SANS Digital Forensics and Incident Response Blog: Tag - artifacts

PowerShell Timestamp Manipulation

Manipulating timestamps on Unix and Linux systems is as simple as touching a file on the file system. Of course, the individual attempting to modify timestamps will need to have permissions to do so on the file(s) in question.
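An added example, not code from the original post: `touch` (here its Python equivalent, `os.utime`) rewrites only the access and modification times, while the kernel sets the inode change time (ctime) to the moment of the change, so a backdated file is left with a ctime far newer than its mtime. The sketch assumes a Unix or Linux file system, where `st_ctime` is the inode change time; the file names, the 2001 date and the one-day threshold are constructed for illustration.

```python
import os
import tempfile
import time


def timestamp_gap(path):
    """Seconds by which the inode change time (ctime) exceeds the mtime."""
    st = os.lstat(path)
    return st.st_ctime - st.st_mtime


def flag_backdated(root, min_gap=86400):
    """Return (path, gap) for files whose ctime is at least min_gap seconds
    newer than their mtime. This is a lead, not proof: chmod, rename and
    archive extraction also advance ctime without touching mtime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            gap = timestamp_gap(path)
            if gap >= min_gap:
                hits.append((path, round(gap)))
    return sorted(hits)


def build_sample(root):
    """Constructed sample: one untouched file and one backdated file."""
    normal = os.path.join(root, "normal.txt")
    backdated = os.path.join(root, "backdated.txt")
    for path in (normal, backdated):
        with open(path, "w") as fh:
            fh.write("sample\n")
    old = time.mktime((2001, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(backdated, (old, old))  # sets atime and mtime only, as touch does
    return normal, backdated


def demo():
    """Build the sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        normal, _backdated = build_sample(root)
        hits = flag_backdated(root)
        return [os.path.basename(p) for p, _gap in hits], timestamp_gap(normal)


if __name__ == "__main__":
    names, normal_gap = demo()
    print("flagged:", names)
    print("gap on untouched file: %.3f s" % normal_gap)
```
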

On Windows-based systems, changing timestamps has historically required the use of third-party tools. However, Windows 7 and Windows Server 2008 will reportedly ship with Windows PowerShell installed.

Among the many advanced capabilities of Windows PowerShell is the ability to modify three different timestamps for Windows file systems. These are the file creation time, last access time and modification time. Forensic analysts should also be familiar with the metadata change time that is updated to reflect changes in