Overview of disk structures, partitions and file systems
The $MFT (Master File Table) is a core component of NTFS, the file system used by Windows. It is essentially a database that contains metadata about every file and directory on the volume.
File Metadata Storage: Each file and directory has an entry in the $MFT, which stores:
File name
File size
Creation, modification, and access timestamps
File permissions
Location of data on the disk
Special File: The $MFT itself is a hidden system file and is critical for NTFS operations.
Structure:
It is divided into fixed-size records (typically 1 KB or 4 KB).
Each record represents a file, directory, or other filesystem object.
Self-Referencing: The first entry in the $MFT describes the $MFT file itself, so the file system has a fixed reference point for locating the table.
Forensic Relevance:
It can help reconstruct file system activity, including deleted files, as $MFT entries often persist after deletion.
Timestamps in the $MFT can be crucial for building activity timelines.
The MFT file record structure contains key components for NTFS files:
Record Header: Basic details about the record (e.g., status and offsets).
$STD_INFO: File metadata like timestamps and permissions.
$FILE_NAME: File or directory name details.
$DATA: Actual file content or a reference to its location on disk.
This structure is how NTFS tracks and manages files, and it is central to forensic analysis.
Let's start by checking the details of an MFT record. Open the MFT.csv file in Timeline Explorer.
Q1) Which files are located in \PWF-main\PWF-main\AtomicRedTeam?
Q2) What is the MFT entry number for the file "ART-attack.ps1"?
We can use this Entry Number to see the metadata of the ART-attack.ps1 file.
Q3) What are the MACB timestamps for "ART-attack.ps1"?
MACB stands for Modified, Accessed, Changed (the $MFT record itself was last modified) and Birth (created):
Modified: 2024-02-29 05:33:58.0000000
Accessed: 2024-12-12 12:26:05.5286821
Changes ($MFT): 2024-12-12 07:47:34.0147678
Birth (Creation): 2024-12-12 07:47:34.0147678
The ART-attack.ps1 file was extracted from a zip archive, meaning its modified and creation times were inherited from the original file. The MFT record reflects the moment the file first appeared on the system, while the accessed time indicates when the script was executed.
Timestomping modifies one or more timestamps (Created, Modified, Accessed, or Record Modified) to mislead investigators or hide malicious activity. In NTFS, there are two sets of timestamps to analyze:
$STANDARD_INFORMATION timestamps.
$FILE_NAME timestamps.
These two sets of timestamps are expected to match under normal conditions. If they do not match, the file may have been timestomped.
Q4) Was "ART-attack.ps1" timestomped?
The Modified On timestamp in $STANDARD_INFO is 2024-02-29, which is earlier than the file's Created On timestamp (2024-12-12), recorded in both $STANDARD_INFO and $FILE_NAME.
This is highly unusual and not typical behavior for files created or extracted from an archive.
The $FILE_NAME Modified On timestamp aligns with the Created On timestamp (2024-12-12), indicating consistency.
While the timestamps suggest timestomping, this is not definitive, because the file was extracted from a ZIP archive.
When a file is extracted from an archive (like a ZIP file), the following happens:
Created On: This usually reflects the time of extraction since the file is "created" on the system at that point.
Modified On: This could reflect the original modification time stored in the ZIP archive if the ZIP preserved it.
Accessed On: Typically reflects the extraction time since the file was accessed during the extraction process.
$STANDARD_INFO Modified On: 2024-02-29. This appears earlier than the "Created On" timestamp (2024-12-12), which looks odd but could happen if the ZIP file preserved the original modification date.
$FILE_NAME Modified On: 2024-12-12. This aligns with the extraction time, suggesting $FILE_NAME timestamps reflect the true local activity.
Discrepancy: The inconsistency between $STANDARD_INFO and $FILE_NAME could indicate timestomping or simply the extraction behavior of the ZIP archive.
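The $STANDARD_INFORMATION versus $FILE_NAME comparison described above, as an added Python example (not part of the original walkthrough): it reads rows in the CSV layout that MFTECmd writes (the column names such as Created0x10 / Created0x30 are an assumption about that tool's output; the page does not name the parser that produced MFT.csv) and flags the inconsistencies discussed, using constructed rows modelled on ART-attack.ps1 and one unremarkable file.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in MFTECmd layout (assumed):
# 0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME.
SAMPLE_CSV = """EntryNumber,FileName,ParentPath,Created0x10,Created0x30,LastModified0x10,LastModified0x30,LastAccess0x10,LastRecordChange0x10
1001,ART-attack.ps1,.\\PWF-main\\PWF-main\\AtomicRedTeam,2024-12-12 07:47:34.0147678,2024-12-12 07:47:34.0147678,2024-02-29 05:33:58.0000000,2024-12-12 07:47:34.0147678,2024-12-12 12:26:05.5286821,2024-12-12 07:47:34.0147678
1002,notes.txt,.\\Users\\analyst\\Documents,2024-12-12 08:00:00.1234567,2024-12-12 08:00:00.1234567,2024-12-12 08:05:10.7654321,2024-12-12 08:05:10.7654321,2024-12-12 08:05:10.7654321,2024-12-12 08:05:10.7654321
"""

FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_ts(value):
    # NTFS stores 100 ns ticks (7 fractional digits); datetime only keeps
    # microseconds, so trim the fraction to 6 digits before parsing.
    head, frac = value.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", FMT)


def check_record(row):
    """Return a list of anomaly flags for one MFT.csv row."""
    flags = []
    si_created = parse_ts(row["Created0x10"])
    fn_created = parse_ts(row["Created0x30"])
    si_modified = parse_ts(row["LastModified0x10"])
    fn_modified = parse_ts(row["LastModified0x30"])
    if si_modified < si_created:
        flags.append("SI modified earlier than SI created")
    if si_created != fn_created:
        flags.append("SI created != FN created")
    if si_modified != fn_modified:
        flags.append("SI modified != FN modified")
    # A sub-second part of exactly zero is typical of timestamps copied from
    # ZIP/DOS metadata (2-second resolution) or set with low-resolution tools.
    if row["LastModified0x10"].endswith(".0000000"):
        flags.append("SI modified has zero sub-second precision")
    return flags


def scan(csv_text):
    """Map FileName -> anomaly flags for every row of an MFTECmd-style CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["FileName"]: check_record(row) for row in reader}


if __name__ == "__main__":
    for name, flags in scan(SAMPLE_CSV).items():
        print(name, "->", flags or ["no anomalies"])
```

As on the page, a flagged row is a lead to correlate with the archive's own metadata, not proof of timestomping by itself.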