# Antiforensics

### LNK Execution Timestamp Spoofing via Filename Collision

I made two different files, both named Husam.exe, in different paths (or instead you can make two MalDoc files with the same name in two paths).

The first Husam.exe is the real malware, while the second Husam.exe is just a benign compiled executable printing "Hello World!" statement.

So, after running both executables, what do you think has happened?!

1. Two LNK files were generated for Husam.exe and Husam (1).exe
2. Only one LNK file of Husam.exe was generated.

Choose one. ☺️

Ok, the right answer may be surprising, but it is 2.

Only one LNK file was generated for Husam.exe.

Ok, then guess what I did...

I ran the first Husam.exe (the real malware), waited a few minutes, then ran the benign executable.

The timestamp of the Husam.exe LNK file referred to the most recent execution, the benign instance of Husam.exe, instead of the first one.

I believe further research on this is needed, but it can be used to spoof the execution timestamp of the real malware as recorded by LNK files.

So, basically it is anti-forensic timestamp manipulation of LNK artifacts, and I call it: LNK Execution Timestamp Spoofing via Filename Collision
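The observation above, one Recent-folder LNK per target filename that the latest same-named file overwrites, is what an investigator has to work around. As an added example that is not part of the original post, the Python below parses the ShellLinkHeader and LinkInfo of a Recent LNK (MS-SHLLINK layout) and combines the embedded target path and timestamps with the LNK file's own Created and Modified times. It relies on the standard DFIR reading of Recent LNKs (the LNK's Created time is the first time a file of that name was opened, its Modified time the most recent), so after the collision the LNK body and Modified time describe only the benign copy, while the LNK's Created time still exposes the earlier run. The sample LNK bytes, the path and the timestamps are constructed, and `build_sample_lnk`, `parse_lnk`, `triage_recent_lnk` and `demo` are names chosen here; the parser handles ANSI LocalBasePath only and skips the LinkTargetIDList rather than decoding it.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK constants: ShellLinkHeader LinkFlags and LinkInfoFlags bits used here
HAS_LINK_TARGET_ID_LIST = 0x00000001
HAS_LINK_INFO = 0x00000002
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x00000001
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk(data: bytes) -> dict:
    """Parse the 76-byte ShellLinkHeader and, when present, the LinkInfo LocalBasePath."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    ctime, atime, wtime = struct.unpack_from("<QQQ", data, 0x1C)  # the TARGET's timestamps
    offset = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        offset += 2 + struct.unpack_from("<H", data, offset)[0]  # skip IDListSize + ItemIDs
    target_path = None
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, offset)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = offset + lbp_off
            target_path = data[start:data.index(b"\x00", start)].decode("cp1252")
        offset += li_size
    return {
        "target_path": target_path,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
    }


def build_sample_lnk(target_path: str, target_time: datetime) -> bytes:
    """Constructed sample: minimal LNK with HasLinkInfo, a fixed-drive VolumeID and an ANSI LocalBasePath."""
    ft = datetime_to_filetime(target_time)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, HAS_LINK_INFO, 0x20,
                         ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x12345678, 16) + label  # DRIVE_FIXED
    lbp = target_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"  # empty CommonPathSuffix
    hdr_size, vol_off = 0x1C, 0x1C
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(lbp)
    li_size = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", li_size, hdr_size, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, suffix_off)
    return header + link_info + volume_id + lbp + suffix


def triage_recent_lnk(lnk_bytes: bytes, lnk_created: datetime, lnk_modified: datetime) -> dict:
    """Read a Recent-folder LNK together with the LNK file's OWN filesystem timestamps.

    DFIR reading of Recent LNKs: Created = first open of a file with that name,
    Modified = most recent open. After a filename collision the embedded target path
    and the Modified time only describe the latest same-named file, so the first open
    must be corroborated elsewhere (Prefetch run times, $MFT, process-creation logs).
    """
    parsed = parse_lnk(lnk_bytes)
    return {
        "first_opened": lnk_created,
        "last_opened": lnk_modified,
        "current_target": parsed["target_path"],
        "target_created": parsed["target_created"],
        "opened_more_than_once": lnk_modified > lnk_created,
    }


# Constructed timestamps and path mirroring the collision scenario: first run at 10:00,
# benign same-named executable run seven minutes later from a different directory.
SAMPLE_FIRST_OPEN = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_LAST_OPEN = datetime(2024, 1, 1, 10, 7, tzinfo=timezone.utc)
SAMPLE_TARGET = r"C:\Users\analyst\Downloads\benign\Husam.exe"


def demo() -> dict:
    """The surviving LNK points at the benign copy, but its Created time predates it."""
    lnk = build_sample_lnk(SAMPLE_TARGET, SAMPLE_LAST_OPEN)
    return triage_recent_lnk(lnk, SAMPLE_FIRST_OPEN, SAMPLE_LAST_OPEN)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live image you would pass the real LNK bytes from `%AppData%\Microsoft\Windows\Recent` together with the Created and Modified times reported by the filesystem (or the $MFT $STANDARD_INFORMATION record), and treat `opened_more_than_once` with a target path that does not match the earlier run as the cue to pull Prefetch and process-creation telemetry for that filename.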
