# Overview of disk structures, partitions and file systems

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FOdywVXfNSTJSJUOdpk9V%2FScreenshot(4).png?alt=media&#x26;token=6560b98a-bba3-4952-997d-db93cc1c2a80" alt=""><figcaption></figcaption></figure>

## Overview of MFT

The **$MFT (Master File Table)** is a core component of **NTFS**, the file system used by Windows. It is essentially a database that contains metadata about every file and directory on the volume.

**File Metadata Storage**: Each file and directory has an entry in the $MFT, which stores:

* File name
* File size
* Creation, modification, and access timestamps
* File permissions
* Location of data on the disk

**Special File**: The $MFT itself is a hidden system file and is critical for NTFS operations.

**Structure**:

* It is divided into fixed-size records (typically 1 KB or 4 KB).
* Each record represents a file, directory, or other filesystem object.

**Self-Referencing**: The first entry in the $MFT points to itself, providing a reference for the file system.

**Forensic Relevance**:

* It can help reconstruct file system activity, including deleted files, as $MFT entries often persist after deletion.
* Timestamps in the $MFT can be crucial for building activity timelines.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FTbnrtu8IeK6lJjX9UO0m%2FScreenshot(5).png?alt=media&#x26;token=96c5c4a3-0d19-42a6-bb7a-e61ad2eaac08" alt=""><figcaption></figcaption></figure>

The **MFT file record structure** contains key components for NTFS files:

1. **Record Header**: Basic details about the record (e.g., status and offsets).
2. **$STD\_INFO**: File metadata like timestamps and permissions.
3. **$FILE\_NAME**: File or directory name details.
4. **$DATA**: Actual file content or a reference to its location on disk.

This structure is how NTFS tracks and manages files, and it is what forensic tools parse to recover file activity.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FIsZNEdi8GLhV5gk8wjfM%2FScreenshot(6).png?alt=media&#x26;token=c14676b4-2490-484e-a080-1aecdf85a23b" alt=""><figcaption></figcaption></figure>

Let's start by checking the details of MFT record 0, the $MFT's own entry:

```bash
MFTECmd.exe -f C:\Cases\E\$MFT --de 0
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FgaK8fviq10833FeFgCDE%2FScreenshot(7).png?alt=media&#x26;token=f9f01205-9dac-4174-9c06-4e3defe896ce" alt=""><figcaption></figcaption></figure>

## MFT Parsing

```bash
MFTECmd.exe -f C:\Cases\E\$MFT --csv C:\Cases\Analysis\NTFS --csvf MFT.csv
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Ff9M5Idw7qZiWQ1lTSoSE%2FScreenshot(8).png?alt=media&#x26;token=fe2427af-3bb5-4804-9471-d731c5f8527d" alt=""><figcaption></figcaption></figure>

Let's open the **MFT.csv** file in Timeline Explorer.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FdIpVBhNCfpN07CszZhge%2FScreenshot(9).png?alt=media&#x26;token=eb92bd35-b335-40ec-93b9-a457368cf02c" alt=""><figcaption></figcaption></figure>

Q1) Which files are located in \PWF-main\PWF-main\AtomicRedTeam?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FB0VRup41IsWnx4XNTT3R%2FScreenshot(10).png?alt=media&#x26;token=9e3f3525-4136-4e55-8150-ba4c400162eb" alt=""><figcaption></figcaption></figure>

Q2) What is the MFT entry number for the file "ART-attack.ps1"?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FKYQDfAOGaDKSwoKtuudU%2FScreenshot(1).png?alt=media&#x26;token=01b8b22f-fdcc-4256-aec9-c683d6b14de8" alt=""><figcaption></figcaption></figure>

We can use this Entry Number to see the metadata of the ART-attack.ps1 file.

```bash
MFTECmd.exe -f C:\Cases\E\$MFT --de 6741
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FdEnsC6EGzJjG384a7ZbO%2FScreenshot(2).png?alt=media&#x26;token=ded159e9-bfe2-4f2d-a7dd-3b2871acc94d" alt=""><figcaption></figcaption></figure>

Q3) What are the MACB timestamps for "ART-attack.ps1"?

MACB stands for Modified, Accessed, Changed ($MFT record modified) and Birth (created).

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F82kTRKxbLoq8bPRjeLsS%2FScreenshot(3).png?alt=media&#x26;token=42903adb-a56c-497b-8151-eb76f474d545" alt=""><figcaption></figcaption></figure>

* **Modified**: 2024-02-29 05:33:58.0000000
* **Accessed:** 2024-12-12 12:26:05.5286821
* **Changes ($MFT):** 2024-12-12 07:47:34.0147678
* **Birth (Creation):** 2024-12-12 07:47:34.0147678

The **ART-attack.ps1** file was extracted from a zip archive, so its modified time was inherited from the original file inside the archive. The creation time and the $MFT record change time mark the moment the file first appeared on the system, while the accessed time indicates when the script was executed (NTFS updates last-access times lazily or not at all depending on the volume's configuration, so this is the least reliable of the four timestamps).

## Investigating File Timestomping

Timestomping modifies one or more timestamps (Created, Modified, Accessed, or Record Modified) to mislead investigators or hide malicious activity.\
In NTFS, there are two sets of timestamps to analyze:

* **$STANDARD\_INFORMATION** timestamps.
* **$FILE\_NAME** timestamps.

Under normal conditions these two sets of timestamps agree closely: the $FILE\_NAME set is written by the kernel when the record is created or the file is renamed or moved, and the ordinary Windows API for setting file times only changes $STANDARD\_INFORMATION. If they **do not match**, in particular if the $STANDARD\_INFORMATION timestamps are earlier than the $FILE\_NAME ones, the file may have been timestomped.

Q4) Was "ART-attack.ps1" timestomped?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FdEnsC6EGzJjG384a7ZbO%2FScreenshot(2).png?alt=media&#x26;token=ded159e9-bfe2-4f2d-a7dd-3b2871acc94d" alt=""><figcaption></figcaption></figure>

The **`Modified On`** timestamp in **$STANDARD\_INFO** is `2024-02-29`, which is **earlier** than the file's **Created On** timestamp (`2024-12-12`), recorded in both `$STANDARD_INFO` and `$FILE_NAME`.

* This is highly unusual and **not typical** behavior for files created or extracted from an archive.

The **$FILE\_NAME Modified On** timestamp aligns with the **Created On** timestamp (`2024-12-12`), indicating consistency.

While the timestamps suggest **timestomping**, this is not definitive, because the file was extracted from a ZIP archive.

When a file is extracted from an archive (like a ZIP file), the following happens:

1. **Created On**: This usually reflects the time of extraction since the file is "created" on the system at that point.
2. **Modified On**: This could reflect the original modification time stored in the ZIP archive if the ZIP preserved it.
3. **Accessed On**: Typically reflects the extraction time since the file was accessed during the extraction process.

#### **In This Case**

1. **$STANDARD\_INFO Modified On**: `2024-02-29`
   * This appears earlier than the "Created On" timestamp (`2024-12-12`), which looks odd but could happen if the ZIP file preserved the original modification date.
2. **$FILE\_NAME Modified On**: `2024-12-12`
   * This aligns with the extraction time, suggesting `$FILE_NAME` timestamps reflect the true local activity.
3. **Discrepancy**: The inconsistency between `$STANDARD_INFO` and `$FILE_NAME` could indicate timestomping **or** simply the extraction behavior of the ZIP archive.
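Added example, not part of the original page: a small Python triage over MFTECmd-style CSV rows that applies the checks from the timestomping section and the "In This Case" analysis above, including the ZIP-extraction caveat. Column names are assumed to follow MFTECmd's layout (`0x10` = $STANDARD\_INFORMATION, `0x30` = $FILE\_NAME) and the sample rows are constructed; entry 6741 reuses the ART-attack.ps1 values shown on this page, the other two entries are invented.

```python
import csv
from datetime import datetime

# Constructed MFTECmd-style CSV (column names assumed: 0x10 = $STANDARD_INFORMATION,
# 0x30 = $FILE_NAME). Entry 6741 mirrors the page's ART-attack.ps1; 7001 and 7002 are invented.
SAMPLE_CSV = """EntryNumber,FileName,Created0x10,LastModified0x10,LastRecordChange0x10,LastAccess0x10,Created0x30,LastModified0x30
6741,ART-attack.ps1,2024-12-12 07:47:34.0147678,2024-02-29 05:33:58.0000000,2024-12-12 07:47:34.0147678,2024-12-12 12:26:05.5286821,2024-12-12 07:47:34.0147678,2024-12-12 07:47:34.0147678
7001,notes.txt,2024-12-12 08:00:01.1234567,2024-12-12 08:05:10.7654321,2024-12-12 08:05:10.7654321,2024-12-12 08:05:10.7654321,2024-12-12 08:00:01.1234567,2024-12-12 08:00:01.1234567
7002,invoice.exe,2019-01-01 00:00:00.0000000,2019-01-01 00:00:00.0000000,2024-12-12 09:15:22.9876543,2024-12-12 09:15:22.9876543,2024-12-12 09:15:22.9876543,2024-12-12 09:15:22.9876543
"""


def parse_ts(value):
    # NTFS times carry 100 ns ticks (7 fractional digits); keep the fraction as text for the zero check.
    whole, frac = value.split(".")
    return datetime.strptime(whole, "%Y-%m-%d %H:%M:%S"), frac


def triage_row(row):
    """Apply the page's checks to one record; returns (indicator list, consistent_with_archive_extraction)."""
    si_created, _ = parse_ts(row["Created0x10"])
    si_modified, si_mod_frac = parse_ts(row["LastModified0x10"])
    fn_created, _ = parse_ts(row["Created0x30"])
    fn_modified, _ = parse_ts(row["LastModified0x30"])
    findings = []
    # $FILE_NAME times are kernel-written (record creation, rename, move) and the usual API for
    # setting file times only changes $STANDARD_INFORMATION, so $SI earlier than $FN is the signal.
    if si_created < fn_created:
        findings.append("SI_CREATED_BEFORE_FN_CREATED")
    if si_modified < fn_modified:
        findings.append("SI_MODIFIED_BEFORE_FN_MODIFIED")
    if si_modified < si_created:
        findings.append("SI_MODIFIED_BEFORE_SI_CREATED")
    if si_mod_frac == "0000000":
        findings.append("SI_MODIFIED_ZERO_SUBSECOND")
    # ZIP caveat: DOS timestamps inside an archive have 2-second resolution and no sub-seconds, so an
    # extracted file legitimately shows an older, even-second, zero-fraction $SI Modified while Created agrees.
    archive_consistent = (
        si_created == fn_created
        and si_mod_frac == "0000000"
        and si_modified.second % 2 == 0
        and "SI_CREATED_BEFORE_FN_CREATED" not in findings
    )
    return findings, archive_consistent


def triage_csv(text):
    """Map EntryNumber -> (findings, archive_consistent) for every row that raised at least one indicator."""
    results = {}
    for row in csv.DictReader(text.splitlines()):
        findings, archive_consistent = triage_row(row)
        if findings:
            results[int(row["EntryNumber"])] = (findings, archive_consistent)
    return results
```

Running `triage_csv(SAMPLE_CSV)` flags entry 6741 but marks it consistent with archive extraction, leaves the normally edited `notes.txt` unflagged, and flags entry 7002 (whose $STANDARD\_INFORMATION Created precedes its $FILE\_NAME Created) as needing follow-up.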
