FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Powershell Scripting Fundamentals
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • Hackthebox Rooms
    • Campfire-1
    • Compromised
    • Brutus
    • Trent
    • CrownJewel-1
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Lumma C2
    • Network Analysis
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Pass-the-Hash Attack & Defense
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Kerberos Constrained Delegation
    • Password Spraying Attack & Defense
    • Golden Ticket Attack & Defense
    • AS-REProasting Attack & Defense
    • DCSync Attack & Defense
  • Home Lab (FIN7 (Carbanak Group) – Point of Sale (POS) Attack on Hospitality Chains)
  • Home Lab (Lumma Stealer)
Powered by GitBook
On this page
  • Overview of MFT
  • MFT Parsing
  • Investigating File Timestomping
  1. Practical Windows Forensics

Overview of disk structures, partitions and file systems

PreviousUser Behavior NextFinding Evidence of Deleted Files with USN Journal Analysis

Last updated 5 months ago

Overview of MFT

The $MFT (Master File Table) is a core component of the NTFS used by Windows. It is essentially a database that contains metadata about every file and directory on the volume.

File Metadata Storage: Each file and directory has an entry in the $MFT, which stores:

  • File name

  • File size

  • Creation, modification, and access timestamps

  • File permissions

  • Location of data on the disk

Special File: The $MFT itself is a hidden system file and is critical for NTFS operations.

Structure:

  • It is divided into fixed-size records (typically 1 KB or 4 KB).

  • Each record represents a file, directory, or other filesystem object.

Self-Referencing: The first entry in the $MFT points to itself, providing a reference for the file system.

Forensic Relevance:

  • It can help reconstruct file system activity, including deleted files, as $MFT entries often persist after deletion.

  • Timestamps in the $MFT can be crucial for building activity timelines.

The MFT file record structure contains key components for NTFS files:

  1. Record Header: Basic details about the record (e.g., status and offsets).

  2. $STD_INFO: File metadata like timestamps and permissions.

  3. $FILE_NAME: File or directory name details.

  4. $DATA: Actual file content or a reference to its location on disk.

This structure helps track and manage files in NTFS, crucial for forensics.

Let's start by checking the details of MFT record:

MFTECmd.exe -f C:\Cases\E\$MFT --de 0

MFT Parsing

MFTECmd.exe -f C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS --csvf MFT.csv

Let's the MFT.csv file in Timeline Explorer.

Q1) Which files are located in \PWF-main\PWF-main\AtomicRedTeam ?

Q2) What is the MFT entry number for the file "ART-attack.ps1" ?

We can use this Entry Number to see the metadata of the ART-attack.ps1 file.

MFTECmd.exe -f C:\Cases\E\$MFT --de 6741

Q3) What is the MACB timestamps for "ART-attack.ps1" ?

MACB stands for (Modified, Accessed, Changes, Birth)

  • Modified: 2024-02-29 05:33:58.0000000

  • Accessed: 2024-12-12 12:26:05.5286821

  • Changes ($MFT): 2024-12-12 07:47:34.0147678

  • Birth (Creation): 2024-12-12 07:47:34.0147678

The ART-attack.ps1 file was extracted from a zip archive, meaning its modified and creation times were inherited from the original file. The MFT record reflects the moment the file first appeared on the system, while the accessed time indicates when the script was executed.

Investigating File Timestomping

Timestomping modifies one or more timestamps (Created, Modified, Accessed, or Record Modified) to mislead investigators or hide malicious activity. In NTFS, there are two sets of timestamps to analyze:

  • $STANDARD_INFORMATION timestamps.

  • $FILE_NAME timestamps.

These two sets of timestamps are expected to match under normal conditions. If they do not match, the file may have been timestomped.

Q4) Was "ART-attack.ps1" timestomped ?

The Modified On timestamp in $STANDARD_INFO is 2024-02-29, which is earlier than the file's Created On timestamp (2024-12-12), recorded in both $STANDARD_INFO and $FILE_NAME.

  • This is highly unusual and not typical behavior for files created or extracted from an archive.

The $FILE_NAME Modified On timestamp aligns with the Created On timestamp (2024-12-12), indicating consistency.

While the timestamps suggest timestomping, it doesn't necessarily mean this is definitive due to the context of the file being extracted from a ZIP archive.

When a file is extracted from an archive (like a ZIP file), the following happens:

  1. Created On: This usually reflects the time of extraction since the file is "created" on the system at that point.

  2. Modified On: This could reflect the original modification time stored in the ZIP archive if the ZIP preserved it.

  3. Accessed On: Typically reflects the extraction time since the file was accessed during the extraction process.

In This Case

  1. $STANDARD_INFO Modified On: 2024-02-29

    • This appears earlier than the "Created On" timestamp (2024-12-12), which looks odd but could happen if the ZIP file preserved the original modification date.

  2. $FILE_NAME Modified On: 2024-12-12

    • This aligns with the extraction time, suggesting $FILE_NAME timestamps reflect the true local activity.

  3. Discrepancy: The inconsistency between $STANDARD_INFO and $FILE_NAME could indicate timestomping or simply the extraction behavior of the ZIP archive.