http://gnuwin32.sourceforge.net/packages/coreutils.htm

At that page, you'll find win32 ports of common *nix utilities. touch.exe will change the modified, accessed, and created times, but not the mft-entry-modified time.

http://www.foryoursoft.com/ftedit2.htm
http://www.attributemagic.com/ or its watered-down free version http://www.attributemagic.com/attributemagic_free.html (which is my favorite because they actually use 'contradistinction' in a sentence with a straight face)
http://www.fileedge.com/get/change-attributes/ (a list of a bunch of utilities that do this)

These are just a few of the dozens that Google found, and almost all of them include a pretty GUI but, again, only change 3 of the 4 timestamps. Which really is an issue, since the entry-modified timestamp will get updated to the time that the timestamp-changing utility was used to change the other times - kind of a giveaway that something isn't right when you look at the timeline in your forensics utils.

So... The *only* one I've seen that can change that 4th time, and the one that I would recommend above any of the others, is 'timestomp':

http://metasploit.com/projects/antiforensics/
http://metasploit.com/projects/antiforensics/timestomp.exe

As a side note: Another issue you'll run into with changing the timestamps in NTFS is the *other* set of timestamps... the timestamps that you see are stored in the file's $standard_information attribute, but there is another set in each of the $file_name attribute(s) and another in that file's entry in the directory listing - and they quite often don't match, since the $si attribute is the only one that gets updated regularly. But if the $si attribute's timestamps are before the $fn's timestamps, you know something has been fiddled with. But since you have to go out of your way to see the $fn's set of timestamps, you would have to really want to dig to even notice.

cheers
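
The $si-before-$fn check from the side note above, as an added example that is not part of the original post: it reads both timestamp sets out of a raw 1024-byte MFT FILE record and lists the $si times that predate their $fn counterparts. The function names and the sample record built by `build_record` are constructed for illustration; it assumes the record has already been carved out of $MFT and both attributes are resident.

```python
import struct
from datetime import datetime, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMES = ("created", "modified", "mft_modified", "accessed")
SI, FN = 0x10, 0x30  # $STANDARD_INFORMATION / $FILE_NAME attribute types

def filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def parse_times(rec):
    """Map attribute type -> its four timestamps, for resident $SI and first $FN."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    # Fixups are not applied: they only alter the last 2 bytes of each 512-byte sector.
    off, out = struct.unpack_from("<H", rec, 0x14)[0], {}
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 24:   # end marker or corrupt length
            break
        if atype in (SI, FN) and rec[off + 8] == 0 and atype not in out:
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            skip = 8 if atype == FN else 0     # $FN starts with the parent ref
            out[atype] = dict(zip(NAMES, struct.unpack_from("<4Q", rec, body + skip)))
        off += alen
    return out

def si_predates_fn(rec):
    """Names of $SI times earlier than the same time in the first $FN."""
    t = parse_times(rec)
    if SI not in t or FN not in t:
        return []
    return [n for n in NAMES if t[SI][n] < t[FN][n]]

def build_record(si_dt, fn_dt):
    """Constructed 1024-byte sample record, not real disk data."""
    def attr(atype, body):
        body += b"\0" * (-len(body) % 8)       # attributes are 8-byte aligned
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0,
                           len(body), 24, 0, 0) + body
    si = struct.pack("<4Q", *[filetime(si_dt)] * 4) + b"\0" * 16
    name = "a.txt".encode("utf-16-le")
    fn = (struct.pack("<Q4Q", 5, *[filetime(fn_dt)] * 4) + b"\0" * 24
          + bytes([len(name) // 2, 1]) + name)
    hdr = bytearray(b"FILE".ljust(0x38, b"\0"))
    struct.pack_into("<H", hdr, 0x14, 0x38)    # offset of first attribute
    rec = bytes(hdr) + attr(SI, si) + attr(FN, fn) + b"\xff\xff\xff\xff"
    return rec.ljust(1024, b"\0")
```

A record whose $si times were set back to 2001 while $fn still holds 2008 returns all four names; matching or later $si times return an empty list.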
