of activities that might have happened.
Metasploit offers capabilities that could effectively be used in overriding timestamp values and mislead the forensic investigation.
At first, we use an exploit against our target to get Meterpreter access. Then we use the timestomp <filename> -v
command to list the various timestamps associated with the file:
We can now try to erase the timestamps of a file using the timestamp <filename> -b
command. This command will wipe out all the timestamps associated with the target file: