Published on August 14th, 2017

Windows MACB Timestamps (NTFS Forensics)




As a continuation of the "Introduction to Windows Forensics" series, this video introduces the concept of MACB (modification, access, MFT record change, birth/creation) timestamps associated with files on NTFS volumes. We will first cover the basics of MACB timestamps and the differences between the $STANDARD_INFORMATION and $FILE_NAME attributes. Secondly, we will look at normal timestamp behavior on a Windows 10 system when creating, modifying, copying, and accessing files. Next, we will use an anti-forensics tool known as "Timestomp" to modify a file's MACB (MACE) timestamps, and then use a tool called analyzeMFT to find evidence of timestomping. Lastly, we'll take a look at something interesting I recently discovered with regards to how these timestamps work when using the new Bash on Windows (Windows Subsystem for Linux) feature.
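As an added example (not code from the video, from Timestomp or from analyzeMFT), the following Python script implements the two comparisons the video and the linked SANS post use to spot timestomping: zeroed sub-second precision in $STANDARD_INFORMATION, and a $STANDARD_INFORMATION birth time that predates the $FILE_NAME birth time. It assumes the caller has already extracted raw FILETIME values for both attributes into `M`/`A`/`C`/`B` dictionaries (for instance from an analyzeMFT CSV export); the sample records below are constructed, not taken from a real image.

```python
from datetime import datetime, timedelta, timezone

# NTFS stores every timestamp as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def ft(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Encode a UTC datetime (plus an optional 100 ns remainder) as raw FILETIME ticks."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10 + sub_second_ticks

def filetime_to_datetime(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def check_record(si: dict, fn: dict) -> list:
    """Return the reasons one MFT entry looks timestomped (empty list = nothing found).
    si / fn map 'M', 'A', 'C', 'B' to raw FILETIME ticks taken from the
    $STANDARD_INFORMATION and $FILE_NAME attributes of the same record."""
    findings = []
    # 1. A tool that rewrites $SI through the user-mode SetFileTime API with
    #    second granularity leaves the sub-second part of every field at zero.
    if all(si[k] % TICKS_PER_SECOND == 0 for k in "MACB"):
        findings.append("all $SI timestamps have zero sub-second precision")
    # 2. All four $SI values collapsed onto one identical instant is unusual for
    #    a file that was actually created, written and read at different times.
    if len({si[k] for k in "MACB"}) == 1:
        findings.append("all four $SI timestamps are identical")
    # 3. $FN timestamps are not exposed to that API, so an $SI birth time that
    #    predates the $FN birth time means $SI was rewritten after the fact.
    if si["B"] < fn["B"]:
        findings.append("$SI birth time predates $FN birth time")
    return findings

# Constructed sample records (not from a real volume). The suspect entry was
# backdated to 2009 with whole-second values while $FN still shows 2017.
UTC = timezone.utc
SUSPECT_SI = {k: ft(datetime(2009, 1, 1, 0, 0, 0, tzinfo=UTC)) for k in "MACB"}
SUSPECT_FN = {k: ft(datetime(2017, 8, 14, 11, 25, 21, tzinfo=UTC), 4_321_000) for k in "MACB"}
CLEAN_SI = {
    "B": ft(datetime(2017, 8, 14, 11, 25, 21, tzinfo=UTC), 4_321_000),
    "M": ft(datetime(2017, 8, 14, 11, 30, 2, tzinfo=UTC), 9_876_540),
    "A": ft(datetime(2017, 8, 14, 11, 30, 2, tzinfo=UTC), 9_876_540),
    "C": ft(datetime(2017, 8, 14, 11, 30, 2, tzinfo=UTC), 9_876_541),
}
CLEAN_FN = {k: CLEAN_SI["B"] for k in "MACB"}

if __name__ == "__main__":
    for name, si, fn in (("suspect", SUSPECT_SI, SUSPECT_FN), ("clean", CLEAN_SI, CLEAN_FN)):
        print(name, filetime_to_datetime(si["B"]).isoformat(), check_record(si, fn) or "no findings")
```

Copy operations and the WSL behaviour the video covers can legitimately produce records where $SI and $FN disagree, so treat a finding as a lead to confirm against the $LogFile/USN journal and file content rather than as proof on its own.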

Introduction to Windows Forensics:

MAC Times:
http://forensicswiki.org/wiki/MAC_times

I’m Your MAC(b) Daddy:
https://www.defcon.org/images/defcon-19/dc-19-presentations/Lenik/DEFCON-19-Lenik-MAC(b)Daddy.pdf

Timestomp:
http://forensicswiki.org/wiki/Timestomp

analyzeMFT:
https://github.com/dkovar/analyzeMFT

Digital Forensics: Detecting Time Stamp Manipulation:
https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

