Re: changing file access times

Subject: Re: changing file access times
Date: Thu, 23 Mar 2006 15:10:00 -0500
http://gnuwin32.sourceforge.net/packages/coreutils.htm
At that page, you'll find win32 ports of common *nix utilities. 
touch.exe will change the modified, accessed, and created times, but
not the mft-entry-modified time.

http://www.foryoursoft.com/ftedit2.htm
http://www.attributemagic.com/ or its watered down free version
http://www.attributemagic.com/attributemagic_free.html (which is my
favorite because they actually use 'contradistinction' in a sentence
with a straight face)
http://www.fileedge.com/get/change-attributes/ (a list of a bunch of
utilities that do this)
These are just a few of the dozens that google found that almost all
include a pretty GUI, but again, only change 3 of the 4 time stamps.
Which really is an issue since the entry-modified timestamp will get
updated to the time that the timestamp changing utility was used to
change the other times - kind of a giveaway that something isn't right
when you look at the timeline in your forensics utils.

So...
The *only* one I've seen that can change that 4th time, and the one
that I would recommend above any of the others is 'timestomp':
http://metasploit.com/projects/antiforensics/
http://metasploit.com/projects/antiforensics/timestomp.exe



As a side note: Another issue you'll run into with changing the
timestamps in NTFS is the *other* set of timestamps... the timestamps
that you see are stored in the file's $standard_information attribute,
but there is another set in each of the $file_name attribute(s) and
another in that file's entry in the directory listing - and they quite
often don't match since the $si attribute is the only one that gets
updated regularly.  But, if the $si attribute's timestamps are before
the $fn's timestamps, you know something has been fiddled with.  But,
since you have to go out of your way to see the $fn's set of
timestamps, you would have to really want to dig to even notice.

cheers
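The $SI-before-$FN check described in the reply above, as an added example that is not part of the original post: it parses the four FILETIME values from a $STANDARD_INFORMATION and a $FILE_NAME attribute body and reports which $SI timestamps precede their $FN counterparts. The attribute bodies here are constructed sample bytes (a file stamped in 2006 whose $SI times were pushed back to 2005), not data taken from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    # Integer arithmetic so large tick counts do not lose precision
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def parse_si_times(si_body):
    # $STANDARD_INFORMATION body starts with four little-endian FILETIMEs
    return dict(zip(FIELDS, struct.unpack_from("<4Q", si_body, 0)))

def parse_fn_times(fn_body):
    # $FILE_NAME body: 8-byte parent directory reference, then the same four FILETIMEs
    return dict(zip(FIELDS, struct.unpack_from("<4Q", fn_body, 8)))

def si_before_fn(si_body, fn_body):
    """Names of timestamps where $SI is earlier than $FN (normally $SI >= $FN)."""
    si, fn = parse_si_times(si_body), parse_fn_times(fn_body)
    return [f for f in FIELDS if si[f] < fn[f]]

def build_attributes(si_dt, fn_dt, name="report.doc"):
    """Constructed $SI and $FN bodies with all four timestamps set to the given datetimes."""
    si_t, fn_t = datetime_to_filetime(si_dt), datetime_to_filetime(fn_dt)
    # $SI: 4 FILETIMEs, then flags, max versions, version number, class id
    si_body = struct.pack("<4Q4I", si_t, si_t, si_t, si_t, 0x20, 0, 0, 0)
    # $FN: parent ref, 4 FILETIMEs, allocated size, real size, flags, reparse,
    #      name length, namespace (3 = Win32 & DOS), UTF-16LE name
    fn_body = (struct.pack("<Q4QQQII", 5, fn_t, fn_t, fn_t, fn_t, 0, 0, 0x20, 0)
               + bytes([len(name), 3]) + name.encode("utf-16-le"))
    return si_body, fn_body

REAL = datetime(2006, 3, 23, 20, 10, tzinfo=timezone.utc)   # constructed true time
FAKE = datetime(2005, 1, 1, tzinfo=timezone.utc)            # constructed backdated $SI

if __name__ == "__main__":
    si, fn = build_attributes(FAKE, REAL)
    print("suspicious $SI fields:", si_before_fn(si, fn))
```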
