THE DFIR BLOG

Windows Forensics

Timestamp in NTFS System

3/23/2018


Timestamps are extremely important in a forensic investigation. NTFS keeps four of them for each file:
- Created (Birth): the date/time the file was created on the volume
- Accessed: the last time the file data was opened
- Modified: the last time the file data was changed
- Changed (metadata change): the last time the master file table entry was changed, e.g. a change to a file attribute

You can remember them as B-MAC.
NTFS stores times in UTC, while FAT stores times in local time.


Windows file timestamps are stored in the $MFT (located in the root of the NTFS volume).
The $MFT keeps track of all files along with their metadata. Each file record carries its timestamps in two attributes:
$STANDARD_INFORMATION ($SI)
$FILE_NAME ($FN)

Things to do when you suspect that a file's timestamps have been modified:
  • Compare $SI and $FN, because the majority of anti-forensics tools can only modify the $SI timestamps.
  • Another good place to check is \Windows\Prefetch: look for anti-forensics tools such as Timestomp and parse the prefetch file to get more information.
  • The $FN timestamps are only modifiable by the Windows kernel (consider them the source of truth).
  • Use analyzeMFT for the investigation.
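As an added example (not code from the original post, nor from analyzeMFT), here is the $SI versus $FN comparison from the first bullet written in Python against the raw attribute bodies: it decodes the four FILETIMEs of $STANDARD_INFORMATION and $FILE_NAME, converts them from UTC ticks, and flags two classic signs of a rewritten $SI. The attribute bodies are constructed inside the script rather than read from a disk image.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # a FILETIME counts 100 ns intervals since 1601-01-01 UTC
TIME_KEYS = ("created", "modified", "changed", "accessed")  # order used by both attributes

def filetime_to_utc(ft):
    """Convert a FILETIME tick count to an aware UTC datetime (NTFS stores UTC, not local time)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build the constructed sample record."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_si_times(body):
    """$STANDARD_INFORMATION body: the four FILETIMEs sit at offset 0."""
    return dict(zip(TIME_KEYS, struct.unpack_from("<4Q", body, 0)))

def parse_fn_times(body):
    """$FILE_NAME body: an 8-byte parent directory reference, then the same four FILETIMEs at offset 8."""
    return dict(zip(TIME_KEYS, struct.unpack_from("<4Q", body, 8)))

def timestomp_indicators(si, fn):
    """Reasons to suspect $SI was rewritten by a user-mode tool while $FN kept the kernel's values."""
    findings = []
    if si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created (creation time was backdated)")
    for key in ("created", "modified"):
        # Tools that take a whole-second time leave the sub-second ticks at zero; the kernel does not.
        if si[key] % TICKS_PER_SECOND == 0 and fn[key] % TICKS_PER_SECOND != 0:
            findings.append(f"$SI {key} has a zero sub-second part while $FN {key} does not")
    return findings

def analyze_record(si_body, fn_body):
    return timestomp_indicators(parse_si_times(si_body), parse_fn_times(fn_body))

def sample_record():
    """Constructed attribute bodies (not from a real disk image): a file created on 2018-03-23 whose
    $SI created/modified were reset to 2010-01-01 00:00:00 with no sub-second part."""
    real = utc_to_filetime(datetime(2018, 3, 23, 10, 15, 42, 123456, tzinfo=timezone.utc))
    stomped = utc_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))
    si_body = struct.pack("<4Q", stomped, stomped, real, real)
    fn_body = bytes(8) + struct.pack("<4Q", real, real, real, real)  # parent reference left as zeros
    return si_body, fn_body

if __name__ == "__main__":
    si_body, fn_body = sample_record()
    for finding in analyze_record(si_body, fn_body):
        print(finding)
```

A rename or move copies the current $SI values into a fresh $FN, so an agreeing pair is absence of evidence rather than proof that the timestamps are genuine.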

[Image: Windows 10 time rules table, taken from the Cyber Forensicator article linked in the resources below.]

Resources:
https://www.defcon.org/images/defcon-19/dc-19-presentations/Lenik/DEFCON-19-Lenik-MAC(b)Daddy.pdf
https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
http://cyberforensicator.com/2018/03/25/windows-10-time-rules/

Windows Forensics Basics

3/3/2018


Windows Forensics:

Cache memory and history analysis:
IE:
  • Content.IE5 files – temporary internet files
  • AppData folders – contain cookies
  • History folder
  • IECookiesView tool – for analysis
Firefox:
MD5 hash:
  • 32 hex digits – 128-bit message digest
  • Not collision resistant
  • Used to check the integrity of a tool
Recycle Bin:
  • When a file is deleted, a sub-directory is created under Recycler
  • Remember the naming convention for Recycler: <Drive Name – Hash>
  • INFO2 contains the records related to the deleted data.
Restore Points:
  • RP.log filename
  • change.log.x files
  • Format: Axxxxx.ext, where x is a sequence number and ext is the original extension of the file.
Prefetch:
  • Prefetch files leave traces of program execution, and you can collect data from them.
Shortcut files:
  • Use .lnk files
File signature analysis:
  • Collect information from the first 20 bytes of a file
  • MAC timestamps: Modification, Access and Change time, managed by the OS in UTC
Static analysis:
  • You do not execute the file; you open it in an analysis application and review the data.
Dynamic analysis:
  • You execute the file in order to analyze it.
  • Create a test environment and a process for testing malware.
Metadata investigation:
  • Data about data
  • Descriptive metadata
  • Structural metadata
Windows Events:
  • Log day-to-day events
  • The event log maintains this data.
  • Command – wevtutil
  • Event files are databases related to System, Security and Application
  • Storage location: SysEvent.evt
Popular event ID:
  • Event ID 4902 – modification of audit policy
IIS log:
  • exyymmdd.log
  • "ex" refers to the extended log format
DHCP server logs:
  • Format
Firewall logs:
  • pfirewall.log
Windows passwords:
  • Active Directory – NTDS.DIT
  • For a standalone system – the SAM (Security Account Manager) file in System32\Config, with an additional copy in the repair folder.
  • Passwords are stored in hash format
  • LANMAN (LM) – outdated
  • NTLMv2 is the latest version used by Windows
Sigverif: shows unsigned drivers
  • CurrPorts – similar to netstat -a