
# Anti-Forensics

## TimeStamp manipulation

Only a few applications legitimately alter timestamps. A cloud sync client, for example, does not want the creation time of a shared document to become the time you downloaded it, so it sets the file's creation time back to the original value.

Malicious timestamp manipulation can be identified with the following checks:

1. Compare the [$FILE_NAME](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdfile_name) and [$STANDARD_INFORMATION](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdstandard_information) timestamps. This can be done with [MFTECmd](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#mftecmd), [fls & mactime](/hacking-notes/dfir/forensics/forensics-tooling/fls-and-mactime.md#fls), [istat](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#istat) and `FTK Imager`.
2. Check for all zeros in the sub-second digits. Windows stores timestamps with 100-nanosecond precision, so a value such as `14:00:00+00:00` with no fractional seconds suggests a time that was typed in rather than set by the system.
3. Compare the [ShimCache/AppCompatCache](/hacking-notes/dfir/forensics/windows/microsoft-forensics/shimcache-appcompatcache.md) timestamp with the [$STANDARD_INFORMATION](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdstandard_information) file modification time. They should match!
4. Check the embedded PE compile time against the filesystem timestamps; a file should not have been compiled after it was written to disk. Both [sigcheck.exe](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/forensics/windows/pages/V38livylAba8xRe2Wk4w#sigcheck.exe "mention") and `Exiftool` can show the compile time.
5. Look in the parent directory's $I30 index: it holds a full set of $SI timestamps together with the MFT entry number and sequence number, which is enough to track the file conclusively.
6. The [$UsnJrnl](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdextend-usnjrnl) provides visibility into changes to files on the file system, including the creation time.
7. When [NTFS](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md) creates several files at the same time, those files will likely have near-sequential [$MFT](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdmft) record numbers.
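Checks 1, 2 and 4 above applied to parsed $MFT records, as an added example (not code from these notes or from MFTECmd). The records are constructed for the example and the field names are its own shorthand; a real run would read them from an MFTECmd CSV export plus the compile time reported by sigcheck or Exiftool.

```python
from datetime import datetime

# Constructed sample records modelled on an MFTECmd $MFT export. The field names
# are this example's own shorthand, not MFTECmd's exact column headers.
SAMPLE = [
    {"path": r"C:\Windows\System32\svchost.exe", "entry": 41230,        # legitimate
     "si_created": "2023-03-10 11:22:33.1234567", "si_modified": "2023-03-10 11:22:33.1234567",
     "fn_created": "2023-03-10 11:22:33.1234567", "compile_time": "2023-01-05 08:00:00"},
    {"path": r"C:\Windows\System32\svch0st.exe", "entry": 98811,        # timestomped
     "si_created": "2019-06-01 14:00:00.0000000", "si_modified": "2019-06-01 14:00:00.0000000",
     "fn_created": "2024-11-02 09:15:47.5512310", "compile_time": "2024-10-30 12:00:00"},
]

def parse_ts(text):
    """Return (datetime, 7-digit fraction). FILETIME ticks are 100 ns, finer than
    datetime can hold, so the fraction is kept as text for the all-zeros check."""
    base, _, frac = text.partition(".")
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S"), frac.ljust(7, "0")

def check_record(rec):
    """Apply checks 1, 2 and 4 from the list above to one record."""
    findings = []
    si_c, si_c_frac = parse_ts(rec["si_created"])
    si_m, si_m_frac = parse_ts(rec["si_modified"])
    fn_c, _ = parse_ts(rec["fn_created"])
    compiled, _ = parse_ts(rec["compile_time"])
    # Check 1: $FILE_NAME is written by the kernel only, so a $SI creation time
    # earlier than the $FN one means $SI was set back after the file appeared.
    if fn_c > si_c:
        findings.append("fn_after_si")
    # Check 2: user-supplied timestamps usually carry no sub-second digits.
    if si_c_frac == "0000000" or si_m_frac == "0000000":
        findings.append("zero_fraction")
    # Check 4: a PE cannot have been compiled after it was last written to disk.
    if compiled > si_m:
        findings.append("compiled_after_written")
    return findings

def scan(records):
    """Map each path to its findings, omitting records with none."""
    return {r["path"]: f for r in records if (f := check_record(r))}

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(f"{path}: {', '.join(findings)}")
```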

## File Deletion

### Carving Vs Metadata

#### Carving

Carving tools are typically configured to scan for known file signatures at the start of clusters and 'carve' out the file data when a signature is located. The file signature is the file's magic number; for Windows executables it is `MZ` in ASCII, i.e. `0x4D 0x5A 0x90 0x00` at the start of the header. Solid-state drives (SSDs) are normally unreliable for carving and will usually yield only partial recovery; mechanical drives are normally fairly fruitful.

For metadata-based recovery, look for prefetch files (`.pf`), shortcut files (`.lnk`) and Recycle Bin metadata files (`$I`).

## Privacy cleaners

Privacy cleaners normally target key areas in the [Registry](/hacking-notes/dfir/forensics/windows/microsoft-forensics/registry.md), including:

* `WordWheelQuery` (keyword searches)
* `UserAssist` (GUI applications launched)
* `ComDlg32` (use of the open/save dialog box)
* `RecentDocs` (recently opened files)

Although the keys are deleted, they are not immediately removed from the [Registry](/hacking-notes/dfir/forensics/windows/microsoft-forensics/registry.md) hive; if a key is recoverable, you are more than likely able to recover its values as well. Copies of both [Registry](/hacking-notes/dfir/forensics/windows/microsoft-forensics/registry.md) data and the NTFS [$LogFile](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdlogfile) from after the deletion are normally available for a week or so, and are also stored in the [Volume Shadow Copy](#volume-shadow-copy).

## File Wipers

When a file is merely deleted, its space is simply marked as free in the NTFS metadata and the content remains on disk; file wipers overwrite that space, and the patterns they write are themselves identifiable.

#### SDelete

Wipes files, directories and free space. It renames `file.txt` to `AAAA.AAA` before removal, and the activity is recorded in the [$UsnJrnl](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdextend-usdusnjrnl) as `DataOverwrite` rather than `FileDelete`.

#### BCWipe

Effectively clears the [$I30](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdi30) index and the [$MFT](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdmft) record, and removes file slack and other slack space on the NTFS volume. It ***claims to*** wipe temporary data stored in the [$LogFile](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdlogfile).

Testing shows that [$LogFile](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdlogfile) removal is fairly poor and that the [$UsnJrnl](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdextend-usdusnjrnl) isn't touched at all!

The following sequence can be observed and used for detection:

1. The target file is renamed within the [$UsnJrnl](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdextend-usdusnjrnl) from `test123` to `hgfadsf` (or an equivalent string of random characters).
2. The final action on the target file was `FileDelete`, followed by a few `DataOverwrite` entries and then a `StreamChange`, signifying that the [Alternate Data Streams (ADS)](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#alternative-data-streams-a-ds) were altered.
3. A hidden file `~BCWipe.tmp` (a good IOC) is then created with the same [$MFT](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdmft) entry number as the deleted file.
4. Lots of files named `SECRET.txt!!!!!!!!!!!!!!!` are then created, to fill up the [$I30](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdi30) directory index.
5. A new directory named `BCW-DIR-NODES` is created.
6. All the `SECRET.txt!!!!!!!!!!!!!!!` files are moved into the `BCW-DIR-NODES` folder, renamed to `dir1`, `dir2`, etc., and then deleted, along with the `~BCWipe.tmp` file (created in step 3) and the directory (created in step 5).

In total, it creates around 1700 entries in the [$UsnJrnl](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdextend-usdusnjrnl).

#### Eraser

An open-source tool that has been around since 2003. It is not able to clear deleted entries in the [$I30](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdi30) slack of directory indexes, and it does not fully erase the [$MFT](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdmft) record for the target file, although the file was renamed! Eraser also cannot delete the [Zone.Identifier ADS](https://f1rstbyt3.gitbook.io/hacking-notes/dfir/forensics/windows/pages/vdRlZ5iwKSWKOh01uPsQ#zone.identifier-a-ds "mention"), which still held the URL of the download.

Eraser renames files seven times before deletion and changes the timestamps (the modified date is set to 1 January 1601, which is Windows zeroing out the FILETIME) in both [$FILE_NAME](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdfile_name) and [$STANDARD_INFORMATION](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdstandard_information). However, changing the time caused the [$MFT](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdmft) entry-modified (C) time in [$STANDARD_INFORMATION](/hacking-notes/dfir/forensics/windows/microsoft-forensics/ntfs.md#usdstandard_information) to be updated, so the (C) time remained consistently valid.

#### Cipher.exe

A built-in Windows tool: convenient and under the radar!

The first time the tool is run, a new directory named `EFSTMPWP` is created in the root of the volume. Temp files are then created and filled with data to overwrite the free space; they are normally named `fil<xxxx>.tmp`, where `xxxx` is a random alphanumeric value.
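The artefacts described for SDelete, BCWipe and Cipher.exe above, turned into a triage pass over $UsnJrnl records, as an added example (not code from these notes or from any of the tools). The rows are constructed to mimic an MFTECmd $J export; the generic check at the end flags any entry that was overwritten and then deleted, which is the sequence a plain delete never produces.

```python
import re

# Wiper artefacts named in the notes above, mapped to the tool that leaves them.
IOC_PATTERNS = [
    (re.compile(r"^A+\.A+$"), "SDelete"),                       # file.txt -> AAAA.AAA
    (re.compile(r"^~BCWipe\.tmp$", re.I), "BCWipe"),
    (re.compile(r"^BCW-DIR-NODES$"), "BCWipe"),
    (re.compile(r"^SECRET\.txt!+$"), "BCWipe"),
    (re.compile(r"^EFSTMPWP$"), "cipher.exe"),
    (re.compile(r"^fil[0-9A-Za-z]{4}\.tmp$", re.I), "cipher.exe"),  # fil<xxxx>.tmp
]

# Constructed $J rows (entry_number, file_name, update_reasons) in journal order,
# shaped like an MFTECmd $J export; the entries and names are made up here.
SAMPLE_USN = [
    (3100, "report.docx", "RenameOldName"),
    (3100, "hgfadsf", "RenameNewName"),
    (3100, "hgfadsf", "DataOverwrite|StreamChange"),
    (3100, "hgfadsf", "FileDelete|Close"),
    (3100, "~BCWipe.tmp", "FileCreate"),              # same entry number as the victim
    (3101, "SECRET.txt!!!!!!!!!!!!!!!", "FileCreate"),
    (3102, "BCW-DIR-NODES", "FileCreate"),
    (4200, "notes.txt", "RenameOldName"),
    (4200, "AAAA.AAA", "RenameNewName|DataOverwrite"),
    (5300, "EFSTMPWP", "FileCreate"),
    (5301, "filA9xQ.tmp", "FileCreate|DataExtend"),
    (6000, "budget.xlsx", "DataExtend|Close"),        # ordinary edit and delete
    (6000, "budget.xlsx", "FileDelete|Close"),
]

def match_iocs(rows):
    """Return (entry, name, tool) for every row whose name is a known wiper artefact."""
    return [(entry, name, tool) for entry, name, _ in rows
            for pat, tool in IOC_PATTERNS if pat.match(name)]

def overwritten_before_delete(rows):
    """Entry numbers overwritten and then deleted. A plain delete never logs
    DataOverwrite, so this sequence is the tool-independent wiper signature."""
    overwritten, flagged = set(), []
    for entry, _, reasons in rows:
        if "DataOverwrite" in reasons:
            overwritten.add(entry)
        if "FileDelete" in reasons and entry in overwritten:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_USN):
        print("artefact:", hit)
    print("overwritten then deleted:", overwritten_before_delete(SAMPLE_USN))
```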

## Volume Shadow Copy

VSS/VSC can be used to recover files that were deleted on the machine (assuming the shadow copies themselves weren't deleted). VSS uses a copy-on-write (COW) mechanism that stores only the data differences.

The files that are excluded from snapshots are listed in:

```powershell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
```

Windows 8 introduced `ScopeSnapshots`, which, when enabled, will 'monitor files in the boot volume that are relevant for system restore **only**'.

[Arsenal Image Mounter](https://arsenalrecon.com/products/arsenal-image-mounter) is a great tool for reading VSCs.

`Libvshadow` (`vshadowinfo` and `vshadowmount`) for Linux. The source can be a raw image but cannot be an E01; expose an E01 as a raw image with `ewfmount` first.

```bash
vshadowinfo [-o offset] <source>            # list the shadow copies present in the volume
ewfmount <image> <ewf_mount>                # E01 only: expose it as a raw image first
vshadowmount [-o offset] <source> <mount>   # present each VSC as a raw device (vss1, vss2, ...)
cd <mount>
for i in vss*; do mkdir -p /mnt/shadow_mount/$i; mount -o ro,show_sys_files,streams_interface=windows $i /mnt/shadow_mount/$i; done
```

#### [vss_carver.py](https://github.com/mnrkbys/vss_carver)

```bash
vss_carver.py -t <disk_image_type> -o <volume_offset_in_bytes> -i <disk_image> -c <catalog_file> -s <store_file>
vshadowmount -o <volume_offset_in_bytes> -c <catalog_file> -s <store_file> <disk_image> <mount_point>
```

Example carve:

Use the SIFT508 version, as it ships a patched `vshadowmount`.

```bash
# Carve the VSC catalog and store from the (ewfmount-exposed) image
vss_carver -t RAW -i /mnt/ewf_mount1/ewf1 -o 0 -c ~/vsscarve-basefile/catalog -s ~/vsscarve-basefile/store
# Review the recovered VSCs
vss_catalog_manipulator list ~/vsscarve-basefile/catalog
# Present the recovered VSCs as raw disk images
vshadowmount -o 0 -c ~/vsscarve-basefile/catalog -s ~/vsscarve-basefile/store /mnt/ewf_mount1/ewf1 /mnt/vsscarve_basefile/
# Mount all logical filesystems of the snapshots
cd /mnt/vsscarve_basefile/
for i in vss*; do mkdir -p /mnt/shadowcarve_basefile/$i; mount -o ro,show_sys_files,streams_interface=windows $i /mnt/shadowcarve_basefile/$i; done
```
