How to identify timestomping

Timestomping is when a file's creation or access timestamps are modified to throw investigators off the timeline. This is something you want to check on executables as well as suspected malware files.

istat (from The Sleuth Kit) addresses a file by its MFT record number, not by a path on a mounted copy, so work from the image itself. If you only know the file's path inside the volume, resolve it to a record number first with ifind:

ifind -n /path/inside/volume/to/file /path/to/image.E01

If you already have the MFT entry (the MFT record number), you can use istat directly on the E01 image:

istat /path/to/image.E01 <record number>

If the NTFS volume is a partition inside the image, both commands also need -o <sector offset> of that partition (mmls lists the offsets).

In the output, compare the “Created:” timestamp under $STANDARD_INFORMATION with the one under $FILE_NAME. NTFS fills in $FILE_NAME when the entry is named, before any data is written to it, and only the kernel updates it; $STANDARD_INFORMATION is what the user-mode file-time API, and therefore most timestomping tools, modifies. So if the $STANDARD_INFORMATION creation time is earlier than the $FILE_NAME creation time, chances are that someone modified it. Two caveats: $FILE_NAME timestamps are refreshed when a file is renamed or moved, so a stomp followed by a move can pass this check, and tools that preserve original timestamps when copying or extracting files (archive extractors, robocopy with timestamp copying) legitimately produce the same ordering, so confirm against other artifacts before concluding. A second cheap indicator is a $STANDARD_INFORMATION value whose fractional seconds are all zero, since several stomping utilities write whole-second values.
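As an added example (not part of the original page), the following Python script applies the checks above to istat output: it parses the Created/Modified/Accessed lines of the $STANDARD_INFORMATION and $FILE_NAME blocks, flags a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one, and also flags $STANDARD_INFORMATION values with all-zero fractional seconds. The sample istat output is constructed in the TSK 4.x layout; the regex also tolerates older output without fractional seconds.

```python
import re
from datetime import datetime, timezone

# Constructed sample istat output (TSK 4.x NTFS layout), not from a real case:
# $SI creation predates $FN creation and most $SI values have zeroed fractional seconds.
SAMPLE_ISTAT = """\
$STANDARD_INFORMATION Attribute Values:
Created:\t2015-07-14 03:00:00.000000000 (UTC)
File Modified:\t2015-07-14 03:00:00.000000000 (UTC)
MFT Modified:\t2023-11-02 14:17:09.512345600 (UTC)
Accessed:\t2015-07-14 03:00:00.000000000 (UTC)

$FILE_NAME Attribute Values:
Created:\t2023-11-02 14:17:09.498712300 (UTC)
File Modified:\t2023-11-02 14:17:09.498712300 (UTC)
MFT Modified:\t2023-11-02 14:17:09.498712300 (UTC)
Accessed:\t2023-11-02 14:17:09.498712300 (UTC)
"""

TS_RE = re.compile(r"^(Created|File Modified|MFT Modified|Accessed):\s+"
                   r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d+))?")

def parse_istat(text):
    """Map each '$... Attribute Values:' block to {label: (ns_since_epoch, frac_digits)}."""
    attrs, current = {}, None
    for line in text.splitlines():
        if line.endswith("Attribute Values:"):
            current = line.split()[0]  # "$STANDARD_INFORMATION" or "$FILE_NAME"
            attrs[current] = {}
            continue
        m = TS_RE.match(line)
        if m and current is not None:
            dt = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            frac = m.group(3) or ""
            ns = int(dt.timestamp()) * 10**9 + int(frac.ljust(9, "0"))
            attrs[current][m.group(1)] = (ns, frac)
    return attrs

def timestomp_indicators(text):
    """Return indicator strings; an empty list means the two attributes look consistent."""
    attrs = parse_istat(text)
    si, fn = attrs.get("$STANDARD_INFORMATION", {}), attrs.get("$FILE_NAME", {})
    findings = []
    if "Created" in si and "Created" in fn and si["Created"][0] < fn["Created"][0]:
        findings.append("$STANDARD_INFORMATION Created precedes $FILE_NAME Created")
    for label, (_, frac) in si.items():  # stomped values are often whole seconds
        if frac and set(frac) == {"0"}:
            findings.append(f"$STANDARD_INFORMATION {label} has zero fractional seconds")
    return findings
```

Feed it the output of `istat /path/to/image.E01 <record number>`; a non-empty list is a reason to look closer, not a verdict on its own.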