AF-2DFB-D3 · Disk
The Time Lie
Timestomping ($SI vs $FN discrepancy) + cleared event log + steganography in an image.
Scenario
The suspect manipulated file timestamps and cleared the event log to hide the time of the event. Reconstruct the true timeline, extract the hidden message from the image, and prove the timestomp. A forged log entry points to the wrong user.
Anti-forensics techniques
- Timestomping (MAC time manipulation)
- Event log clearing (Security log, Event ID 1102 "The audit log was cleared")
- Steganography (text hidden in an image)
- Forged log injection
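The $SI vs $FN discrepancy the first technique relies on can be checked mechanically once the MFT has been parsed. The following is an added illustration for this case card, not part of the case artifact or of any tool the pipeline uses: it takes a handful of constructed MFT entries (timestamps invented for the example, not from the E01) and flags the one whose $STANDARD_INFORMATION times were rewritten. The `MftEntry` class, the `SAMPLE_ENTRIES` list and the function names are all assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftEntry:
    """One MFT record reduced to the four timestamps the check needs (all UTC)."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation; writable via SetFileTime
    si_modified: datetime  # $STANDARD_INFORMATION last-modified
    fn_created: datetime   # $FILE_NAME creation; set by the kernel at create/rename
    fn_modified: datetime  # $FILE_NAME last-modified


# Constructed sample data for the example; values are not from any real image.
SAMPLE_ENTRIES = [
    MftEntry("C:/Users/alice/notes.txt",
             datetime(2024, 3, 4, 10, 15, 2, 417320, UTC),
             datetime(2024, 3, 4, 10, 15, 2, 417320, UTC),
             datetime(2024, 3, 4, 10, 15, 2, 417320, UTC),
             datetime(2024, 3, 4, 10, 15, 2, 417320, UTC)),
    # Backdated entry: $SI pushed years into the past, $FN untouched.
    MftEntry("C:/Users/alice/Pictures/vacation.jpg",
             datetime(2021, 7, 1, 9, 0, 0, 0, UTC),
             datetime(2021, 7, 1, 9, 0, 0, 0, UTC),
             datetime(2024, 3, 4, 11, 42, 18, 905211, UTC),
             datetime(2024, 3, 4, 11, 42, 18, 905211, UTC)),
    MftEntry("C:/Users/alice/report.docx",
             datetime(2024, 3, 4, 11, 50, 0, 123456, UTC),
             datetime(2024, 3, 4, 11, 50, 0, 123456, UTC),
             datetime(2024, 3, 4, 11, 50, 0, 123456, UTC),
             datetime(2024, 3, 4, 11, 50, 0, 123456, UTC)),
]


def timestomp_indicators(e: MftEntry) -> list[str]:
    """Return the reasons an entry looks timestomped; an empty list means none found."""
    reasons: list[str] = []
    # $FN is written by the kernel and is not reachable through SetFileTime, and
    # $SI normally only moves forward after creation. $SI earlier than $FN is
    # therefore the classic discrepancy.
    if e.si_created < e.fn_created:
        reasons.append("$SI created earlier than $FN created")
    if e.si_modified < e.fn_modified:
        reasons.append("$SI modified earlier than $FN modified")
    # Kernel-set timestamps carry sub-second resolution (100 ns ticks on NTFS).
    # A $SI value with an exactly zero fractional second next to a $FN value
    # that has one is consistent with a tool writing whole seconds.
    if e.si_created.microsecond == 0 and e.fn_created.microsecond != 0:
        reasons.append("$SI created has zero sub-second part, $FN does not")
    return reasons


def find_timestomped(entries: list[MftEntry]) -> list[tuple[str, list[str]]]:
    """List (path, reasons) for every entry that trips at least one indicator."""
    flagged = []
    for e in entries:
        reasons = timestomp_indicators(e)
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


def true_creation_estimate(e: MftEntry) -> datetime:
    """Best available estimate of when the file really appeared: the $FN creation time."""
    return e.fn_created


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_ENTRIES):
        e = next(x for x in SAMPLE_ENTRIES if x.path == path)
        print(f"{path}\n  $SI created: {e.si_created.isoformat()}"
              f"\n  $FN created: {e.fn_created.isoformat()}"
              f"\n  estimated true creation: {true_creation_estimate(e).isoformat()}")
        for r in reasons:
            print(f"  - {r}")
```

Treat a hit as a lead, not a verdict: $FN is rewritten from the then-current $SI on rename or move, so a file stomped and then renamed shows matching times, and the indicators go quiet. Corroborate against the $LogFile and USN journal, and against the timestamp of the Event ID 1102 record, which bounds when the log was cleared.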
Provided artifacts
- Disk image (E01) + Security.evtx
Sample questions
- Which file is timestomped? Give the $SI and $FN times.
- What is the true time of the event (UTC)?
- Extract the message embedded in the image.
Soundness trap
Naming the user from the forged log entry as the culprit is the trap; cross-evidence refutes it.
Scoring
Timeline accuracy + stego + forged-log resistance.
Artifact coming soon. The downloadable artifact for this case is generated by our instrumented-VM pipeline and released with the F0 pilot.