Wednesday, November 3, 2010

Detecting time stamp manipulations in the file system

Awesome article from SANS computer forensics blog entitled Digital Forensics: Detecting time stamp manipulation.

The post describes how to spot time stamp manipulations when performing a forensic analysis.

The NTFS file system stores the time stamps in two different attributes ($STANDARD_INFORMATION and $FILE_NAME) and both have the fields Modification, Accessed , Change and Born.

Dave Hull used the $FILE_NAME attribute to spot the time stamp manipulations that may be done by tools like  timestomp or Metasploit.

$FILE_NAME is not a standard attribute that can be extracted with all forensics tools,  but Mark McKinnon has written a tool called mft_parser (not released yet) that can do that.

mft_parser_cl <MFT> <db> <bodyfile> <mount_point> 
The “db” argument is the name of a sqlite database that the tool creates, “bodyfile” is similar to the bodyfile that fls from Brian Carrier’s The Sleuth Kit produces, except that it will also include time stamps from NTFS’ $FILE_NAME attribute. The “mount_point” argument is prefixed to the paths in the bodyfile, so if you’re running this tool against a drive image that was drive C, you can provide “C” as an argument.


Notes:
Bodyfile: listing of files and directories in a file system, with its time stamps.

No comments:

Post a Comment