DFIR Blog
  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity

Windows Forensics

Timestamp in NTFS System

3/23/2018


Timestamps are extremely important in a forensic investigation. NTFS keeps four of them for every file:
- Birth (Created): the date/time the file was created on this volume
- Modified: the last time the file's data was changed
- Accessed: the last time the file's data was opened (note that since Windows Vista the last-access update is disabled by default via NtfsDisableLastAccessUpdate, so this value is often stale)
- Changed (metadata change): the last time the MFT entry was changed, i.e. a change to an attribute such as the name, size, or permissions

You can remember it as B-MAC (also written MACB).
NTFS stores times in UTC, while FAT stores them in local time, so a file copied between the two can appear to shift by the time-zone offset.


The timestamps live in $MFT, the Master File Table located in the root of every NTFS volume.
$MFT keeps track of all files along with their metadata. Each file record carries two attributes that hold their own copy of the four timestamps:
$STANDARD_INFORMATION ($SI)
$FILE_NAME ($FN)

Things to do when you suspect that a file's timestamps have been modified:
  • Compare $SI with $FN: the majority of anti-forensics tools can only modify $SI, because the Win32 SetFileTime API only exposes the $SI timestamps.
  • Another good place to check is \Windows\Prefetch. Look for anti-forensics tools such as Timestomp and parse the prefetch file for its run count and last-run time.
  • $FN timestamps are written only by the Windows kernel, so treat them as the closer approximation of the truth. Caveat: they are not immune. A rename or move creates a new $FN whose values are copied from the current $SI, so an attacker who stomps $SI and then moves the file carries the fake values into $FN.
  • Use analyzeMFT (or a similar $MFT parser) to dump both attribute sets and compare them in bulk.
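As an added example (not code from this post, from analyzeMFT, or from any of the linked resources), here is a small Python parser that reads one raw 1024-byte MFT FILE record, undoes the update sequence fixups, pulls the four timestamps out of both $STANDARD_INFORMATION and $FILE_NAME, and applies the $SI-versus-$FN comparison above plus one further common tell: $SI values whose sub-second part is exactly zero, which is what tools that go through Win32 SetFileTime leave behind because that API only takes whole FILETIME values the attacker typed in. The record it analyzes is constructed inside the script (a file named payload.exe in record 42, with assumed timestamps, one clean copy and one with a backdated $SI) so it runs offline; on a real case you would feed it records carved out of $MFT.

```python
"""Compare $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps in a raw NTFS MFT
record to spot likely timestomping. Added example; not from the original post or analyzeMFT.
Input is assumed to be one 1024-byte FILE record; the sample record is constructed below."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
SECTOR, RECORD = 512, 1024
FIELDS = ("created", "modified", "changed", "accessed")   # on-disk order in both attributes


def filetime_to_datetime(ft):
    """FILETIME is 100ns ticks since 1601-01-01 UTC (NTFS stores UTC, not local time)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(record):
    """Undo the update sequence array: on disk the last 2 bytes of every sector hold the
    USN and the real bytes sit in the array. Skipping this corrupts any attribute that
    straddles a sector boundary."""
    rec = bytearray(record)
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_len):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(record):
    """Walk the resident attributes and return the raw FILETIMEs of $SI and $FN."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of the first attribute
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0 and atype in (ATTR_SI, ATTR_FN):   # resident attributes only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            base = 0 if atype == ATTR_SI else 8               # $FN starts with the parent ref
            times = dict(zip(FIELDS, struct.unpack_from("<QQQQ", body, base)))
            if atype == ATTR_FN:
                times["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            out["si" if atype == ATTR_SI else "fn"] = times
        off += alen
    return out


def check_timestomp(parsed):
    """Heuristics: $SI created earlier than $FN created (a name cannot predate its file),
    and $SI values with an all-zero sub-second part (what SetFileTime-based tools leave)."""
    si, fn = parsed["si"], parsed["fn"]
    findings = []
    if si["created"] < fn["created"]:
        findings.append("SI created precedes FN created")
    findings += [f"SI {f} has no sub-second component" for f in FIELDS if si[f] % 10_000_000 == 0]
    return findings


def _attr(atype, body):
    """Resident attribute: 24-byte header followed by the body, padded to 8 bytes."""
    body += b"\0" * (-len(body) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0, len(body), 24, 0, 0) + body


def build_record(si, fn, name):
    """Constructed 1024-byte FILE record with one $SI and one $FN (sample input, not real data)."""
    si_body = struct.pack("<QQQQI", *(si[f] for f in FIELDS), 0x20) + b"\0" * 12
    fn_body = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), *(fn[f] for f in FIELDS),
                          0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = _attr(ATTR_SI, si_body) + _attr(ATTR_FN, fn_body) + struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(attrs), RECORD, 0, 3, 0, 42)
    rec = bytearray(hdr + b"\0" * (0x38 - len(hdr)) + attrs) + b"\0" * (RECORD - 0x38 - len(attrs))
    usn = usa = b"\x07\x00"
    for i in range(1, 3):                  # save the real sector-end bytes, write the USN over them
        end = i * SECTOR
        usa += bytes(rec[end - 2:end])
        rec[end - 2:end] = usn
    rec[0x30:0x36] = usa
    return bytes(rec)


def ft(iso):                               # helper for the assumed sample timestamps
    return datetime_to_filetime(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc))


REAL = {f: ft("2018-03-20T09:15:42.123456") for f in FIELDS}
# Backdated $SI: whole-second values for created/modified/accessed. Win32 SetFileTime cannot
# set the change time, so $SI "changed" is left at the real moment of the stomp.
STOMPED = dict(REAL, created=ft("2009-01-01T00:00:00"), modified=ft("2009-01-01T00:00:00"),
               accessed=ft("2009-01-01T00:00:00"), changed=ft("2018-03-22T18:04:11.507713"))


def analyze(record):
    """Return (file name, findings, {field: ($SI time, $FN time)}) for one record."""
    p = parse_record(record)
    rows = {f: (str(filetime_to_datetime(p["si"][f])), str(filetime_to_datetime(p["fn"][f]))) for f in FIELDS}
    return p["fn"]["name"], check_timestomp(p), rows


if __name__ == "__main__":
    for label, si in (("clean", REAL), ("stomped", STOMPED)):
        name, findings, rows = analyze(build_record(si, REAL, "payload.exe"))
        print(f"{label}: {name}")
        for f, (s, n) in rows.items():
            print(f"  {f:9} $SI {s}  $FN {n}")
        print("  findings:", findings or "none")
```

Treat the findings as leads, not proof: files that arrived from a FAT volume carry legitimately coarse $SI modified times (2-second resolution), and a rename after the stomp copies the faked $SI values into a fresh $FN, which is exactly the case a $SI-versus-$FN comparison cannot see.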

[Image: Windows 10 time rules table, taken from the Cyber Forensicator website; the full article is linked under Resources below.]

Resources:
https://www.defcon.org/images/defcon-19/dc-19-presentations/Lenik/DEFCON-19-Lenik-MAC(b)Daddy.pdf
https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
http://cyberforensicator.com/2018/03/25/windows-10-time-rules/

