Introduction
NTFS (New Technology File System) includes filesystem journaling, which plays a vital role in maintaining the integrity of the filesystem. The $LogFile keeps a transactional record of metadata changes made to a volume so that, after a system crash or power failure, incomplete transactions can be rolled back and the volume brought back to a consistent state. Alongside it, the USN change journal ($UsnJrnl, stream $J) records which files and directories changed and how. Both journals are forensic artifacts in their own right, but the starting point for most NTFS analysis is the Master File Table.
Master File Table ($MFT):
The MFT is a database that stores information about every file and directory on an NTFS volume. It's essentially a metadata repository, containing records for each file, including its attributes and metadata.
Key Points:
File System Metadata: The MFT stores metadata about files and directories, including their names, locations, security descriptors, timestamps, and other attributes.
File Allocation: NTFS reserves a portion of the disk (the MFT zone) for the MFT when the volume is formatted. As files and directories are created, each is assigned an entry in the MFT.
Indexed Structure: The MFT is organized as a table of fixed-size entries (1024 bytes on nearly all volumes), each representing a file or directory. An entry holds a header followed by a chain of attributes ($STANDARD_INFORMATION, $FILE_NAME, $DATA and so on) that describe the corresponding file or directory.
Unique Identifier: Each entry is identified by its MFT entry (record) number, often compared to an inode number on Unix filesystems. NTFS pairs it with a 16-bit sequence number that is incremented each time the entry is reused, so a file reference (entry number plus sequence number) tells a later reader whether a record still refers to the same file.
Special Files: The NTFS metadata files, including the MFT itself (entry 0, $MFT), are stored within the MFT and are represented by entries like any other file on the volume.
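To make the structure above concrete, here is an added example (not code from the post) that parses one 1024-byte FILE record: it checks the "FILE" signature, undoes the update-sequence fixups, reads the entry and sequence numbers from the header, then walks the attribute chain and decodes the timestamps of $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30). Because no real $MFT ships with the page, the script also constructs a synthetic record with build_record(); the file name, entry number and timestamps in sample_record() are invented test data.

```python
"""Parse one NTFS $MFT FILE record. Added example, not code from the post.
Layout follows the NTFS 3.1 on-disk format; the sample record is constructed
with build_record() so the script runs offline (no real $MFT needed)."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512            # fixed-size MFT entries
STANDARD_INFORMATION, FILE_NAME, END = 0x10, 0x30, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEYS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def apply_fixups(raw):
    """Undo update-sequence fixups: the last word of each 512-byte sector is
    stamped with the USN; the original words live in the array after it."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1} (torn record)")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def _times(body, start):
    vals = struct.unpack_from("<4Q", body, start)
    return dict(zip(KEYS, map(filetime_to_dt, vals)))

def parse_record(raw):
    if len(raw) != RECORD_SIZE or raw[:4] != b"FILE":
        raise ValueError("not a 1024-byte FILE record")
    rec = apply_fixups(raw)
    seq, links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"entry": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq,
           "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
           "link_count": links, "names": []}
    off = attr_off
    while (atype := struct.unpack_from("<I", rec, off)[0]) != END:
        alen, nonres = struct.unpack_from("<IB", rec, off + 4)
        if not nonres:                               # resident: body is inline
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:        # $SI: API-visible times
                out["si"] = _times(body, 0)
            elif atype == FILE_NAME:                 # $FN: kernel-set times
                parent = struct.unpack_from("<Q", body, 0)[0]
                nlen, ns = body[0x40], body[0x41]
                out["names"].append({
                    "name": body[0x42:0x42 + 2 * nlen].decode("utf-16-le"),
                    "namespace": ns, "parent_entry": parent & 0xFFFFFFFFFFFF,
                    "parent_seq": parent >> 48, "fn": _times(body, 8)})
        off += alen
    return out

def _attr(atype, body):
    """Resident attribute: 24-byte header + body, length rounded up to 8."""
    total = (24 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0,
                      len(body), 24, 0, 0)
    return hdr + body + bytes(total - 24 - len(body))

def build_record(entry, seq, name, si, fn, parent=(5, 5)):
    """Synthesise a valid in-use FILE record (constructed test input)."""
    si_body = struct.pack("<4QI", *[dt_to_filetime(si[k]) for k in KEYS],
                          0x20) + bytes(36)          # flags=ARCHIVE, 72 bytes
    nm = name.encode("utf-16-le")
    fn_body = struct.pack("<Q4QQQIIBB", parent[0] | parent[1] << 48,
                          *[dt_to_filetime(fn[k]) for k in KEYS],
                          0, 0, 0x20, 0, len(name), 3) + nm   # namespace 3 = Win32+DOS
    attrs = _attr(STANDARD_INFORMATION, si_body) + _attr(FILE_NAME, fn_body)
    attrs += struct.pack("<I", END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38,
                      1, 0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, entry)
    rec = bytearray(hdr + bytes(8) + attrs)          # 6-byte USA + 2 pad
    rec += bytes(RECORD_SIZE - len(rec))
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                 # stamp both sector ends
        end = i * SECTOR_SIZE - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)

def sample_record():
    """$SI creation set back two years; $FN keeps the real creation time."""
    real = datetime(2024, 3, 4, 10, 15, 30, 123456, tzinfo=timezone.utc)
    fn = dict.fromkeys(KEYS, real)
    si = dict(fn, created=datetime(2022, 1, 1, tzinfo=timezone.utc))
    return build_record(entry=1234, seq=7, name="evil.exe", si=si, fn=fn)

if __name__ == "__main__":
    r = parse_record(sample_record())
    print(r["entry"], r["seq"], r["names"][0]["name"])
    print("SI created:", r["si"]["created"], "FN created:", r["names"][0]["fn"]["created"])
```

The fixup step matters in practice: reading a record without restoring the two saved words silently corrupts whatever attribute data happens to sit at byte 510 or 1022, and a mismatch there is the classic sign of a torn write. The same parser can be pointed at a raw $MFT by slicing it into 1024-byte chunks.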
Functions:
File Management: The MFT serves as a centralized database for managing files and directories, facilitating their creation, deletion, modification, and access control.
Data Retrieval: When the file system needs to access a file or directory, it consults the MFT to locate the relevant metadata and attributes associated with the requested entity.
Forensic Analysis: During forensic investigations, analysts often examine the MFT to reconstruct file system activity, track file modifications, recover deleted files, and gather evidence related to file usage and access.
Collection:
Investigation with KAPE.
We'll use KAPE to acquire the NTFS Master File Table ($MFT) and the journals ($LogFile and $UsnJrnl:$J), then parse the $MFT with MFTECmd.
The KapeTriage compound target bundles the $MFT, $J and link-file targets, among others. KAPE writes the raw collected files (and, when modules are selected, their parsed output) into its destination folder, which makes this an efficient workflow for gathering artifacts for analysis.
KAPE can be driven from its GUI (gkape.exe) or from the command line (kape.exe); either works.
When the collection is written as a VHDX container (the --vhdx option), unzip the output and double-click the .vhdx file: Windows mounts it as a new drive with the next available letter, F:\ in this case. The collected files keep their original paths under the mounted drive, so the MFT from the C: volume sits at F:\C\$MFT.
Next we look at MFTECmd.exe, the tool used to parse the $MFT.
Parsing:
Command to parse the artifact with MFTECmd:
For $MFT:
cmd :- MFTECmd.exe -f F:\C\$MFT --csv C:\Users\User\Downloads --csvf mft.csv
-f F:\C\$MFT (the file to parse; F:\ is the drive letter Windows assigned when you mounted the collected VHDX, and F:\C\$MFT is the MFT collected from the C: volume)
--csv C:\Users\User\Downloads (the directory where the CSV output is written)
--csvf mft.csv (the output file name; if omitted, MFTECmd generates a timestamped name)
Note that this is a cmd.exe command line. In PowerShell, $MFT would be expanded as a variable, so single-quote the path there ('F:\C\$MFT').
Analyzing:
Analysis of $MFT Output:
Column Headers:
The CSV has a long list of column headers. They carry the essential information about each MFT entry: entry and sequence numbers, parent path, file name, size, flags and, most importantly, the timestamps.
Understanding Timestamps:
Each entry carries two sets of MACB timestamps: modified (M), accessed (A), MFT record changed (C) and born/created (B). MFTECmd names the columns Created, LastModified, LastRecordChange and LastAccess, each with a suffix that identifies the NTFS attribute the value came from. The suffix is the attribute's type code, not a timestamp format:
0x10 is $STANDARD_INFORMATION ($SI). These are the timestamps exposed through the Windows API (what Explorer shows), and they can be changed from user mode, for example with SetFileTime.
0x30 is $FILE_NAME ($FN). These are maintained by the kernel and cannot be set through the documented file-time API, so they usually survive an attempt to alter the $SI times.
Detecting Time Stomping
Time stomping can be detected by comparing the $SI (0x10) and $FN (0x30) timestamps. A tool that rewrites the $SI times through the API normally leaves $FN untouched, so a file whose $SI creation time is earlier than its $FN creation time, or whose $SI times have all-zero sub-second values while the $FN times do not, deserves a closer look. MFTECmd flags the first case in its SI<FN column and the second in uSecZeros. Files moved between volumes or extracted from archives can also show $SI earlier than $FN, so treat the indicator as a lead rather than proof.
For more on the technique, see the earlier post:
Blog Headline: Anti-Forensics: Timestomping
Interpreting Blank Timestamps:
You may notice blank cells in the columns ending in 0x30. A blank means the $FILE_NAME timestamp is identical to the corresponding $STANDARD_INFORMATION timestamp, so MFTECmd omits it. This reduces noise and draws attention to the entries where the two diverge, which is where suspicious activity shows up. Any comparison script must therefore treat a blank 0x30 value as equal to the 0x10 value, not as missing.
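As an added example (not the post's own code), the script below applies the two checks from the time-stomping section, $SI created before $FN created and zeroed sub-seconds in $SI only, to MFTECmd CSV output, treating a blank 0x30 cell as equal to the 0x10 cell exactly as described above. The column names and the yyyy-MM-dd HH:mm:ss.fffffff timestamp format are MFTECmd's defaults; the three CSV rows are constructed for the demo and do not come from a real system.

```python
"""Flag likely timestomping in MFTECmd $MFT CSV output.
Added example, not the original post's code. Assumes MFTECmd's default
column names (Created0x10, Created0x30, ...) and timestamp format
yyyy-MM-dd HH:mm:ss.fffffff; a blank 0x30 cell means "same as 0x10"."""
import csv
import io
from datetime import datetime

STAMPS = ("Created", "LastModified", "LastRecordChange", "LastAccess")

def parse_ts(text):
    """'2024-03-04 10:15:30.1234567' -> (datetime, 100 ns fraction) or None.
    The fraction is kept as an int so the full 7-digit precision survives."""
    text = text.strip()
    if not text:
        return None
    base, _, frac = text.partition(".")
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S"), int(frac.ljust(7, "0"))

def row_times(row):
    """{stamp: ($SI, $FN)} with blank $FN cells resolved to the $SI value."""
    out = {}
    for s in STAMPS:
        si = parse_ts(row[f"{s}0x10"])
        fn = parse_ts(row.get(f"{s}0x30", "")) or si   # blank => identical
        out[s] = (si, fn)
    return out

def check_row(row):
    """Return the indicator names that fire for one CSV row."""
    t = row_times(row)
    hits = []
    si_created, fn_created = t["Created"]
    if si_created < fn_created:        # $SI born before the kernel-set $FN born
        hits.append("SI<FN")
    if any(si[1] == 0 and fn[1] != 0 for si, fn in t.values()):
        hits.append("uSecZeros")       # API-set times are often whole seconds
    return hits

def scan(csv_text):
    """{EntryNumber: hits} for every row with at least one indicator."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = check_row(row)
        if hits:
            findings[int(row["EntryNumber"])] = hits
    return findings

# Constructed sample: 40001 is a normal document (blank 0x30 = identical),
# 40002 has $SI pushed back to 2019 with whole-second values while $FN keeps
# the real 2024 times, 40003 has whole-second times in both (installer-set).
SAMPLE_CSV = """EntryNumber,SequenceNumber,ParentPath,FileName,InUse,Created0x10,Created0x30,LastModified0x10,LastModified0x30,LastRecordChange0x10,LastRecordChange0x30,LastAccess0x10,LastAccess0x30
40001,3,.\\Users\\User\\Documents,report.docx,True,2024-03-04 10:15:30.1234567,,2024-03-05 08:00:01.5551234,,2024-03-05 08:00:01.5551234,,2024-03-05 08:00:01.5551234,
40002,5,.\\Windows\\Temp,svchost.exe,True,2019-06-01 12:00:00.0000000,2024-03-04 11:02:17.9876543,2019-06-01 12:00:00.0000000,2024-03-04 11:02:17.9876543,2024-03-04 11:02:18.0011223,2024-03-04 11:02:17.9876543,2019-06-01 12:00:00.0000000,2024-03-04 11:02:17.9876543
40003,1,.\\Windows\\System32,kernel32.dll,True,2023-11-20 09:00:00.0000000,,2023-11-20 09:00:00.0000000,,2023-11-20 09:00:00.0000000,,2023-11-20 09:00:00.0000000,
"""

if __name__ == "__main__":
    for entry, hits in scan(SAMPLE_CSV).items():
        print(entry, hits)
```

Row 40002 also shows a tell-tale the checks do not need to test for: its LastRecordChange0x10 is later than the other $SI times and carries a non-zero fraction, because SetFileTime cannot set the MFT record-change time and the kernel stamps it with the time of the change. Row 40003 is deliberately included so the blank-means-identical rule is exercised; without it, whole-second times alone would produce a false positive on every installer-written system file.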
Akash Patel