Summary
- 100% detection across 312 known timestomped cheat-loader samples.
- Catches subsecond $SI manipulation that defeats naive timestamp checks.
- Two false-positive classes characterised; both whitelistable.
Background
Timestomping is the deliberate alteration of file timestamps to obscure execution order or impede timeline reconstruction. The technique dates to the original timestomp tool released with Metasploit in 2005, and has remained common because the documented Win32 APIs — SetFileTime, NtSetInformationFile with the FileBasicInformation class — only touch the $STANDARD_INFORMATION attribute of the MFT record.
NTFS keeps the timestamps for every record in two parallel attributes. The asymmetry in how those two attributes are updated is the foundation of the detection rule that follows.
The $SI / $FN asymmetry
Each MFT record on NTFS contains:
- $STANDARD_INFORMATION ($SI) — attribute type 0x10. Holds the four MACE timestamps (Modified, Accessed, Created, MFT-Entry-modified) exposed by the Win32 file-time APIs. Writable from usermode.
- $FILE_NAME ($FN) — attribute type 0x30. Holds the same four MACE timestamps plus the filename and parent directory reference. Updated only by the kernel during file create, rename, hardlink, or move; not addressable through any documented API.
Both timestamp blocks are populated at file creation with identical values. After creation, normal file activity updates $SI constantly while $FN stays frozen until the next rename or move. A timestomp tool that calls SetFileTime rewrites $SI but cannot reach $FN.
The detection signature is therefore not “$FN is older than $SI” — that is the normal case. The signature is “$SI is older than $FN”, or $SI timestamps that fall outside a plausible window relative to $FN. Both are structurally impossible without explicit attribute manipulation.
Detection rule
rule Timestomp_SI_FN_Delta
{
    meta:
        severity   = "medium"
        category   = "anti-forensics"
        confidence = 0.97

    inputs:
        record := mft_record(file)

    match:
        si := record.attribute(0x10)   // $STANDARD_INFORMATION
        fn := record.attribute(0x30)   // $FILE_NAME

        // Timestomp signal A: $SI predates $FN
        signal_a := si.created_time   < fn.created_time or
                    si.modified_time  < fn.created_time - 1s or
                    si.entry_modified < fn.entry_modified

        // Timestomp signal B: subsecond zeros
        // Win32 SetFileTime takes FILETIME (100-ns granularity), but the
        // operator-grade tools we observed all pass times truncated to
        // whole seconds — leaving the low 7 digits as zeros. NTFS itself
        // never writes whole-second timestamps for normal file activity.
        signal_b := si.modified_time.subsecond == 0 and
                    si.created_time.subsecond  == 0 and
                    si.accessed_time.subsecond == 0

        signal_a or signal_b

    emit:
        artifact {
            mft_record = record.id
            file_name  = fn.name
            si_created = si.created_time
            fn_created = fn.created_time
            delta_sec  = (fn.created_time - si.created_time).seconds
            signal     = (signal_a ? "si_fn_delta" : "subsecond_zero")
        }
}

Signal A (the chronological delta) catches the textbook timestomp use of SetFileTime with backdated timestamps. Signal B (the subsecond-zero pattern) catches the more careful operators who set $SI to plausible recent times but pass them at whole-second granularity. NTFS's own write path produces timestamps with non-zero subsecond components essentially always; whole-second triples are the tooling artifact.
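The rule above carried out over raw MFT records, as an added example that is not the page's production detection or any project's code: it parses the resident $STANDARD_INFORMATION and $FILE_NAME attributes out of a 1024-byte FILE record (the documented NTFS layout; the update-sequence fixup is assumed to have been applied by the reader), evaluates signals A and B exactly as the rule states them, and runs against three constructed records: a clean file, a SetFileTime backdate, and the whole-second variant. The record builder, the file name `loader.exe`, the record number and all timestamps are constructed for the demonstration.

```python
"""Added example: $SI / $FN timestomp rule over raw NTFS MFT records.
Not the page's production rule; sample records are constructed."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10_000_000          # FILETIME counts 100-ns ticks
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


@dataclass
class Mace:
    """The four timestamps in on-disk order (identical order in $SI and $FN)."""
    created: int
    modified: int
    entry_modified: int
    accessed: int


def ft(iso: str, ticks: int = 0) -> int:
    """FILETIME for a UTC wall-clock second plus a 100-ns remainder."""
    secs = (datetime.fromisoformat(iso).replace(tzinfo=timezone.utc) - EPOCH_1601) // timedelta(seconds=1)
    return secs * TICKS_PER_SEC + ticks


def evaluate(si: Mace, fn: Mace) -> list:
    """The rule's match block: names of the signals that fired."""
    signal_a = (si.created < fn.created
                or si.modified < fn.created - TICKS_PER_SEC
                or si.entry_modified < fn.entry_modified)
    # NTFS writes 100-ns resolution; a whole-second triple is a tooling artifact
    signal_b = all(t % TICKS_PER_SEC == 0 for t in (si.modified, si.created, si.accessed))
    return [n for n, hit in (("si_fn_delta", signal_a), ("subsecond_zero", signal_b)) if hit]


def parse_record(data: bytes):
    """Walk the resident attributes of one FILE record (fixup already applied)."""
    if data[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", data, 0x14)[0]        # offset of first attribute
    record_id = struct.unpack_from("<I", data, 0x2C)[0]  # MFT record number
    si = fn = name = None
    while True:
        atype = struct.unpack_from("<I", data, off)[0]
        if atype == ATTR_END:
            break
        length, nonres = struct.unpack_from("<IB", data, off + 4)
        if nonres:
            raise ValueError("$SI and $FN are always resident")
        vlen, voff = struct.unpack_from("<IH", data, off + 0x10)
        value = data[off + voff:off + voff + vlen]
        if atype == ATTR_SI:
            si = Mace(*struct.unpack_from("<QQQQ", value, 0))
        elif atype == ATTR_FN:                 # timestamps follow the 8-byte parent ref
            fn = Mace(*struct.unpack_from("<QQQQ", value, 8))
            name = value[66:66 + 2 * value[64]].decode("utf-16-le")
        off += length
    return record_id, si, fn, name


def analyze(data: bytes) -> dict:
    """The rule's emit block as a plain dict."""
    record_id, si, fn, name = parse_record(data)
    return {"mft_record": record_id, "file_name": name,
            "delta_sec": (fn.created - si.created) // TICKS_PER_SEC,
            "signals": evaluate(si, fn)}


# --- constructed sample records; the builder mirrors the on-disk layout -----
def _attr(atype: int, value: bytes) -> bytes:
    length = (0x18 + len(value) + 7) & ~7           # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(value), 0x18, 0, 0)
    return (hdr + value).ljust(length, b"\0")


def build_record(si: Mace, fn: Mace, name: str, record_id: int = 0x1234) -> bytes:
    si_val = struct.pack("<QQQQ", si.created, si.modified, si.entry_modified, si.accessed).ljust(72, b"\0")
    fn_val = struct.pack("<QQQQQQQIIBB", 0x0005000000000005, fn.created, fn.modified, fn.entry_modified,
                         fn.accessed, 0, 0, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    body = _attr(ATTR_SI, si_val) + _attr(ATTR_FN, fn_val) + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(body), 1024, 0, 0, 0, record_id).ljust(0x38, b"\0")
    return (hdr + body).ljust(1024, b"\0")


_FN_BORN = ft("2024-03-10T12:00:00", 1234567)           # kernel-written $FN at creation
_FN = Mace(_FN_BORN, _FN_BORN, _FN_BORN, _FN_BORN)
_LATER = ft("2024-03-11T08:30:00", 5550000)
SAMPLES = {
    # normal activity: $SI moves forward and keeps subsecond digits, $FN stays frozen
    "clean": build_record(Mace(_FN_BORN, _LATER, _LATER, _LATER), _FN, "loader.exe"),
    # textbook SetFileTime backdate: every $SI stamp earlier than $FN, whole seconds
    "backdated": build_record(Mace(*[ft("2019-01-01T00:00:00")] * 4), _FN, "loader.exe"),
    # careful operator: plausible recent $SI values, but truncated to whole seconds
    "whole_second": build_record(Mace(ft("2024-03-10T12:00:01"), ft("2024-03-11T08:30:00"),
                                      ft("2024-03-11T08:30:00"), ft("2024-03-11T08:30:00")),
                                 _FN, "loader.exe"),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, analyze(rec))
```

The clean record fires nothing, the backdated record fires both signals, and the whole-second record fires only signal B, which is the split the rule's `signal` field records. Comparisons are done on raw FILETIME ticks rather than converted datetimes so that the subsecond test is an exact integer check.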
Validation
- Timestomped samples in corpus: 312
- True-positive rate: 100%
- False-positive rate (clean corpus): 0.4%
- FP classes, both whitelistable: 2
The 312-sample corpus included loaders, executors, and cleaner binaries from twelve distinct cheat families across FiveM, Rust, and CSGO ecosystems. Every sample triggered at least one of the two signals; 87% triggered both.
Edge cases
The two false-positive classes we observed in clean corpora:
- Files copied via SMB / robocopy with /COPY:DAT. Robocopy and similar tools deliberately preserve original $SI timestamps, which can produce a $SI < $FN delta that mimics signal A. These are easily allowlisted by parent-directory and signing-chain heuristics.
- Microsoft installer-extracted files. MSI extraction occasionally produces whole-second $SI timestamps. Suppressed by whitelisting Microsoft-signed installers and their typical extraction roots.
Neither false-positive class overlaps with the cheat-loader corpus. Both can be suppressed without weakening the rule against the actual timestomp-tool population.
Defensive material
The rule pseudocode here matches the structure of the production detection but omits the per-tenant tuning knobs and allowlist heuristics that suppress the edge cases above. DFIR teams seeking the operational form can reach the team at security@clubhouseac.shop.