Anti-Forensics
Only some applications legitimately alter timestamps; e.g. a cloud sync client does not want a shared document to get a new creation time when you download it, so it rewrites the timestamp with the document's original (older) value.
Malicious timestamp manipulation (timestomping) can be identified by the following steps:
- Compare the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps (tools such as FTK Imager show both sets).
- Check for all zeros in the fractional seconds. NTFS stores time in 100-nanosecond intervals, so a value such as 14:00:00.0000000 is suspicious: stomping tools usually only set whole seconds (files copied from FAT media are a legitimate exception, as FAT only keeps 2-second granularity).
- Compare the ShimCache/AppCompatCache timestamp with the file's modification time. You should see matching timestamps!
- Check the embedded compile time (the PE header TimeDateStamp) against the file timestamps; a file shouldn't be compiled after it was written to disk. Tools such as Exiftool can read the compile time.
- Look in the $I30 (parent directory) index, as its entries contain a full set of timestamps and the MFT entry number with sequence number, which conclusively tie the entry to the file.
The USN Journal ($UsnJrnl) provides visibility into changes to files on the file system, including creation time.
When NTFS creates several files at the same time, those files are likely to have near-sequential MFT record numbers.
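The checks in the list above, run as code over MFT-style records. This is an added example and not code from the original notes: the record layout (four $SI and four $FN FILETIME values plus the first bytes of the file) and the sample entries in `build_sample_records` are assumptions, constructed here rather than taken from a real image; in practice the records would come from an MFT parser.

```python
"""Timestomp triage over MFT-style records (constructed sample data)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # FILETIME counts 100 ns intervals


def dt_to_filetime(dt: datetime) -> int:
    """UTC datetime -> 64-bit FILETIME, using integer maths to keep every tick."""
    d = dt - FILETIME_EPOCH
    micro = (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds
    return micro * 10


def filetime_to_dt(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def pe_compile_time(data: bytes):
    """COFF TimeDateStamp of a PE image as a UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":            # magic 0x4D 0x5A
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # seconds since 1970
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestomp_findings(record: dict) -> list:
    """Run the checks from the list above on one record and name what fired.

    record = {"name": str,
              "si": {"created", "modified", "mft_modified", "accessed"} -> FILETIME,
              "fn": the same four keys from $FILE_NAME (or the parent $I30 entry),
              "data": optional leading bytes of the file content}
    """
    si, fn = record["si"], record["fn"]
    findings = []

    # 1. Whole-second $SI timestamps: stomping tools usually set time to the
    #    second, leaving the 100 ns fraction all zeros. Files copied from FAT
    #    media also show this (2 s granularity), so corroborate before acting.
    for key in ("created", "modified"):
        if si[key] % TICKS_PER_SECOND == 0:
            findings.append(f"$SI {key} has an all-zero sub-second fraction")

    # 2. User-mode APIs (SetFileTime) only rewrite $SI; the kernel stamps $FN on
    #    create/rename. A $SI creation earlier than $FN creation is backdating
    #    (a file moved in from another volume is the usual benign cause).
    if si["created"] < fn["created"]:
        findings.append("$SI creation predates $FN creation")

    # 3. An executable cannot have been compiled after it was written to disk.
    data = record.get("data")
    if data:
        built = pe_compile_time(data)
        if built is not None and built > filetime_to_dt(si["modified"]):
            findings.append("PE compile time is later than $SI modified")
    return findings


def triage(records):
    return {r["name"]: timestomp_findings(r) for r in records}


def _ft(*ymdhms, us=0):
    return dt_to_filetime(datetime(*ymdhms, us, tzinfo=timezone.utc))


def build_sample_records():
    """Constructed sample data (hypothetical names), not taken from a real image."""
    real = _ft(2023, 5, 10, 14, 0, 0, us=123_456)
    stomped = _ft(2019, 1, 1, 14, 0, 0)                # whole second, backdated
    compiled = int(datetime(2023, 6, 1, tzinfo=timezone.utc).timestamp())
    pe = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
          + b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, compiled))
    four = lambda v: {"created": v, "modified": v, "mft_modified": v, "accessed": v}
    return [
        {"name": "report.docx", "si": four(real), "fn": four(real)},
        {"name": "svchost_copy.exe",
         "si": {"created": stomped, "modified": stomped,
                "mft_modified": real, "accessed": stomped},   # kernel keeps (C) honest
         "fn": four(real),
         "data": pe},
    ]


if __name__ == "__main__":
    for name, hits in triage(build_sample_records()).items():
        print(name, "->", hits or "clean")
```

Note that the $SI entry-modified (C) time is left alone in the stomped sample on purpose: user-mode tools cannot set it, which is why it is worth comparing against the other three.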
Carving tools are typically configured to scan for known file signatures at the start of clusters and 'carve' the file data out when a signature is located. The file signature is the magic number of the file; e.g. for Windows executables it is MZ in ASCII, i.e. 0x4D 0x5A (the first bytes of a PE file commonly read 4D 5A 90 00). Solid State Drives (SSDs) are normally unreliable for carving because TRIM lets the controller discard unallocated blocks, so expect partial recovery at best; mechanical drives are normally fairly fruitful.
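A minimal cluster-aligned carver, added here as an example (not a tool from the original notes). The signature table, the 4096-byte cluster size and the sample image built by `build_sample_image` are assumptions; the image is constructed in memory so the block runs offline. It shows why scanning only cluster boundaries matters: the decoy 'MZ' in the middle of a cluster is ignored, and a header with no footer is cut at the next carved header rather than running to the end of the disk.

```python
"""Signature-based file carving over cluster boundaries (constructed image)."""
from dataclasses import dataclass

# header, optional footer, maximum length to carve when no footer is found
SIGNATURES = {
    "exe": (b"MZ", None, 1 << 20),             # 0x4D 0x5A, DOS/PE stub
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 << 20),
    "pdf": (b"%PDF-", b"%%EOF", 16 << 20),
}


@dataclass
class Carved:
    offset: int
    kind: str
    data: bytes


def carve(image: bytes, cluster_size: int = 4096):
    """Scan each cluster start for a known header and cut the data out.

    Headers that do not sit on a cluster boundary are ignored on purpose:
    a file's first byte is always at the start of a cluster on NTFS, and
    scanning every byte offset multiplies false positives (e.g. an 'MZ'
    inside a text file).
    """
    hits = []
    for off in range(0, len(image), cluster_size):
        for kind, (header, _footer, _max_len) in SIGNATURES.items():
            if image.startswith(header, off):
                hits.append((off, kind))
                break

    carved = []
    for i, (off, kind) in enumerate(hits):
        header, footer, max_len = SIGNATURES[kind]
        next_hit = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        end = min(off + max_len, next_hit)     # never run into the next header
        if footer:
            f = image.find(footer, off + len(header), end)
            if f != -1:
                end = f + len(footer)
        # Without a footer the result still contains cluster slack; a real
        # carver would read the PE section table to trim it.
        carved.append(Carved(off, kind, image[off:end]))
    return carved


def build_sample_image(cluster_size: int = 4096) -> bytes:
    """Constructed 10-cluster 'disk': a PE stub at cluster 2, a JPEG at cluster 5
    and a decoy 'MZ' in the middle of cluster 7 that must not be reported."""
    img = bytearray(10 * cluster_size)
    pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    img[2 * cluster_size: 2 * cluster_size + len(pe)] = pe
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    img[5 * cluster_size: 5 * cluster_size + len(jpg)] = jpg
    decoy = 7 * cluster_size + 100
    img[decoy: decoy + 2] = b"MZ"
    return bytes(img)


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind} at cluster {c.offset // 4096}, {len(c.data)} bytes")
```

On a TRIMmed SSD the unallocated clusters come back as zeros, so the same scan finds nothing; that is the partial-recovery caveat above in practice.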
Look for Prefetch files (.pf), LNK files (.lnk) and Recycle Bin metadata files ($I files).
Privacy cleaners normally target key areas in the Registry including:
- WordWheelQuery (keyword searches)
- UserAssist (GUI applications launched)
- ComDlg32 (use of the open/save dialog boxes)
- RecentDocs (recently opened files)
When a file is deleted normally, its content stays on disk in the now-unallocated clusters; a file wiper instead overwrites that space with an identifiable pattern, which is itself a detectable artefact.
Artefacts to detect include:
- A new directory named 'BCW-DIR-NODES' is created.
- All the 'SECRET.txt!!!!!!!!!!!!!!!' files are moved into the 'BCW-DIR-NODES' folder and renamed to 'dir1', 'dir2', etc.; they are then deleted, along with the tmp folder (created in step 3) and the directory (created in step 5).
cipher.exe /w: a built-in Windows tool, convenient and under the radar!
You will find a new directory named "EFSTMPWP" created in the root of the volume (the first time the tool is run); inside it, temp files are created and filled with data to overwrite the free space, normally named 'fil<xxxx>.tmp' where xxxx are random alphanumeric values.
Volume Shadow Copies (VSS/VSC) can be used to recover files that were deleted on the machine (assuming the shadow copies themselves weren't deleted). VSS is copy-on-write (COW): it stores only the blocks that changed since the snapshot, not full copies of files.
The list of files that are excluded from snapshots is stored in the Registry.
Windows 8 introduced 'ScopeSnapshots', which when enabled will 'monitor files in the boot volume that are relevant for system restore only', so user data may be missing from newer snapshots unless the setting has been disabled.
libvshadow provides vshadowinfo and vshadowmount for Linux. The source can be a raw image but not an E01 directly; expose the E01 as a raw device first (e.g. with ewfmount) and point vshadowmount at that with the partition's byte offset.
Example carve:
Use the SIFT508 version, as it is a patched vshadowmount.
Whilst keys are deleted, they are not immediately removed from the Registry hive; if a key is recoverable then you are more than likely able to recover its values too. Copies of the Registry data from both before and after the deletion are normally available for a week or so, and are also stored in the Volume Shadow Copies.
Wipes files, directories and free space. Renames file.txt to AAAA.AAA (the Sysinternals SDelete rename pattern) before deleting it; the wipe shows up in the USN Journal as "DataOverwrite" entries, not as a "FileDelete".
Effectively clears … and …, removes file slack and other slack space on the NTFS volume, and claims to wipe temp data stored in ….
Testing shows that removal is fairly limited and that the … isn't touched!
Renames the target file from 'test123' to 'hgfadsf' (or equivalent random characters).
The final action on the target file in the USN Journal was 'FileDelete'; it was followed (in the journal output) by a few 'DataOverwrite' entries and then a 'StreamChange', signifying that a named data stream was altered.
Then creates a hidden file '~BCWipe.tmp' (a good IOC) with the same MFT entry number as the deleted file.
Then creates lots of files named 'SECRET.txt!!!!!!!!!!!!!!!' (this is to fill up the directory listings).
In total, it creates around 1700 entries in the ….
Eraser is an open-source tool that has been around since 2003. It is not able to clear deleted entries in the directory index ($I30) slack. It also does not fully erase the MFT record for the target file, but the file was renamed! Eraser cannot delete the alternate data stream (Zone.Identifier), which still held the URL of the download.
Eraser renames the file 7 times before deletion and changes the timestamps (modified date to Jan 1 1601, i.e. a zeroed Windows FILETIME) in both $SI and $FN; however, changing the time caused the MFT entry-modified (C) time of $SI to be updated, so that (C) time was consistently valid.
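The USN Journal evidence described for the wipers above (the "DataOverwrite" entries, the rename chain and the final "FileDelete" on the same MFT entry) can be pulled out of a $UsnJrnl:$J extract with a short parser. This is an added example, not code from the original notes or from any of the tools discussed: it decodes the fixed 60-byte USN_RECORD_V2 layout and the reason flags from winioctl.h, then groups records by file reference number. The sample journal built by `build_sample_journal` is constructed to mimic an SDelete-style overwrite/rename/delete next to a normal edit; the file names, MFT entry numbers and timestamps in it are hypothetical.

```python
"""Decode USN_RECORD_V2 entries and look for the overwrite-rename-delete
pattern that file wipers leave in the change journal (constructed data)."""
import struct
from collections import defaultdict
from dataclasses import dataclass

# USN reason flags (winioctl.h)
DATA_OVERWRITE    = 0x00000001
DATA_EXTEND       = 0x00000002
FILE_CREATE       = 0x00000100
FILE_DELETE       = 0x00000200
RENAME_OLD_NAME   = 0x00001000
RENAME_NEW_NAME   = 0x00002000
BASIC_INFO_CHANGE = 0x00008000   # timestamps/attributes rewritten (timestomping)
STREAM_CHANGE     = 0x00200000   # named stream (ADS) added/removed/renamed
CLOSE             = 0x80000000

_HDR = struct.Struct("<IHHQQQQIIIIHH")   # 60-byte fixed part of USN_RECORD_V2


@dataclass
class UsnRecord:
    usn: int
    file_ref: int        # MFT entry (low 48 bits) | sequence number (high 16)
    parent_ref: int
    timestamp: int       # FILETIME
    reason: int
    name: str


def pack_record(r: UsnRecord) -> bytes:
    """Serialise one record the way NTFS lays it out (used to build sample data)."""
    name = r.name.encode("utf-16-le")
    length = (_HDR.size + len(name) + 7) & ~7          # records are 8-byte aligned
    hdr = _HDR.pack(length, 2, 0, r.file_ref, r.parent_ref, r.usn,
                    r.timestamp, r.reason, 0, 0, 0x20, len(name), _HDR.size)
    return (hdr + name).ljust(length, b"\0")


def parse_journal(blob: bytes):
    """Walk a $UsnJrnl:$J extract and yield UsnRecord objects."""
    pos = 0
    while pos + _HDR.size <= len(blob):
        (length, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, _attr, nlen, noff) = _HDR.unpack_from(blob, pos)
        if length == 0:                    # zero padding inside the sparse $J
            pos += 8
            continue
        if major != 2 or length < _HDR.size:
            raise ValueError(f"unsupported USN record at offset {pos}")
        name = blob[pos + noff: pos + noff + nlen].decode("utf-16-le")
        yield UsnRecord(usn, fref, pref, ts, reason, name)
        pos += length


def wiper_candidates(records):
    """Group by MFT reference; an entry that was overwritten and then deleted
    (usually with renames in between) matches the wiper behaviour above."""
    by_ref = defaultdict(list)
    for r in records:
        by_ref[r.file_ref].append(r)
    hits = []
    for ref, evts in by_ref.items():
        evts.sort(key=lambda r: r.usn)
        reasons = 0
        for r in evts:
            reasons |= r.reason
        if reasons & DATA_OVERWRITE and reasons & FILE_DELETE:
            hits.append({
                "mft_entry": ref & 0xFFFFFFFFFFFF,
                "original_name": evts[0].name,
                "final_name": evts[-1].name,
                "rename_count": sum(1 for r in evts if r.reason & RENAME_NEW_NAME),
                "timestamps_altered": bool(reasons & BASIC_INFO_CHANGE),
                "ads_touched": bool(reasons & STREAM_CHANGE),
            })
    return hits


def build_sample_journal() -> bytes:
    """Constructed sample: an SDelete-style wipe of secret.txt next to a normal
    edit of notes.txt. Names, entry numbers and times are hypothetical."""
    ft = 133_000_000_000_000_000             # one arbitrary FILETIME for all rows
    secret = (7 << 48) | 0x1A2B              # sequence 7, MFT entry 0x1A2B
    notes = (3 << 48) | 0x1A2C
    parent = (1 << 48) | 5
    rows = [
        UsnRecord(100, notes, parent, ft, FILE_CREATE, "notes.txt"),
        UsnRecord(200, notes, parent, ft, DATA_EXTEND | CLOSE, "notes.txt"),
        UsnRecord(300, secret, parent, ft, DATA_OVERWRITE, "secret.txt"),
        UsnRecord(400, secret, parent, ft, DATA_OVERWRITE | CLOSE, "secret.txt"),
        UsnRecord(500, secret, parent, ft, RENAME_OLD_NAME, "secret.txt"),
        UsnRecord(600, secret, parent, ft, RENAME_NEW_NAME | CLOSE, "AAAA.AAA"),
        UsnRecord(700, secret, parent, ft, RENAME_OLD_NAME, "AAAA.AAA"),
        UsnRecord(800, secret, parent, ft, RENAME_NEW_NAME | CLOSE, "BBBB.BBB"),
        UsnRecord(900, secret, parent, ft, FILE_DELETE | CLOSE, "BBBB.BBB"),
    ]
    return b"".join(pack_record(r) for r in rows)


if __name__ == "__main__":
    for hit in wiper_candidates(parse_journal(build_sample_journal())):
        print(hit)
```

Grouping on the full file reference (entry plus sequence number) rather than the name is what makes the rename chain harmless to the analyst: every rename keeps the same reference, so 'secret.txt' and 'BBBB.BBB' land in one bucket, and the original name is simply the earliest record. The `timestamps_altered` flag is the journal-side view of the Eraser timestamp change noted above.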
- … is a great tool to read VSCs.