BGINFO - A Posh Recreation
Recently I have been building a lot of Windows Servers in different environments - one
Grumpy Admin is a typical administrator, sometimes something goes wrong and well you need to hide your tracks against a casual manager finding an unauthorised and useful utility on your system such as putty.exe. Computers don’t lie do they! So if the file was downloaded and last accessed on a day when you were “out of the office“. We are cleared of any wrong doings right?
We all know that file/date time stamps are not valid as actual evidence in court and investigations, they are very easy to manipulate as we will demonstrate here in a moment, nearly as easy to manipulate as managers and other important people who pay your wages… After all the computer never lies right? If the file says it was made in 1975 prior to your birth and the birth of all the hardware and software and the file format. Then it must of been created in 1975 right?
So basically bottom line, I might have opened a file I should not have opened and want to cover my tacks, to the casual manager level investigation.The attributes I want to modify/fake/adjust are the Created: Modified: Accessed: times of a file. As you can guess, Grumpy Admin wants to do this via Powershell.
So the first thing we need to do is create our basic function – I am going to make it can handle some arguments – IE I want you to type time-warp <filename> <newdate/time>. So here is the skeleton function :
Function Time-Warp {
Param ([string[]]$file,[datetime]$newdate)
}
Simple so let’s just walk through this code, the Param defines the arguments that time-warp needs. By type casting them at this stage, I save converting later and it should just error out if someone doesn’t the data entry right! – Me being me, and being a lazy type of person, I am not going to put any error checking or user input validation. This is quick and dirty hack to cover my tracks!
So we now know what file we want to modify the timestamp on and we know what date/time we want to set it – Now to action!!! The next bit of code gets the file as an object – The best way I think is to use the GCI or Get-ChildItem cmdlet.
So we add the line
Get-ChildItem -Path $file
We got the file as an object now what, well we need a method of accessing the properties of this object – For this we can do a ForEach-Object loop. So we need the pipe char | and our ForEach-Object function. I also want it to write-host the old date and set the date and write-host the new date :-
So we can write some code like this :-
write-host “Old Creation Time/Date” $_.CreationTime
write-host “Old LastAccess Time/Date” $_.LastAccessTime
write-host “Old LastWriteTime Time/Date” $_.LastWriteTime$_.CreationTime = $newdate
$_.LastAccessTime = $newdate
$_.LastWriteTime = $newdate }write-host “New Creation Time/Date” $newdate
write-host “New LastAccess Time/Date” $newdate
write-host “New LastWriteTime Time/Date” $newdate
And this will do the trick – we can now Time-Warp any file to any date we want, useful maybe… Grumpy Admin doesn’t like P45’s or jail time!
So that completes the code for the Time-Warp function :-
Function time-warp
{Param ([string[]]$file,[datetime]$newdate )
Get-ChildItem -Path $file |ForEach-Object {
write-host “Old Creation Time/Date” $_.CreationTime
write-host “Old LastAccess Time/Date” $_.LastAccessTime
write-host “Old LastWriteTime Time/Date” $_.LastWriteTime
$_.CreationTime = $newdate
$_.LastAccessTime = $newdate
$_.LastWriteTime = $newdate }
write-host “New Creation Time/Date” $newdate
write-host “New LastAccess Time/Date” $newdate
write-host “New LastWriteTime Time/Date” $newdate
}
I am sure you and other people can do something better with this and write better code than me, you could perhaps add offsets and random add/subtract dates to the timedate value. Now some screenshots just to prove it works 🙂
Have a good day and lets hope you never need to do this… At the very least you have seen how to access the Create/Modified/Accessed properties of a file. That could be useful if you are doing a backup script or something like that maybe?
Hazzy