There is a considerable amount of forensic goodness in the $MFT on NTFS partitioned disks. What is a $MFT? Well the $MFT is the master file table on NTFS partitions that is a kind of database that keeps track of all the files on the partition including its location and metadata about the file. I am not going to delve into the depths of the format of NTFS because it has already been explained in numerous books like File System Forensics by Brain Carrier. What I am going to do is quickly summarize the "goodness" available in the $MFT and how you can extract this data with a EnScript I have authored.
The $MFT contains an entry for every file and directory on a partition including itself. Important metadata with in a $MFT are the name of the file, inode number, standard information attribute, file name attributes and data attribute. The size of a $MFT record is 1024 bytes. Below is an example of a $MFT record:
The header of a $MFT record is "FILE0". A $MFT record entry can contain the contents of a file if the size of the file fits into the allotted size for data attribute. Below is a $MFT record broken down into what I think are its important parts.
The standard information attribute (SIA) will contain the file times most people are used to seeing on the file system such as created, last written, last accessed and last modified. These times can also be easily changed by the attacker, the "worst" forensic problem ever until now because now you will know about the file information attribute (FIA). The FIA stores dates associated with the file's name and parent directory. These dates cannot be altered using Windows API calls like the SIA can. The meta data kept in the file information attribute consists of the file name creation date, file name modified date, file name last written and file name last accessed. Comparing the SIA to the FIA can detect the dreaded timestomping but be aware of the number of times this happens on a non-compromised or purposely altered system so stick to time windows when doing this type of analysis. To find all these times you are going to have to parse them by hand, wait no you don't there's a script for that below:MFTParser.EnScript
The EnScript I created, inspired by Keith Gould, will parse the important information mentioned above for you and provide you with a tab separated text file you can open up in Excel or parse with your favorite awk command. Don't worry I am not forgetting about the $MFT slack section mentioned above in the important parts, I will go over it in the next post.
3 comments:
i lkie this script
Hey Kelcey,
I just tried emailing you at kelcey.tietjen@mandiant.com but it seemed that didn't work. I loved the post on $MFT Parsing EnScripts you wrote in Aug. Would it be OK with you if I used a portion of it and cited back? My writing team should be completing a new blog post on a similar topic (digital forensic science) in the near future.
Thanks Much.
--
Sabrina K. Carliss
sabrinakc31@gmail.com
The secret to creativity is knowing how to hide your sources
Thank you from Ukraine forensics:)
----
itsability@gmail.com
Post a Comment