Metasploit Anti-Forensics Project
Welcome to the Metasploit Anti-Forensics Project. This project, created by Vinnie Liu and maintained by the community, seeks to develop tools and techniques for removing forensic evidence from computer systems. It includes a number of tools, among them Timestomp, Slacker, and SAM Juicer, many of which have been integrated into the Metasploit Framework.
03/27/2007 - Metasploit 3.0 has been released and includes full support for Timestomp and SAM Juicer through the "priv" extension to the Meterpreter payload.
12/7/2005 - Release of SAM Juicer. You can either download it and manually install it or run msfupdate (the easier option).
10/2/2005 - Updated site with the latest versions of Timestomp and Slacker. Please play around with it and let me know if you all have any suggestions or comments. Also working with HD to get SAM Juicer finalized and integrated into Metasploit Framework 2.5.
8/17/2005 - I previously uploaded the wrong version of slacker.exe, so I uploaded the correct (functional) copy. Thanks to g4m3cub3 for pointing this out. This version also supports random XOR obfuscation of the data being hidden in slack space.
8/14/2005 - Updated Timestomp with the recursive blanking option, so now you can blank entire drives at once. It doesn't work on directories, but that's not the point ;-) Also discovered that the low time values will cause Windows Explorer to get confused as well.
May 3-6, 2006 - Presented Defeating Forensic Analysis at the Computer and Enterprise Investigations Conference 2006
April 3-5, 2006 - Presented Bleeding-Edge Anti-Forensics at InfoSecWorld 2006
October 13-14, 2005 - Presented The Metasploit Anti-Forensics Project v2 at Microsoft BlueHat
September 16-18, 2005 - Presented The Metasploit Anti-Forensics Project at Toorcon 7
July 27-28, 2005 - Presented Catch Me If You Can at BlackHat 2005
Timestomp - First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified. Note that these are the values held in a file's $STANDARD_INFORMATION attribute; NTFS keeps a second set of the same four timestamps in the $FILE_NAME attribute, which the file-time API Timestomp goes through does not update, so an examiner who compares the two sets can spot the change.
Slacker - First ever tool that allows you to hide files within the slack space of the NTFS file system, the unused bytes between the logical end of a file and the end of its last allocated cluster.
SAM Juicer - A Meterpreter module that dumps the password hashes from the SAM without ever hitting disk.
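Seen from the examiner's side, here is an added example (not code from the project, and not Timestomp's own code) of how the four timestamps Timestomp sets can be checked for tampering. It decodes raw NTFS FILETIME values from the $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) attributes of an MFT record and applies three common indicators, including the blanked low time values from the 8/14/2005 entry. The sample records are constructed, and the heuristics are general forensic practice assumed by the example rather than anything the page documents.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC; 0 is the minimum value.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# The four values Timestomp sets, in the order the tool description lists them
# ("entry modified" is the MFT record change time).
FIELDS = ("modified", "accessed", "created", "mft_modified")


def filetime_to_datetime(ft):
    """Decode a raw FILETIME into an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Encode an aware UTC datetime as a raw FILETIME."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def check_record(si, fn):
    """Return a list of timestomp indicators for one MFT record.

    si / fn: dicts keyed by FIELDS with the raw FILETIME values of the
    $STANDARD_INFORMATION and $FILE_NAME attributes.  Heuristics (assumed,
    standard forensic practice, not anything Timestomp documents):
      1. Every SI value at the 1601 minimum: the record was blanked.
      2. Every SI value on a whole-second boundary: times typed by a user
         carry no sub-second ticks, while the OS writes 100 ns precision.
      3. SI created earlier than FN created: FN is written by the kernel
         at creation and is not touched by the file-time API, so a
         backdated SI ends up older than the file itself.
    """
    findings = []
    if all(si[f] == 0 for f in FIELDS):
        findings.append("blanked: all SI timestamps are the 1601-01-01 minimum")
        return findings  # the remaining checks are meaningless on blanked values
    if all(si[f] % TICKS_PER_SECOND == 0 for f in FIELDS):
        findings.append("whole-second: no sub-second ticks in any SI timestamp")
    if si["created"] < fn["created"]:
        findings.append("SI created (%s) precedes FN created (%s)" % (
            filetime_to_datetime(si["created"]).isoformat(),
            filetime_to_datetime(fn["created"]).isoformat()))
    return findings


def ft_at(*ymdhms):
    """Build a FILETIME from (year, month, day, hour, minute, second[, microsecond])."""
    return datetime_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))


def stamps(*fts):
    """Pack four FILETIMEs into a dict keyed by FIELDS."""
    return dict(zip(FIELDS, fts))


# Constructed sample MFT records, not real forensic data: (name, SI, FN).
SAMPLE_RECORDS = [
    # untouched file: SI and FN created agree and every value carries 100 ns ticks
    ("notes.txt",
     stamps(ft_at(2005, 8, 14, 9, 40, 51, 10033), ft_at(2005, 8, 17, 16, 2, 7, 915204),
            ft_at(2005, 8, 14, 9, 12, 3, 482917), ft_at(2005, 8, 14, 9, 40, 51, 10033)),
     stamps(*[ft_at(2005, 8, 14, 9, 12, 3, 482917)] * 4)),
    # SI set to a round date years before the file appeared on the volume
    ("payload.dll",
     stamps(*[ft_at(2001, 3, 1, 12, 0, 0)] * 4),
     stamps(*[ft_at(2005, 8, 14, 9, 12, 3, 482917)] * 4)),
    # SI blanked with the recursive blanking option
    ("loader.exe",
     stamps(0, 0, 0, 0),
     stamps(*[ft_at(2005, 8, 14, 9, 12, 3, 482917)] * 4)),
]


def scan(records=SAMPLE_RECORDS):
    """Run check_record over every record; returns {name: [findings]}."""
    return {name: check_record(si, fn) for name, si, fn in records}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "->", findings or "clean")
```

The whole-second check is only a hint: files copied from FAT media or set by other tools also land on second boundaries, so it is the combination with the SI/FN disagreement that carries weight.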
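As an added example (not Slacker's own code and not from the project), the following simulates the slack-space hiding that Slacker performs: an in-memory volume with 4096-byte clusters, a payload XOR-obfuscated with a random key as in the 8/17/2005 update, and the obfuscated bytes spread over the slack of several files so that normal reads of those files return unchanged content. The volume geometry, the carrier files, the payload and the way fragment placement is recorded are all assumptions of the example.

```python
import os

CLUSTER = 4096  # bytes per cluster; geometry of the constructed volume (assumed)


class Volume:
    """Minimal cluster-allocated volume held in memory, constructed for the example.

    Files take whole clusters; the bytes between a file's logical end and the
    end of its last cluster are its slack, which a normal read never returns.
    """

    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.files = {}  # name -> (first_cluster, cluster_count, logical_size)
        self.next_free = 0

    def write_file(self, name, content):
        count = max(1, -(-len(content) // CLUSTER))  # ceiling division
        if self.next_free + count > len(self.data) // CLUSTER:
            raise ValueError("volume full")
        start = self.next_free
        self.data[start * CLUSTER:start * CLUSTER + len(content)] = content
        self.files[name] = (start, count, len(content))
        self.next_free += count

    def read_file(self, name):
        start, _, size = self.files[name]
        return bytes(self.data[start * CLUSTER:start * CLUSTER + size])

    def slack_range(self, name):
        """(start, end) byte offsets of the file's slack; empty if it fills its clusters."""
        start, count, size = self.files[name]
        return start * CLUSTER + size, (start + count) * CLUSTER


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide(vol, names, payload, key):
    """Obfuscate payload with key and spread it over the slack of the named files.

    Returns the placement list [(name, bytes_used)] needed to recover it.  How
    Slacker records placement is not described on the page; this is assumed.
    """
    blob = xor_bytes(payload, key)
    placement, pos = [], 0
    for name in names:
        if pos == len(blob):
            break
        start, end = vol.slack_range(name)
        chunk = blob[pos:pos + (end - start)]
        if not chunk:
            continue  # file fills its last cluster exactly: no slack to use
        vol.data[start:start + len(chunk)] = chunk
        placement.append((name, len(chunk)))
        pos += len(chunk)
    if pos < len(blob):
        raise ValueError("only %d of %d bytes fit in the available slack" % (pos, len(blob)))
    return placement


def recover(vol, placement, key):
    """Reassemble the fragments in placement order and strip the XOR."""
    parts = []
    for name, used in placement:
        start, _ = vol.slack_range(name)
        parts.append(bytes(vol.data[start:start + used]))
    return xor_bytes(b"".join(parts), key)


def slack_has_data(vol, name):
    """Examiner's check: any non-zero byte in slack deserves a look (on a real
    volume it may equally be residue of an earlier, deleted file)."""
    start, end = vol.slack_range(name)
    return any(vol.data[start:end])


def demo(key=None):
    """Hide a constructed payload in the slack of several files; returns a result dict."""
    key = key or os.urandom(8)  # random per-run XOR key, as the 8/17/2005 update describes
    vol = Volume(clusters=16)
    carriers = [  # constructed carrier files (size -> slack left in last cluster)
        ("readme.txt", b"Documentation of the build process.\n" * 20),  # 720 -> 3376
        ("notes.log", b"2005-08-17 checked in\n" * 150),                  # 3300 -> 796
        ("data.bin", bytes(range(256)) * 16),                            # 4096 -> 0
        ("todo.txt", b"- ship it\n"),                                    # 10 -> 4086
    ]
    for name, content in carriers:
        vol.write_file(name, content)
    payload = b"HIDDEN: " + bytes(range(256)) * 17  # 4360 bytes: needs three files' slack
    placement = hide(vol, [n for n, _ in carriers], payload, key)
    return {
        "recovered": recover(vol, placement, key),
        "placement": placement,
        "files_intact": all(vol.read_file(n) == c for n, c in carriers),
        "flagged": [n for n, _ in carriers if slack_has_data(vol, n)],
    }


if __name__ == "__main__":
    result = demo()
    print(result["placement"], result["files_intact"], result["flagged"])
```

Two things the simulation makes visible: a file whose size is an exact multiple of the cluster size contributes no slack at all, and the obfuscation hides only the content, not the fact that slack is non-zero, which is what a carving pass over slack will pick up.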
Questions, comments, suggestions? E-mail msfdev[at]metasploit.com.