Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. A timeline built from $STANDARD_INFORMATION timestamps or from the cleared log alone is unreliable until it is corroborated by the sources below.
Signals
- Event ID 1102 (Security log cleared, written to the Security log by Microsoft-Windows-Eventlog) or Event ID 104 (any other event log cleared, written to the System log) detected; both survive the clear, since 1102 is the first entry in the emptied Security log and 104 lands in the System log rather than the cleared one
- $STANDARD_INFORMATION timestamps in the MFT that predate the $FILE_NAME timestamps of the same record, or that all end on a whole second (zeroed sub-second precision), since user-mode tools such as Timestomp rewrite $STANDARD_INFORMATION but not $FILE_NAME (timestomping indicators)
- Prefetch files deleted, or Amcache/ShimCache entries missing, for binaries that other telemetry shows were executed
- Known anti-forensic tools (Timestomp, CCleaner, SDelete) identified in process telemetry or on disk, or built-in clearing commands such as wevtutil cl and Clear-EventLog in command-line telemetry
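The following is an added example (not code from the original playbook) showing how the log-clearing signals and the tool-execution trail can be correlated: it pairs each 1102/104 event with the clearing-tool process that started shortly before it, and flags every anti-forensic tool execution on its own, because that process-creation trail lives in Sysmon or EDR telemetry that the cleared log does not take with it. Channel names, event IDs and field names follow Windows and Sysmon conventions; the hosts, users, paths and timestamps in the sample telemetry are constructed.

```python
"""Added example, not part of the original playbook: correlate log-clearing
events with the process that did the clearing, over constructed telemetry.
Channel names, event IDs and field names follow Windows/Sysmon conventions;
the users, paths and timestamps below are made up."""
import re
from datetime import datetime, timedelta

SECURITY_LOG_CLEARED = 1102      # Security channel: the Security log was cleared
OTHER_LOG_CLEARED = 104          # System channel: some other event log was cleared
SYSMON_PROCESS_CREATE = 1
SECURITY_PROCESS_CREATE = 4688
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Command-line patterns for the tools the playbook names plus the built-in log clearers.
ANTI_FORENSIC_PATTERNS = {
    "wevtutil clear-log": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "PowerShell Clear-EventLog": re.compile(r"\bclear-eventlog\b", re.I),
    "SDelete": re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I),
    "Timestomp": re.compile(r"\btimestomp\b", re.I),
    "CCleaner": re.compile(r"\bccleaner(64)?(\.exe)?\b", re.I),
}
LOG_CLEARERS = {"wevtutil clear-log", "PowerShell Clear-EventLog"}

def _t(ev):
    return datetime.fromisoformat(ev["time"])

def classify(ev):
    """Names of the anti-forensic patterns that match a process-creation event."""
    text = f"{ev.get('image', '')} {ev.get('command_line', '')}"
    return [name for name, rx in ANTI_FORENSIC_PATTERNS.items() if rx.search(text)]

def is_process_create(ev):
    return ((ev["channel"] == SYSMON and ev["event_id"] == SYSMON_PROCESS_CREATE) or
            (ev["channel"] == "Security" and ev["event_id"] == SECURITY_PROCESS_CREATE))

def is_log_cleared(ev):
    return ((ev["channel"] == "Security" and ev["event_id"] == SECURITY_LOG_CLEARED) or
            (ev["channel"] == "System" and ev["event_id"] == OTHER_LOG_CLEARED))

def correlate(events, window=timedelta(minutes=10)):
    """Pair each clear event with clearing-tool process starts shortly before it, and flag
    every anti-forensic tool execution on its own (that trail survives the cleared log)."""
    events = sorted(events, key=_t)
    procs = [e for e in events if is_process_create(e)]
    findings = []
    for ev in events:
        if is_log_cleared(ev):
            cleared = ev.get("cleared_channel", "Security")
            cands = [p for p in procs
                     if timedelta(0) <= _t(ev) - _t(p) <= window and set(classify(p)) & LOG_CLEARERS]
            # prefer the candidate whose command line names the channel that was cleared
            named = [p for p in cands if cleared.lower() in p["command_line"].lower()]
            findings.append({"type": "log_cleared", "time": ev["time"], "channel": cleared,
                             "user": ev.get("user"), "candidates": [p["command_line"] for p in named or cands]})
        elif is_process_create(ev) and classify(ev):
            findings.append({"type": "anti_forensic_tool", "time": ev["time"], "user": ev.get("user"),
                             "tools": classify(ev), "command_line": ev["command_line"]})
    return findings

# Constructed sample telemetry (not real logs): a benign process, a secure-delete run,
# then two log clears, one via wevtutil and one via PowerShell.
SAMPLE_EVENTS = [
    {"time": "2024-03-12T08:00:00", "channel": SYSMON, "event_id": 1, "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
    {"time": "2024-03-12T09:58:40", "channel": SYSMON, "event_id": 1, "user": r"CORP\jsmith",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\sdelete64.exe",
     "command_line": r"sdelete64.exe -p 3 C:\Users\jsmith\Downloads\loader.exe"},
    {"time": "2024-03-12T10:01:05", "channel": SYSMON, "event_id": 1, "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl Security"},
    {"time": "2024-03-12T10:01:07", "channel": "Security", "event_id": 1102, "user": r"CORP\jsmith",
     "cleared_channel": "Security"},
    {"time": "2024-03-12T10:01:20", "channel": SYSMON, "event_id": 1, "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -c Clear-EventLog -LogName "Windows PowerShell"'},
    {"time": "2024-03-12T10:01:22", "channel": "System", "event_id": 104, "user": r"CORP\jsmith",
     "cleared_channel": "Windows PowerShell"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the two clear events are each attributed to the single process whose command line names the cleared channel, and the SDelete run is reported separately even though no log-clear follows it. In production the event dictionaries would be filled from the EVTX or EDR export of the channels named above; the Security-log 4688 path only helps when the Security log was not itself cleared, which is why the Sysmon and EDR channels are listed first.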
Pivot Actions
1. Use $MFT $FILE_NAME timestamps (not writable through the file-time APIs that timestomping tools use) and USN Journal entries as a more reliable timeline source. Caveat: NTFS copies the current $STANDARD_INFORMATION values into $FILE_NAME when a file is renamed or moved, so a rename after the stomp carries the faked values into $FILE_NAME as well; corroborate with the USN Journal and $LogFile rather than trusting $FILE_NAME alone.
2. Cross-reference endpoint timestamps with external sources (DC logs, SIEM, proxy) that the attacker could not modify.
3. Analyze NTFS artifacts ($LogFile, $UsnJrnl), which often retain evidence of the original file operations even after timestomping. Both are circular and roll over within hours or days on a busy volume, so acquire them before anything else is written to the disk.
4. Look for evidence of the anti-forensic tool execution itself: the act of clearing logs leaves its own trail (Event ID 1102/104, a wevtutil.exe or PowerShell process start in Sysmon or EDR telemetry, the tool's own prefetch and Amcache entries).
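Pivot actions 1 and 3 both come down to reading what is actually stored in the MFT record. The following added example (not code from the original playbook) is a minimal parser for raw NTFS FILE records that applies the update-sequence fixups, pulls the $STANDARD_INFORMATION and $FILE_NAME timestamps, and runs the two timestomping checks from the signals list: $STANDARD_INFORMATION created earlier than $FILE_NAME, and $STANDARD_INFORMATION values with zeroed sub-second precision. Because it has to run offline, the two records it examines are constructed in the same script with the real on-disk layout; the file names, timestamps and record numbers are made up, and on a real case parse_record() would be fed 1024-byte records carved from the $MFT of an image.

```python
"""Added example, not part of the original playbook: a minimal parser for raw
NTFS MFT FILE records that pulls the $STANDARD_INFORMATION ($SI) and
$FILE_NAME ($FN) timestamps and applies the timestomping checks.
The records are constructed in-script (file names, times and record numbers
are made up) so it runs offline; feed parse_record() real $MFT records
from an image to use it on a case."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)        # FILETIME epoch
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF

def filetime(iso, ticks=0):
    """UTC ISO-8601 string -> FILETIME (100 ns units); ticks adds sub-second 100 ns units."""
    dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(microseconds=1) * 10 + ticks

def filetime_str(ft):
    return (EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S") + f".{ft % 10_000_000:07d}"

def apply_fixups(rec, sector=512):
    """Undo NTFS update-sequence fixups: restore the last two bytes of each sector."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * sector - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(rec):
    """-> {'record': n, 'si': 4 FILETIMEs (created, modified, MFT-modified, accessed) or None, 'fn': [{'name', 'ts'}]}"""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    off, = struct.unpack_from("<H", rec, 0x14)                 # offset of first attribute
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "si": None, "fn": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                                  # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                out["si"] = struct.unpack_from("<4Q", body, 0)
            elif atype == ATTR_FN:                             # 8-byte parent ref, then the 4 timestamps
                name = body[66:66 + 2 * body[64]].decode("utf-16-le")
                out["fn"].append({"name": name, "ts": struct.unpack_from("<4Q", body, 8)})
        off += alen
    return out

def timestomp_indicators(parsed):
    """$SI older than $FN, or all $SI values on a whole second (SetFileTime-style backdating)."""
    si, hits = parsed["si"], []
    if si is None:
        return hits
    if all(t % 10_000_000 == 0 for t in si):
        hits.append("all four $SI timestamps end on a whole second")
    for fn in parsed["fn"]:
        if si[0] < fn["ts"][0]:
            hits.append(f"$SI created {filetime_str(si[0])} but $FN '{fn['name']}' created {filetime_str(fn['ts'][0])}")
    return hits

# ---- constructed records for the demo only; case work starts at parse_record() ----
def _attr(atype, body):
    total = (0x18 + len(body) + 7) & ~7                        # resident attribute header is 0x18 bytes
    return struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) + body.ljust(total - 0x18, b"\0")

def build_record(record_no, si_ts, fn_ts, name):
    si = struct.pack("<4Q4I2I2Q", *si_ts, 0x20, 0, 0, 0, 0, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5, *fn_ts, 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = _attr(ATTR_SI, si) + _attr(ATTR_FN, fn) + struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024, 0, 3, 0, record_no)
    rec = bytearray(hdr.ljust(0x38, b"\0") + attrs).ljust(1024, b"\0")
    rec[0x30:0x36] = b"\x01\x00" + rec[510:512] + rec[1022:1024]   # update sequence array
    rec[510:512] = rec[1022:1024] = b"\x01\x00"                   # sector tails hold the USN on disk
    return bytes(rec)

def sample_records():
    real = (filetime("2024-03-12T09:14:33", 4_418_207),) * 4       # genuine 100 ns precision
    backdated = (filetime("2019-06-01T12:00:00"),) * 4            # whole seconds, as a timestomp writes
    return [build_record(4012, real, real, "report.docx"),         # untouched file
            build_record(4013, backdated, real, "invoice.pdf")]    # $SI stomped, $FN left alone

def analyze(records):
    return {p["fn"][0]["name"]: timestomp_indicators(p) for p in map(parse_record, records)}

if __name__ == "__main__":
    for name, hits in analyze(sample_records()).items():
        print(name, "->", hits or "no indicators")
```

The untouched record yields no indicators; the backdated one trips both checks. The whole-second check is a heuristic, not proof: a file whose timestamps were set by an archive extractor can legitimately carry coarse values, so treat it as a prompt to pull the USN Journal and $LogFile entries for that record rather than as a finding on its own.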
Alternate Evidence Sources
- NTFS $MFT $FILE_NAME timestamps and $UsnJrnl:$J change records
- Domain controller and SIEM logs that exist outside attacker control
- Cloud audit logs (M365 Unified Audit Log, Azure AD / Entra ID sign-in and audit logs) independent of on-prem manipulation
- EDR telemetry recorded in a cloud-hosted backend beyond attacker reach