Timestamp Anomalies – $MFT

Going through my SANS 508 material I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect timestamp anomalies (Timestomping)

The first thing I wanted to do was extract my MFT so I can then run a tool against it for analysis.  As I mentioned in a recent blog we already have the perfect tool called icat which we will use to extract the MFT quickly from our image.  We know that in an NTFS file system the MFT always has a record number of 0 (also worthy of note at this point is that the MFT record number is also the inode address for that file) so therefore the following command is what I used to extract the MFT:

We now have the MFT stored on our local analysis system and are able to run analysis tools against it. Probably the best tool out there at the minute is the one we used on our course which has been written and developed by David Kovar (Many thanks to you!), it is called analyzeMFT.py and it comes pre installed on the SIFT workstation.

SIFT comes pre installed with an old version of the script. To grab the latest and greatest version which allows us to export to Excel without the known issues of the previous version, we download and run from GitHub:

Many thanks to Kev for his assistance as my resident Linux guru!
 
Basically we have downloaded the up to date script and need to be in the folder to run it. The final command above will produce the following:
 
 

So now I have the script running in my SIFT I want to run it against the MFT which I extracted earlier and to do so I run the following command:

MFT Analyze Command

The -e flag is the new addition to the script which allows for the export to an excel format without the corruption to the timings.

The -e flag is the new addition to the script which allows for the export to an excel format without the corruption to the timings.

Once that is completed I open the .csv file on my windows machine with Excel and am presented with a full listing of every MFT entry but more importantly all of the Creation/Accessed and modified times associated with each of its attributes also.  Another bonus is we have the record number of each and every file on the system which we can use to carve out any file using icat!

Some malware will try to alter the timestamps of files it is using to carry out it’s evil deeds, to allow the files to sit amongst others that were created at a different time, possibly the install time of the OS.  When it performs this anti forensics it is called Time stomping.
One way we can detect these anomalies is to look for standard info creation times which occur before the Filename creation times. Another anomaly to be aware of is all of the nanoseconds values are set to 0.

I decided to download timestomp.exe and use it on a file contained within my xp test environment so that I could better show how we can use the output to detect time stomping.  Below is a screenshot of the output from analyzeMFT with reference to the file I timestomped:

 

 

As you can see the $SI time is before the $FI time which was one of the anomalies I mentioned earlier that we should be looking for.

The full .csv we have just created provides us with the perfect data set to look for anomolies.

One comment to Timestamp Anomalies – $MFT

  • Swasti Bhushan Deb  says:

    Is it possible to extract out the MFT from a E01 file? I have done for .dd images..
    If so how?

Leave a reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>