Touch on Windows via PowerShell

A forensic investigator recently inquired about a touch equivalent for the Windows environment. If you don't know touch is a command in the *nix environment that allows you to modify file timestamps arbitrarily.

My first thought was that maybe wmic could accomplish the task. Turns out wmic can only read timestamps, not set them.

More digging revealed that Microsoft's PowerShell could be used to modify file timestamps.

Below is the nitty and the gritty.

From within powershell:

$(Get-Item ).creationtime=$(Get-Date "mm/dd/yyyy hh:mm am/pm")
$(Get-Item ).lastaccesstime=$(Get-Date "mm/dd/yyyy hh:mm am/pm")
$(Get-Item ).lastwritetime=$(Get-Date "mm/dd/yyyy hh:mm am/pm")

There are also utc timestamp attributes (CreationTimeUtc, etc.). I
haven't touched (no pun intended) those.

Here's a sample run from my PowerShell prompt (PS>):

PS > date

Thursday, August 14, 2008 9:38:47 am

PS> echo > test.txt

PS> dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 8/14/2008 9:38 AM 0 test.txt

PS>$(get-item test.txt).lastwritetime=$(get-date "08/31/2012")

PS>dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 8/31/2012 12:00 AM 0 test.txt


You can use these commands to change timestamps such that their
CreationTime is later than their other timestamps.

Fun stuff.