How Post-Launch Mod Swapping Works
A player launches Minecraft with a completely clean mods folder. Staff see nothing suspicious. The player then — while the game is still running — drops a cheat JAR into the mods folder. Depending on the mod loader version and configuration, the game may pick it up immediately or on the next world load. Even without live reloading, the technique is still useful to the player: they place the cheat after launch and then reconnect.
The Timestamp Solution
Every file on a filesystem has a last-write timestamp — the exact date and time it was last modified or created. Audit AC compares this timestamp against the Minecraft process start time (read from the process table) for every .jar in the mods folder. If any mod's last-write timestamp is after the game launched, it's flagged. Audit AC also checks whether the mods folder itself was modified post-launch to catch bulk replacement scenarios.
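The comparison described above, as an added Python example (not Audit AC's own code). The function names, the `slack` tolerance and the sample file names are assumptions, and the game start time is passed in as a Unix timestamp rather than read from the process table.

```python
import os
import tempfile
from pathlib import Path

# Assumed tolerance for coarse filesystem timestamp granularity.
SLACK_SECONDS = 2.0


def find_post_launch_mods(mods_dir, game_start_epoch, slack=SLACK_SECONDS):
    """Return (folder_modified, flagged) for a mods folder.

    game_start_epoch: process start time as a Unix timestamp (caller-supplied).
    flagged: list of (jar_name, last_write_time), oldest write first.
    """
    mods = Path(mods_dir)
    threshold = game_start_epoch + slack
    flagged = []
    for entry in mods.iterdir():
        if entry.is_file() and entry.suffix.lower() == ".jar":
            mtime = entry.stat().st_mtime
            if mtime > threshold:
                flagged.append((entry.name, mtime))
    flagged.sort(key=lambda item: item[1])
    # A directory's mtime changes when entries are added, removed or renamed,
    # so it can stay newer than launch even after an added JAR is deleted.
    folder_modified = mods.stat().st_mtime > threshold
    return folder_modified, flagged


def demo():
    """Constructed sample: one JAR older than launch, one written after it."""
    start = 1_700_000_000.0  # constructed game start time
    samples = (("present-at-launch.jar", -3600), ("added-later.jar", 795))
    with tempfile.TemporaryDirectory() as tmp:
        for name, offset in samples:
            path = os.path.join(tmp, name)
            open(path, "wb").close()
            os.utime(path, (start + offset, start + offset))
        os.utime(tmp, (start + 795, start + 795))
        return find_post_launch_mods(tmp, start)


if __name__ == "__main__":
    print(demo())
```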
What the Report Shows
The dashboard shows the game start time alongside every mod that was written or modified after that point. Even if the player deletes the injected files before you review the report, the mods folder modification timestamp itself may still be newer than the game start time.
⚠ Mods folder modified post-launch
Game started at: 14:32:07
Flagged mods:
→ vape-v4.23.jar (written at 14:45:22)
→ injector.jar (written at 14:47:01)
Limitations
If the player's system clock is deliberately manipulated, timestamps can be spoofed — though clock manipulation is itself detectable through other means. Some legitimate mod managers also update files at startup. A single timestamp flag from a known updatable mod is lower confidence than an unknown JAR with a post-launch timestamp. Best practice: treat timestamp hits as high confidence when the flagged mod is unknown, multiple files were written at nearly the same time after launch, or the flagged file has since been deleted.