It is no surprise that malware writers use anti-forensic techniques to increase the examiner's workload. A few weeks ago I was analyzing malware for a customer (VirusTotal identified the sample as Zbot-Trojan) and noticed quite interesting behavior in the malicious code.
The malware modifies its own file attributes: the MAC times of the file containing the malicious code are changed during installation and execution (at system startup). This is an example of an anti-forensic method that makes a Timeline Activity reconstruction less valuable.
The trojan uses the GetFileTime() and SetFileTime() APIs exported by kernel32.dll. The MAC times of the malware executable are set to the MAC times of an operating system library, the ntdll.dll file.