Webcast Replay – How to Identify Timestomping Using KAPE

June 15, 2022
Join Kroll's Andrew Rathbun as he walks through how to detect Timestomping using KAPE.

Timestomping is a common anti-forensic tactic that threat actors use in order to hide their tools on a victim’s file system. Detecting and analyzing timestomping can be time-consuming for examiners, but with a combination of the Kroll Artifact Parser and Extractor (KAPE), MFTECmd and Timeline Explorer, the process is expedited, allowing examiners to focus on data instead of worrying about parsing files.

In this session, Kroll expert Andrew Rathbun demonstrates how to use KAPE, MFTECmd and Timeline Explorer to acquire, parse and analyze an $MFT file to detect timestomping.

This webcast covers:

  • The basic KAPE workflow, calling MFTECmd via KAPE Modules
  • The benefits of MFTECmd
  • How to collect and parse the $MFT with KAPE and MFTECmd
  • How to detect timestomping in the parsed $MFT with Timeline Explorer
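
As an added illustration of the last bullet (not code from the webcast or from Kroll), the check below runs the two classic timestomping heuristics over constructed rows in the shape of MFTECmd's $MFT CSV: an $STANDARD_INFORMATION timestamp earlier than its $FILE_NAME counterpart, and $STANDARD_INFORMATION timestamps whose sub-second part is all zeros. The column names (`Created0x10`, `Created0x30`, and so on) are assumed to follow MFTECmd's naming, where 0x10 is $STANDARD_INFORMATION and 0x30 is $FILE_NAME.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in the shape of MFTECmd's $MFT CSV output
# (column names assumed: 0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME).
SAMPLE_CSV = """\
EntryNumber,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
101,.\\Windows\\System32,kernel32.dll,2019-03-19 04:43:11.1234567,2019-03-19 04:43:11.1234567,2019-03-19 04:43:11.1234567,2019-03-19 04:43:11.1234567
102,.\\Windows\\Temp,svchost.exe,2019-03-19 04:43:11.0000000,2022-06-01 13:22:40.5519032,2019-03-19 04:43:11.0000000,2022-06-01 13:22:40.5519032
103,.\\Users\\Public,notes.txt,2022-06-01 13:25:02.9112047,2022-06-01 13:25:02.9112047,2022-06-02 09:10:00.0000000,2022-06-01 13:25:02.9112047
"""

FMT = "%Y-%m-%d %H:%M:%S.%f"

def parse_ts(value):
    # MFTECmd prints seven fractional digits (100 ns ticks); datetime takes at most six.
    head, _, frac = value.partition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", FMT), frac

def check_row(row):
    """Return the timestomping indicators found in one parsed $MFT record."""
    flags = []
    for attr in ("Created", "LastModified"):
        si, si_frac = parse_ts(row[f"{attr}0x10"])
        fn, _ = parse_ts(row[f"{attr}0x30"])
        # $FILE_NAME is maintained by the kernel and is not reachable through the
        # usual user-mode APIs, so an $SI value earlier than $FN is suspicious.
        if si < fn:
            flags.append(f"{attr}: SI<FN")
        # Tools that set timestamps to whole seconds leave the $SI sub-second
        # part zeroed; on its own this is weaker evidence (FAT-sourced copies
        # also show it), so read it together with the SI<FN result.
        if set(si_frac) == {"0"}:
            flags.append(f"{attr}: uSecZeros")
    return flags

def find_timestomped(csv_text):
    """Map each flagged file name to the list of indicators hit."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = check_row(row)
        if flags:
            hits[row["FileName"]] = flags
    return hits

if __name__ == "__main__":
    for name, flags in find_timestomped(SAMPLE_CSV).items():
        print(name, ", ".join(flags))
```

The same two conditions are what the SI<FN and uSecZeros columns in the parsed output surface for sorting and filtering in Timeline Explorer.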

Download the webcast slides here.

Interested in learning more about KAPE? Register for one of our training and certification sessions today.

Stay Ahead with Kroll

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.


Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Data Collection and Preservation

Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.


Read more about Timestomping in our Sophisticated Anti-Forensic Tactics and How To Spot Them series.


Tools Used in This Session

  • Kroll Artifact Parser and Extractor (KAPE)
  • MFTECmd
  • Timeline Explorer

Speaker

  • Andrew Rathbun, Vice President, Cyber Risk, Kroll