Created January 26, 2026 17:58
Gist: justaguywhocodes/32b6e980c9778d47f53c72dee4a29c44
## Step-by-Step Commands

**1. Install the PowerForensics module (if not installed):**

```powershell
Install-Module -Name PowerForensics -Force -Confirm:$false -Scope CurrentUser
```

**2. Create a test file (e.g., `C:\test\malicious.txt`):**

```powershell
New-Item -Path "C:\test\malicious.txt" -ItemType File -Force
```

**3. Define a fake timestamp (e.g., January 1, 2020, at 12:00 AM):**

```powershell
$fakeTime = Get-Date "2020-01-01 00:00:00"
```

**4. Modify both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes:**

```powershell
Set-ForensicFileRecord -Path "C:\test\malicious.txt" -Created $fakeTime -Modified $fakeTime -Accessed $fakeTime -MftModified $fakeTime
```

## Verification

Check the timestamps to confirm both attributes were updated:

```powershell
Get-ForensicFileRecord -Path "C:\test\malicious.txt" |
    Select-Object -ExpandProperty Attributes |
    Where-Object { $_.Name -eq "StandardInformation" -or $_.Name -eq "FileName" } |
    Format-List Name, CreatedTime, ModifiedTime, AccessedTime, MftModifiedTime
```

The output should show identical timestamps for both `StandardInformation` and `FileName`.

## Notes

Requirements:

- Run PowerShell as Administrator.
- The PowerForensics module writes directly to the NTFS disk, bypassing Windows APIs.
- Test in a safe environment (e.g., a VM or an isolated system).
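The verification step above prints the eight timestamps (four from `StandardInformation`, four from `FileName`) that an analyst compares when looking for timestomping. The following Python script is an added example, not part of this gist or of PowerForensics: it takes records shaped like that output (the records below are constructed inline, with the property names taken from the verification command) and applies three heuristics that forensic examiners use, including the pattern the procedure above leaves behind, where all eight timestamps are identical and fall on a whole second.

```python
"""Heuristic timestomping check over $SI / $FN timestamp pairs.

Added example (not part of the gist). The sample records are constructed
inline to mirror the Created/Modified/Accessed/MftModified values that the
verification step lists for StandardInformation and FileName; real input is
those eight values per file exported into the same shape.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MftTimestamps:
    created: datetime
    modified: datetime
    accessed: datetime
    mft_modified: datetime

    def as_tuple(self) -> Tuple[datetime, datetime, datetime, datetime]:
        return (self.created, self.modified, self.accessed, self.mft_modified)


@dataclass(frozen=True)
class FileRecord:
    path: str
    si: MftTimestamps  # $STANDARD_INFORMATION: what Explorer and SetFileTime-style APIs touch
    fn: MftTimestamps  # $FILE_NAME: maintained by the NTFS driver, not reachable via SetFileTime


def check_record(rec: FileRecord) -> List[str]:
    """Return the indicator names that fire for one MFT record (empty = nothing odd)."""
    findings: List[str] = []
    si, fn = rec.si.as_tuple(), rec.fn.as_tuple()

    # 1. $FN creation is stamped by the driver when the name is created. A $SI
    #    creation time earlier than that means $SI was pushed back afterwards,
    #    the classic signature of API-level timestomping.
    if rec.si.created < rec.fn.created:
        findings.append("SI_CREATED_BEFORE_FN_CREATED")

    # 2. NTFS keeps 100 ns ticks, so genuine activity almost never lands on an
    #    exact second. Tools fed "2020-01-01 00:00:00" leave the fraction zero.
    #    (datetime only carries microseconds; compare raw FILETIME ticks if you
    #    have them.)
    if any(ts.microsecond == 0 for ts in si):
        findings.append("SI_ZERO_SUBSECOND")

    # 3. All eight timestamps identical *and* on a whole second is what a full
    #    $SI + $FN overwrite to one chosen value leaves behind. A freshly created,
    #    never-modified file also has $SI == $FN, but not at a fraction of exactly 0.
    if si == fn and all(ts.microsecond == 0 for ts in fn):
        findings.append("SI_FN_IDENTICAL_WHOLE_SECOND")

    return findings


def scan(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map each record's path to the list of indicators that fired."""
    return {r.path: check_record(r) for r in records}


# --- constructed sample records (not real forensic data) ---
CREATE_TIME = datetime(2025, 3, 10, 9, 12, 33, 123457)
EDIT_TIME = datetime(2025, 3, 11, 14, 5, 2, 654321)
FAKE_TIME = datetime(2020, 1, 1, 0, 0, 0)

SAMPLE_RECORDS = [
    # Ordinary file: created once, edited the next day; $FN keeps the creation time.
    FileRecord("C:\\Users\\alice\\notes.txt",
               si=MftTimestamps(CREATE_TIME, EDIT_TIME, EDIT_TIME, EDIT_TIME),
               fn=MftTimestamps(CREATE_TIME, CREATE_TIME, CREATE_TIME, CREATE_TIME)),
    # $SI set back through Windows APIs; $FN untouched and still truthful.
    FileRecord("C:\\test\\api_stomped.txt",
               si=MftTimestamps(FAKE_TIME, FAKE_TIME, FAKE_TIME, FAKE_TIME),
               fn=MftTimestamps(CREATE_TIME, CREATE_TIME, CREATE_TIME, CREATE_TIME)),
    # Both attributes overwritten to the same whole-second value (the gist's end state).
    FileRecord("C:\\test\\malicious.txt",
               si=MftTimestamps(FAKE_TIME, FAKE_TIME, FAKE_TIME, FAKE_TIME),
               fn=MftTimestamps(FAKE_TIME, FAKE_TIME, FAKE_TIME, FAKE_TIME)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits) or 'no indicators'}")
```

Note that the $SI-only case is caught by the $SI/$FN ordering check alone, while the full overwrite defeats that check and is only caught by the sub-second and all-identical heuristics, which is why examiners corroborate with sources outside the MFT record (the `$UsnJrnl` and `$LogFile` entries for the file, the MFT entry number relative to its neighbours, and event logs). Whole-second timestamps also occur legitimately on files extracted from ZIP archives or copied from FAT volumes, and `SI_CREATED_BEFORE_FN_CREATED` fires on files copied with timestamp-preserving tools, so treat these as triage indicators rather than proof.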