File Name: SetMACE
File Submitter: joakim
File Submitted: 04 Dec 2011
File Updated: 03 Dec 2013
File Category: Security
This is an advanced filesystem timestamp manipulation tool. Some interesting features:
- Support for files and directories.
- Complete 64-bit timestamp (including the nanoseconds).
- Native 64-bit OS support (as well as 32-bit).
- Complete support for both $FILE_NAME and $STANDARD_INFORMATION timestamps, without workarounds.
- Clone timestamps from a second file (removed in v1007).
- Dump all filesystem timestamps (up to 4+4+4)...
- Dump timestamp information from within shadow copies.
- Damn hard to detect a manipulated timestamp.
From the readme.txt:
This is a filesystem timestamp manipulation tool, originally inspired by good old timestomp. Its usage is probably most extraordinary when used on NTFS, where both $STANDARD_INFORMATION and $FILE_NAME attributes are supported. It will set all 4 MACE timestamps (the reason for the app name), whereas on FAT it will set all 3 available (MAC); see earlier versions. On NTFS the 4 timestamps in the $STANDARD_INFORMATION attribute are available for modification. The 4 timestamps in the $FILE_NAME attribute are not easily modified. However, by writing directly to the physical disk, the $FILE_NAME timestamps can also be tweaked. Be sure to have read the warning below! The $FILE_NAME attribute can be present twice, giving 8 possible timestamps. Short filenames have only 1 $FILE_NAME attribute (4 timestamps), whereas files with long filenames have 2 $FILE_NAME attributes (4+4 timestamps). If links (for instance hardlinks) are present, there are even more $FILE_NAME attributes. It's all supported.
- Parameter 1 is input/target file. Must be full path like C:\folder\file.ext
- Parameter 2 determines which timestamp to update.
"-m" = LastWriteTime
"-a" = LastAccessTime
"-c" = CreationTime
"-e" = ChangeTime (in $MFT)
"-z" = all 4
"-d" = Dump existing timestamps (in UTC and adjusted for timezone configuration)
- Parameter 3 is the wanted new timestamp. The format must be strictly followed, like "1954:04:01:22:39:44:666:1234", that is YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS. The smallest possible value to set is "1601:01:01:00:00:00:000:0001". Timestamps are written as UTC 0.00 and thus will show up in Explorer as interpreted by your timezone setting. Note that nanoseconds are supported.
- Parameter 4 determines if $STANDARD_INFORMATION or $FILE_NAME attribute or both should be modified.
"-si" will only update timestamps in $STANDARD_INFORMATION (4 timestamps), or just LastWriteTime, LastAccessTime and CreationTime (3 timestamps) for non-NTFS.
"-fn" will only update timestamps in $FILE_NAME (4 timestamps for short names and 8 timestamps for long names).
"-x" will update timestamps in both $FILE_NAME and $STANDARD_INFORMATION (8 or 12 timestamps depending on filename length).
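The parameter 3 format maps directly onto the 64-bit NTFS/FILETIME value (100 ns ticks since 1601-01-01 UTC): the 3 millisecond digits plus the 4 "nanosecond" digits are exactly the 7 sub-second digits such a value can hold, which is why the floor is "1601:01:01:00:00:00:000:0001" (tick 1). The converter below is an added example for analysts reading dumps, not code from SetMACE; the function names and the rejection of tick 0 are this example's own choices.

```python
# Added example (not part of SetMACE): convert the tool's timestamp string
# "YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS" to and from the 64-bit FILETIME value,
# i.e. the number of 100 ns ticks since 1601-01-01 00:00:00 UTC.
from datetime import datetime, timedelta, timezone
import re

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # one tick = 100 ns
TIMESTAMP_RE = re.compile(
    r"^(\d{4}):(\d{2}):(\d{2}):(\d{2}):(\d{2}):(\d{2}):(\d{3}):(\d{4})$")


def parse_setmace_timestamp(text: str) -> int:
    """Return the FILETIME tick count for a SetMACE-format timestamp.

    '666:1234' is read as 6661234 ticks of 100 ns (0.6661234 s): the three
    millisecond digits and the four trailing digits together are the seven
    sub-second digits FILETIME can represent.
    """
    m = TIMESTAMP_RE.match(text)
    if not m:
        raise ValueError(f"malformed timestamp: {text!r}")
    y, mo, d, h, mi, s, ms, ns = (int(g) for g in m.groups())
    whole = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    delta = whole - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds   # integer arithmetic, no float
    ticks = seconds * TICKS_PER_SECOND + ms * 10_000 + ns
    if ticks < 1:
        # Matches the documented floor: tick 0 is below the smallest settable value.
        raise ValueError("timestamp below 1601:01:01:00:00:00:000:0001")
    return ticks


def format_setmace_timestamp(ticks: int) -> str:
    """Inverse of parse_setmace_timestamp; lossless down to the 100 ns tick."""
    seconds, sub = divmod(ticks, TICKS_PER_SECOND)
    whole = FILETIME_EPOCH + timedelta(seconds=seconds)
    ms, ns = divmod(sub, 10_000)
    return (f"{whole.year:04d}:{whole.month:02d}:{whole.day:02d}:"
            f"{whole.hour:02d}:{whole.minute:02d}:{whole.second:02d}:"
            f"{ms:03d}:{ns:04d}")
```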
Directories are also supported, just like regular files. Beware that for long filenames it is not possible to set different values in the two sets. And thinking about it, it makes no sense to support such either. On nt6.x (Vista - Windows 8) it is not easily possible to modify timestamps on the systemdrive when the host OS is running (unless you implement a kernel mode driver that can give you "SL_FORCE_DIRECT_WRITE"). However, booting to WinPE (CD, USB, PXE etc) will let this tool write directly to the volume that the local system (systemdrive) is on. This restriction only applies to this tool on nt6.x and the systemdrive while the host is running. Also beware that on nt6.x the target volume will be automatically locked/dismounted prior to physical disk writing, so be sure no heavy filesystem activity is going on on that volume when using this tool.
Dumping information with the -d switch
From version 126.96.36.199 the -d switch will also dump timestamp information from the target volume, as well as from any present shadow copies of that volume. So if the volume that the target file resides on also has shadow copies, the -d switch will also dump information for the same MFT reference from every relevant shadow copy. Matching shadow copies are identified by the volume name and serial number. The dumped information includes filename, parent ref, sequence number and hardlink number, to help identify whether the same file actually holds a particular MFT ref across shadow copies.
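Because each shadow copy preserves the MFT record as it was at snapshot time, a per-MFT-reference dump like the one above gives an examiner something to compare: for the same MFT ref, sequence number and filename, the $STANDARD_INFORMATION creation time should not change between snapshots and the modification time should not move backwards as snapshots get newer. The check below is an added example of that comparison, not SetMACE code; the record layout and the sample dump are constructed for illustration.

```python
# Added example (not part of SetMACE): cross-check one MFT record's
# $STANDARD_INFORMATION created/modified times across shadow copies.
# Heuristic: same (MFT ref, sequence number, filename) => creation time
# constant and modification time non-decreasing from older to newer snapshot.
from collections import defaultdict

# Constructed sample dump, field order assumed for this example:
# (source, snapshot_order, mft_ref, seq, filename, created, modified)
# Timestamps are fixed-width "YYYY-MM-DD HH:MM:SS.ttttttt" (7 digits = 100 ns
# ticks), so plain string comparison is chronological comparison.
SAMPLE_DUMP = [
    ("ShadowCopy1", 1, 1234, 3, "report.docx",
     "2011-10-02 09:14:31.0000000", "2011-10-02 09:20:07.1234567"),
    ("ShadowCopy2", 2, 1234, 3, "report.docx",
     "2011-10-02 09:14:31.0000000", "2011-11-15 16:02:44.0009876"),
    # Live record: both times now claim year 2000, older than every snapshot.
    ("Live", 3, 1234, 3, "report.docx",
     "2000-01-01 00:00:00.0000000", "2000-01-01 00:00:00.0000000"),
    # A file merely edited between snapshots: no anomaly expected.
    ("ShadowCopy1", 1, 77, 2, "notes.txt",
     "2011-09-30 08:00:00.0000000", "2011-09-30 08:05:00.0000000"),
    ("Live", 3, 77, 2, "notes.txt",
     "2011-09-30 08:00:00.0000000", "2011-12-01 12:00:00.0000000"),
    # Same MFT ref as notes.txt but a new sequence number: a reused record,
    # i.e. a different file, so it is never compared with ref 77 seq 2.
    ("ShadowCopy2", 2, 77, 3, "temp.tmp",
     "2011-11-01 10:00:00.0000000", "2011-11-01 10:00:00.0000000"),
]


def find_timestamp_anomalies(records):
    """Return (mft_ref, seq, source, reason) for each suspicious transition."""
    by_file = defaultdict(list)
    for source, order, ref, seq, name, created, modified in records:
        by_file[(ref, seq, name)].append((order, source, created, modified))
    anomalies = []
    for (ref, seq, _name), versions in by_file.items():
        versions.sort()                       # oldest snapshot first
        for older, newer in zip(versions, versions[1:]):
            _, src, created, modified = newer
            if created != older[2]:
                anomalies.append((ref, seq, src, "creation time changed between snapshots"))
            if modified < older[3]:
                anomalies.append((ref, seq, src, "modification time moved backwards"))
    return anomalies
```

A hit is a lead, not proof: legitimate software can rewrite these timestamps too, so the flagged record is what to pull for closer review.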
Get MFTRCRD from http://reboot.pro/fi...ols-collection/ and quickly dump a substantial amount of information about the file (all timestamps ++++).
Bypassing the filesystem and writing to physical disk is by nature a risky operation. Having said that, I have tested this new version on both XP sp3 x86 and Windows 7 x64, on which it works fine. This new method of timestamp manipulation is a whole lot harder to detect. In fact, I can't think of any method, except the presence of this tool, which does not say what the tool did. Earlier versions left traces in the $LogFile. I will still call this new version kind of experimental. I take no responsibility for any loss of data by the usage of this tool! Use only for educational purposes in non-production environments!
Setting the CreationTime in the $STANDARD_INFORMATION attribute:
setmace.exe C:\file.txt -c "2000:01:01:00:00:00:789:1234" -si
Setting the LastAccessTime in the $STANDARD_INFORMATION attribute:
setmace.exe C:\file.txt -a "2000:01:01:00:00:00:789:1234" -si
Setting the LastWriteTime in the $FILE_NAME attribute:
setmace.exe C:\file.txt -m "2000:01:01:00:00:00:789:1234" -fn
Setting the ChangeTime(MFT) in the $FILE_NAME attribute:
setmace.exe C:\file.txt -e "2000:01:01:00:00:00:789:1234" -fn
Setting all 4+4 timestamps in the $FILE_NAME attribute for a file with a long filename:
setmace.exe "C:\a long filename.txt" -z "2000:01:01:00:00:00:789:1234" -fn
Setting 1+1 timestamps ($MFT creation time * 2) in the $FILE_NAME attribute for a file with a long filename:
setmace.exe "C:\a long filename.txt" -e "2000:01:01:00:00:00:789:1234" -fn
Setting all 4+4 (or 4+8) timestamps in both $STANDARD_INFORMATION and $FILE_NAME attributes:
setmace.exe C:\file.txt -z "2000:01:01:00:00:00:789:1234" -x
Setting the LastWriteTime in both $STANDARD_INFORMATION and $FILE_NAME attribute of root directory (defined by index number):
setmace.exe C:5 -m "2000:01:01:00:00:00:789:1234" -x
Dumping all timestamps for $MFT itself:
setmace.exe C:\$MFT -d
setmace.exe C:0 -d