Question:
What is the original modification time by the kernel of the document "New Text Document.txt"? Format: YYYY-MM-DD HH:MM:SS.SSSSSS
Hint:
It appears this file has been time-stomped. AnalyzeMFT may be able to help.
Answer:
2018-02-24 21:15:35:512585
Challenge 6 provided an E01 file to examine. You will need to download a forensic tool like FTK or Autopsy to view the data. I will be using FTK for this demonstration. For this challenge, we want to know the original modification time by the Windows kernel for the file “New Text Document.txt”. Note the language used in this question. We want to know the modification timestamp given to the file by the kernel, not by the user. This challenge is more advanced, and expects some knowledge of Windows timestamps and NTFS forensics.
When we first open our E01 file, we find that the text document is empty and its timestamps are from January 1st, 1601. Either the timestamps have been manipulated, or I am a time traveler. The timestamps have been set all the way back to the start of the Gregorian calendar, which is the point in time from which Windows counts forward.
This file was altered with a tool called timestomp, which exists as a Metasploit module or as a standalone Windows executable. Timestomp can alter all 4 timestamps in user-space. These 4 different timestamps are collectively referred to as MACE: Modified, Accessed, Created, and Entry modified. Timestomp cannot, however, edit the timestamps given by the Windows kernel (which should normally be identical to their user-space counterparts). Ok, now that we know this, what next? Well, we will only see the user-space timestamps by examining the file in Explorer, and even FTK is fooled. “I’m a noob, I have no idea what I’m doing”. This is why the hint is more of an instruction than a hint.
All of the files starting with dollar signs are NTFS artifacts. The one we are interested in is $MFT, the NTFS Master File Table. As our hint stated, AnalyzeMFT may be able to help. AnalyzeMFT is a Python program for parsing the $MFT. You can download AnalyzeMFT from https://github.com/dkovar/analyzeMFT or install it using the pip package manager. Now the $MFT file must be exported from FTK. You can do this by right-clicking it and selecting Export.
Since $MFT is a hidden system file, you won’t be able to see it initially. From the directory you exported $MFT to, open a command prompt and use the command:
attrib -s -h $MFT
This alters the attributes of the file to make it visible to us. Now we will use AnalyzeMFT to export the data to a .csv file in an Excel-friendly format:
analyzeMFT.py -f $MFT -o MFT.csv -e
Once exported, we will have an MFT.csv file that we can easily examine. Looking at “New Text Document.txt”, there are 8 timestamps associated with it. The first 4 are the $SI ($STANDARD_INFORMATION attribute) timestamps. These timestamps are modifiable in user-space. The following 4 timestamps are the $FN ($FILE_NAME attribute) timestamps. These timestamps are maintained by the Windows kernel and cannot be edited by timestomp.
The $SI MACE timestamps associated with “New Text Document.txt” all display as an invalid timestamp. In blue I have highlighted the $FN modification timestamp, which is our answer: 2018-02-24 21:15:35:512585.
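To show concretely what AnalyzeMFT is reading out of those records, here is an added example (not part of this write-up or of the analyzeMFT project): it builds a minimal, constructed MFT FILE record with a $STANDARD_INFORMATION and a $FILE_NAME attribute, walks the resident attributes to pull both sets of MACE FILETIMEs, and flags $SI values that sit at the 1601 epoch or fall before the kernel-maintained $FN value. The attribute header and content offsets are the standard NTFS on-disk layout; the record contents and the parent reference value are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME origin: 100-ns ticks since 1601-01-01 UTC

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)  # microsecond precision, as analyzeMFT prints it

def resident_attr(atype, content):
    # 24-byte resident attribute header followed by the content, padded to 8 bytes (constructed)
    content += b"\0" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(content), 0, 0, 24, 0, 0,
                       len(content), 24, 0, 0) + content

def build_record(si_mace, fn_mace, name):
    # Minimal constructed FILE record: $STANDARD_INFORMATION (0x10) followed by $FILE_NAME (0x30)
    si = struct.pack("<4Q", *si_mace) + b"\0" * 16              # C, M, E, A, then flags/ids
    fn = (struct.pack("<Q4Q", 5, *fn_mace) + b"\0" * 24         # parent ref, C, M, E, A, sizes
          + bytes([len(name), 1]) + name.encode("utf-16-le"))   # name length, namespace, name
    body = resident_attr(0x10, si) + resident_attr(0x30, fn) + b"\xff\xff\xff\xff"
    return b"FILE" + b"\0" * 16 + struct.pack("<H", 48) + b"\0" * 26 + body

def mace_from_record(record):
    # Returns ($SI, $FN) tuples of raw FILETIMEs in on-disk order: Created, Modified, MFT-modified, Accessed
    si = fn = None
    off = struct.unpack_from("<H", record, 0x14)[0]              # offset of the first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:                     # end-of-attributes marker
            break
        if record[off + 8] == 0:                                 # resident attribute
            clen, coff = struct.unpack_from("<IH", record, off + 16)
            content = record[off + coff:off + coff + clen]
            if atype == 0x10:
                si = struct.unpack_from("<4Q", content, 0)
            elif atype == 0x30:
                fn = struct.unpack_from("<4Q", content, 8)       # skip the 8-byte parent reference
        off += alen
    return si, fn

def stomp_indicators(si, fn):
    """Flag $SI fields that sit at the 1601 epoch or predate the kernel-maintained $FN field."""
    reasons = []
    for label, s, f in zip(("Created", "Modified", "MFT-modified", "Accessed"), si, fn):
        if s == 0 or s < f:
            reasons.append(f"$SI {label} " + ("is the 1601-01-01 epoch" if s == 0 else f"predates $FN {label}"))
    return reasons

# Constructed sample: $FN keeps the kernel's real times, $SI was zeroed to 1601 by a stomping tool
REAL_TIME = datetime(2018, 2, 24, 21, 15, 35, 512585, tzinfo=timezone.utc)
REAL = [(REAL_TIME - EPOCH) // timedelta(microseconds=1) * 10] * 4   # datetime -> FILETIME
SAMPLE = build_record([0, 0, 0, 0], REAL, "New Text Document.txt")
```

Running `stomp_indicators(*mace_from_record(SAMPLE))` on the sample reports all four $SI fields at the 1601 epoch while `filetime_to_dt(REAL[1])` still yields the $FN modification time.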
For someone who is unfamiliar with NTFS forensics, this can seem pretty overwhelming. These resources can help you learn more:
NTFS Basics: http://www.ntfs.com/ntfs_basics.htm
Timestomping NTFS: https://www.os3.nl/_media/2013-2014/courses/rp2/p48_presentation.pdf
Like my work? Donate here: https://buymeacoffee.com/forensicnoobsecurity