Windows MACB Timestamps (NTFS Forensics)

  • Published 26 Sep 2024
  • As a continuation of the "Introduction to Windows Forensics" series, this video introduces the concept of MACB (modification, access, MFT record change, birth/creation) timestamps associated with files on NTFS volumes. We will first cover the basics of MACB timestamps and the differences between the $STANDARD_INFORMATION and $FILE_NAME attributes; secondly, we will look at normal timestamp behavior on a Windows 10 system when creating, modifying, copying, and accessing files; next, we will use an anti-forensics tool known as “Timestomp” to modify a file’s MACB (MACE) timestamps; then we’ll use a tool called analyzeMFT to find evidence of timestomping; lastly, we’ll take a look at something interesting I recently discovered with regards to how these timestamps work when using the new Bash on Windows (Windows Subsystem for Linux) feature.
    Introduction to Windows Forensics:
    • Introduction to Window...
    MAC Times:
    forensicswiki.o...
    I’m Your MAC(b) Daddy:
    www.defcon.org...
    Timestomp:
    forensicswiki.o...
    analyzeMFT:
    github.com/dko...
    Digital Forensics: Detecting Time Stamp Manipulation:
    digital-forens...
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
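The detection idea in the description, comparing $STANDARD_INFORMATION against $FILE_NAME timestamps to spot timestomping, as an added example that is not the video's own material nor analyzeMFT code; the record layout, field names and sample values are constructed here.

```python
# Added example (not from the video or analyzeMFT): flag common timestomp
# indicators by comparing $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN)
# MACB timestamps of one MFT record. Record layout and sample values are constructed.
from datetime import datetime

def parse_ts(text):
    """'YYYY-MM-DD HH:MM:SS[.fffffff]' -> (datetime to the second, 100 ns ticks)."""
    whole, _, frac = text.partition(".")
    dt = datetime.strptime(whole, "%Y-%m-%d %H:%M:%S")
    ticks = int((frac + "0000000")[:7]) if frac else 0
    return dt, ticks

def timestomp_indicators(rec):
    """Return indicator names for one record; rec maps si_m/si_a/si_c/si_b and
    fn_m/fn_a/fn_c/fn_b to timestamp strings as parsed by parse_ts."""
    si = {k: parse_ts(rec["si_" + k]) for k in "macb"}
    fn = {k: parse_ts(rec["fn_" + k]) for k in "macb"}
    hits = []
    # $FN timestamps are written by the kernel at creation/move and are not
    # reachable through the user-mode API timestomp uses, so a backdated $SI
    # birth time ends up earlier than the $FN birth time.
    if si["b"] < fn["b"]:
        hits.append("SI_B_BEFORE_FN_B")
    # A file cannot have been modified before the name entry that holds it existed.
    if si["m"] < fn["b"]:
        hits.append("SI_M_BEFORE_FN_B")
    # Timestomp writes whole seconds; genuine NTFS timestamps almost always carry
    # non-zero 100 ns ticks. Zero ticks alone is weak evidence (files extracted
    # from archives or copied from FAT media can look like this), so it is
    # reported as a separate indicator to be weighed with the others.
    if all(ticks == 0 for _, ticks in si.values()):
        hits.append("SI_ZERO_SUBSECOND")
    return hits

# Constructed sample records, as an analyst might export them from an MFT parser.
CLEAN_RECORD = {
    "si_m": "2024-09-27 09:15:02.5550001", "fn_m": "2024-09-26 14:03:21.1234567",
    "si_a": "2024-09-27 09:15:02.5550001", "fn_a": "2024-09-26 14:03:21.1234567",
    "si_c": "2024-09-27 09:15:02.5550001", "fn_c": "2024-09-26 14:03:21.1234567",
    "si_b": "2024-09-26 14:03:21.1234567", "fn_b": "2024-09-26 14:03:21.1234567",
}
STOMPED_RECORD = {
    **{"si_" + k: "2010-01-01 00:00:00" for k in "macb"},  # $SI backdated, whole seconds
    **{"fn_" + k: "2024-09-26 14:03:21.1234567" for k in "macb"},
}

if __name__ == "__main__":
    for name, rec in (("clean", CLEAN_RECORD), ("stomped", STOMPED_RECORD)):
        print(name, timestomp_indicators(rec) or ["no indicators"])
```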

COMMENTS • 44

  • @vero0992
    @vero0992 4 years ago +12

    I passed my GCFA yesterday due to this video and your others! Tough test, but your content really helped. Just became a patron - thanks for what you do!

    • @13Cubed
      @13Cubed  4 years ago +3

      That’s awesome - thank you!

  • @travelmore9626
    @travelmore9626 4 years ago +1

    I've begun watching your videos recently and they're extremely useful! Thanks a lot

  • @beb978
    @beb978 4 years ago +2

    This is really a very informative video.. all you need to know about the title and new discovery. Thank you for the efforts in putting it all together.

  • @packy16
    @packy16 1 year ago

    Thank you so much! I am working on my GCFE and these videos are helping me a lot. 🙏

  • @anthonyc7407
    @anthonyc7407 6 years ago

    Great job on the content. This helped reinforce some of the learning material from SANS 508. Keep up the great videos!

  • @krithikaramakrishnan5595
    @krithikaramakrishnan5595 3 years ago +1

    Thank you so much for the explanation :)

  • @brentbott8115
    @brentbott8115 6 years ago +9

    I really appreciate how well you explain the content to the least common denominator (me).

  • @PradeepSharma-yt8ik
    @PradeepSharma-yt8ik 7 years ago

    Great job, awesome content, perfect flow... you never let the audience sleep... keep it up... I will wait for more new videos.

  • @modogg158
    @modogg158 7 years ago +5

    IT would also be great to do a SANS SIFT Video

  • @stagesnake4146
    @stagesnake4146 4 years ago +2

    Date Accessed has been updated. I tried this in Windows 10 and it updated along with the modification date.

    • @13Cubed
      @13Cubed  4 years ago

      Yes, this has recently changed. However, the access timestamp is still not very forensically relevant because there are just too many variations in how and when it is updated. The M and B in MACB tend to be the ones we focus on the most.

  • @mohammedashi5981
    @mohammedashi5981 2 years ago +1

    very useful video.

  • @RandomNullpointer
    @RandomNullpointer 6 years ago +2

    You are a great teacher!
    Regarding the copy on bash, I'd assume that it's not calling the native OS function to copy, but rather it is scripted internally, so it creates a new file, possibly forgetting to set the timestamps later (as it is in beta).
    Now things may have changed, but I don't know really, as I don't use bash.

  • @PaulStiforp
    @PaulStiforp 7 years ago +1

    Would be interesting if you will make a video about Steganography and Cryptography.

  • @kazdaman1
    @kazdaman1 5 years ago

    Thanks it was a good video.
    Just a thought, maybe adding '-p' to the bash cp command will preserve the timestamps. This is how it works on Linux.

  • @moretwocome21
    @moretwocome21 5 years ago

    Great Video sir! Thanks for sharing :-)

  • @dewy200884
    @dewy200884 1 year ago +1

    I have Win 10 22H2 and it appears that when I modify a file, the Accessed time is also changing. Wondering if the default changed in the recent versions.

    • @13Cubed
      @13Cubed  1 year ago

      Sure did! I have an episode coming out in January that addresses that.

  • @ryanhorton9594
    @ryanhorton9594 6 years ago +1

    Love your channel. Thank you for the content. If you open a patreon and plan on releasing more timely content, I'd be thrilled to donate monthly to the cause.

    • @13Cubed
      @13Cubed  6 years ago +1

      Ryan Horton Thanks! I actually do have a Patreon - patreon.com/13cubed. One pre-release video is available to patrons now, and another coming Friday.

    • @ryanhorton9594
      @ryanhorton9594 6 years ago +1

      I'm looking forward to it! Checking Patreon out now!

  • @BhupendraSingh-fz4sy
    @BhupendraSingh-fz4sy 6 years ago

    Great work..Keep it up !!!

  • @miss_tech
    @miss_tech 2 years ago

    The timestomp tool isn't out there anymore?

  • @MrSanjay00007
    @MrSanjay00007 3 years ago +1

    Hello @13Cubed, I have tried to change file content and I observed that the modification and access timestamps change. As per your video, the access timestamp does not change. And my drive type is NTFS as well.

    • @13Cubed
      @13Cubed  3 years ago

      Access timestamp behavior has changed in more recent versions of Windows 10. In short, don't depend on that timestamp for any forensic purposes. There are just too many circumstances under which it could be updated.

    • @MrSanjay00007
      @MrSanjay00007 3 years ago

      @@13Cubed Thanks for the update

  • @marcosalmendariz9197
    @marcosalmendariz9197 3 years ago +1

    He sounds way too chipper for 1:40 AM, mind you.... Great vid though

  • @omarmahboub4
    @omarmahboub4 3 years ago

    Always appreciate your great work. I have a question: what is the difference between analyzeMFT and MFTECmd from Eric Zimmerman's tools?

    • @13Cubed
      @13Cubed  3 years ago +1

      To my knowledge, analyzeMFT isn't being maintained any longer. Further, MFTECmd has many more features, including the ability to analyze the $UsnJrnl (and coming later, $LogFile).

  • @kasperkasper6244
    @kasperkasper6244 5 years ago

    NTFS says that $FILE_NAME attribute timestamps will be changed if file renaming happens. But according to the SANS timestamp rules table (file rename column) there is no modification of any $FN timestamps. Why is it so?

    • @13Cubed
      @13Cubed  5 years ago

      Upon a file rename, only $SI will change (the C, in MACB, recording an NTFS metadata change). $FN timestamps will not change, as shown here: www.sans.org/security-resources/posters/windows-forensic-analysis/170/download

  • @san0106chit
    @san0106chit 5 years ago

    I see the access time (A) changes when I modify a file. The registry is set to 80000003 in Windows 10.

    • @san0106chit
      @san0106chit 5 years ago

      From what I am reading, something has changed in April 1803 update.

    • @13Cubed
      @13Cubed  5 years ago

      san0106chit Indeed - I’ve seen newer versions of Windows modify the access timestamp in inconsistent ways. That said, this is usually not a forensically useful timestamp in most cases, and I generally ignore it and focus on modification and creation.

  • @muhammadhassoub299
    @muhammadhassoub299 4 years ago

    Videos are great, but it would be better if you zoomed the screen.

    • @13Cubed
      @13Cubed  4 years ago

      This was an older episode. You will notice a drastic increase in production quality in more recent episodes.

  • @mcswks2444
    @mcswks2444 5 years ago

    Trying to replicate the matrix on a Windows 10 Version 1809 (Build 17763.134) I found out that whenever I edit the file content, the Date Accessed also changes (in addition to the Date modified).
    I've tried with disablelastaccess disabled or enabled and it's the same behavior.
    Any thoughts?

    • @13Cubed
      @13Cubed  5 years ago +1

      Mcs Wks I’ve seen some newer versions of Windows modify the access timestamp in inconsistent ways. In short, this is not a forensically useful timestamp in most cases, and I generally ignore it and focus on modification and creation.

    • @mcswks2444
      @mcswks2444 5 years ago +1

      @@13Cubed Thanks for the quick reply. You are the best!!!

  • @TheSkepticSkwerl
    @TheSkepticSkwerl 5 years ago +2

    It's likely that the bash program copies quite literally by redirecting the output of the file into a new file. So it creates a file, and then copies all the data into it.

    • @deathstroyer
      @deathstroyer 5 years ago +2

      Do you think it copied all the data (less than 1 kB) in less than 0.1 milliseconds? This would explain why the modification and entry modification time-stamps are equal to the others.
      Perhaps it would prove useful to re-run this experiment with a larger file.

  • @modogg158
    @modogg158 7 years ago

    Also, this is very good!!!