Anti-Forensics
Timestamp manipulation
Only some applications legitimately alter timestamps; e.g. a cloud sync application does not want to update a file's creation time when you download a shared document, so it sets the local copy's timestamps to the old values.
Malicious timestamp changes can be identified by the following steps:
- Compare the $FILE_NAME and $STANDARD_INFORMATION timestamps (can be done with MFTECmd, fls, istat and FTK Imager).
- Check for all zeros in the decimal place. Windows stores timestamps with nanosecond-level precision, so look for timestamps with an all-zero fractional part, e.g. 14:00:00+00:00.
- Compare the ShimCache/AppCompatCache timestamp with the $STANDARD_INFORMATION file modification time; you should see matching timestamps!
- Check the embedded compile time against the timestamps; a file shouldn't be compiled after it was written to disk. Both sigcheck.exe and ExifTool can check this.
- Look in the $I30 (parent directory) index, as it contains a full set of $SI timestamps plus the MFT entry number with sequence number, to conclusively track the file.
NTFS itself provides visibility into changes to files on the file system, including creation time.
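The checks above, written out as an added example in Python (this is not code from the original notes or from MFTECmd). The record layout (si_created, si_modified, fn_created, shimcache_modified, compile_time) is an assumption that mimics the $STANDARD_INFORMATION / $FILE_NAME columns MFTECmd exports, and the three records are constructed, not real evidence. It goes one step beyond the list above by also flagging timestamps reset to the FILETIME epoch (the Jan 1 1601 value mentioned under Eraser further down).

```python
"""Timestomping checks over MFT records. Added example, not from the original notes
or from MFTECmd; the record layout and the records themselves are constructed to
mimic the $STANDARD_INFORMATION ($SI) / $FILE_NAME ($FN) columns MFTECmd exports."""
from datetime import datetime, timezone

# A FILETIME of zero decodes to this; it is what a 'zeroed' Windows timestamp looks like
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_ts(s):
    """'YYYY-MM-DD HH:MM:SS[.fffffff]' -> (UTC datetime, sub-second 100-ns ticks); None passes through."""
    if s is None:
        return None, None
    base, _, frac = s.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return dt, ticks

def check_record(rec):
    """Return the list of indicator codes raised by one MFT record."""
    si_c, si_c_ticks = parse_ts(rec["si_created"])
    si_m, si_m_ticks = parse_ts(rec["si_modified"])
    fn_c, _ = parse_ts(rec["fn_created"])
    shim = parse_ts(rec.get("shimcache_modified"))
    compiled, _ = parse_ts(rec.get("compile_time"))
    findings = []
    # $SI created before $FN created: user-mode tools rewrite $SI but not $FN
    if si_c < fn_c:
        findings.append("SI_BEFORE_FN")
    # all-zero fractional seconds on $SI: precision a real write would not lose
    if si_c_ticks == 0 and si_m_ticks == 0:
        findings.append("ZERO_FRACTION")
    # ShimCache keeps its own copy of the $SI modified time; the two should agree
    if shim[0] is not None and shim != (si_m, si_m_ticks):
        findings.append("SHIMCACHE_MISMATCH")
    # a binary cannot be compiled after it was last written to disk
    if compiled is not None and compiled > si_m:
        findings.append("COMPILED_AFTER_WRITE")
    # timestamps reset to the FILETIME epoch (Jan 1 1601)
    if FILETIME_EPOCH in (si_c, si_m, fn_c):
        findings.append("ZEROED_FILETIME")
    return findings

def scan(records):
    """Map each record's name to its indicator codes."""
    return {r["name"]: check_record(r) for r in records}

SAMPLE_RECORDS = [  # constructed sample data, not real evidence
    {"name": "notepad.exe",            # consistent: nothing to flag
     "si_created": "2021-03-02 14:07:11.5418263", "si_modified": "2021-03-02 14:07:11.5418263",
     "fn_created": "2021-03-02 14:07:11.5418263",
     "shimcache_modified": "2021-03-02 14:07:11.5418263", "compile_time": "2019-12-07 09:32:45"},
    {"name": "svchost.exe",            # $SI backdated to a round time; $FN keeps the real time
     "si_created": "2018-01-01 14:00:00", "si_modified": "2018-01-01 14:00:00",
     "fn_created": "2022-06-15 03:21:09.0012345",
     "shimcache_modified": "2022-06-15 03:21:09.0012345", "compile_time": "2022-06-14 22:10:00"},
    {"name": "report.docx",            # timestamps zeroed to 1601-01-01
     "si_created": "1601-01-01 00:00:00", "si_modified": "1601-01-01 00:00:00",
     "fn_created": "1601-01-01 00:00:00"},
]

if __name__ == "__main__":
    for name, codes in scan(SAMPLE_RECORDS).items():
        print(name, codes or "clean")
```

Each code maps to one bullet above; a real run would feed in the MFTECmd CSV rows and the ShimCache and compile-time values from their own parsers, with the $I30 index entries as a second set of $SI timestamps to compare against.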
File Deletion
Carving vs Metadata
Carving tools are typically configured to scan for known file signatures at the start of clusters and 'carve' the file data out when the signature is located. The file signature is the magic number of the file, e.g. for Windows executables it's MZ in ASCII, or 0x4D 5A 90 00 in hex. Solid State Drives (SSDs) are normally unreliable for carving and will result in partial recovery; mechanical drives are normally fairly fruitful.
Metadata: look for prefetch files (.pf), lnk files (.lnk) and Recycle Bin metadata files ($I).
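The cluster-aligned signature scan described above, as an added Python example (not code from the original notes or from any carving tool). The cluster size, the in-memory image and the PE stub inside it are all constructed; the example also adds the check a practitioner wants with MZ, following e_lfanew to the PE\0\0 signature so that a stray "MZ" at a cluster boundary is not carved.

```python
"""Cluster-aligned signature carving for MZ executables. Added example, not code
from the original notes or any carving tool; the disk image is built in memory."""
import struct

CLUSTER = 4096          # assumed NTFS cluster size
MZ = b"MZ"              # DOS header magic, 0x4D 0x5A
PE_SIG = b"PE\x00\x00"  # NT header signature that e_lfanew points to

def build_sample_image():
    """Ten empty clusters holding one valid PE stub, one bare MZ and one unaligned MZ."""
    img = bytearray(CLUSTER * 10)
    stub = bytearray(0x200)
    stub[0:2] = MZ
    struct.pack_into("<I", stub, 0x3C, 0x80)      # e_lfanew -> offset of PE\0\0
    stub[0x80:0x84] = PE_SIG
    stub += b"\xCC" * 0x100                        # constructed 'code' bytes
    img[2 * CLUSTER:2 * CLUSTER + len(stub)] = stub
    img[5 * CLUSTER:5 * CLUSTER + 2] = MZ          # MZ with no PE header behind it
    img[7 * CLUSTER + 100:7 * CLUSTER + 102] = MZ  # MZ not at a cluster boundary
    return bytes(img)

def find_candidates(img):
    """Offsets of every cluster that starts with the MZ magic."""
    return [off for off in range(0, len(img), CLUSTER) if img[off:off + 2] == MZ]

def looks_like_pe(img, off):
    """Reduce false positives: e_lfanew must point at a PE\\0\\0 signature."""
    if off + 0x40 > len(img):
        return False
    e_lfanew = struct.unpack_from("<I", img, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return 0x40 <= e_lfanew <= 0x1000 and img[pe_off:pe_off + 4] == PE_SIG

def carve(img, max_len=64 * CLUSTER):
    """Return (offset, data) for validated hits; data runs to the next hit or max_len."""
    hits = find_candidates(img)
    carved = []
    for i, off in enumerate(hits):
        if not looks_like_pe(img, off):
            continue
        next_hit = hits[i + 1] if i + 1 < len(hits) else len(img)
        carved.append((off, img[off:min(off + max_len, next_hit)]))
    return carved

if __name__ == "__main__":
    for off, data in carve(build_sample_image()):
        print(f"carved {len(data)} bytes at offset {off:#x}")
```

Because nothing in the signature says how long the file is, the carved data runs to the next candidate header and so over-captures the padding after the stub; production carvers read the section table to size the file, and on an SSD the clusters behind a header may already have been trimmed, which is why carving there tends to return partial files.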
Privacy cleaners
Privacy cleaners normally target key areas in the Registry including:
- WordWheelQuery (keyword searches)
- UserAssist (GUI applications launched)
- ComDlg32 (use of the open/save dialog box)
- RecentDocs (recently opened files)
Whilst the keys are deleted, they are not immediately removed from the Registry hive; if a key is recoverable then you are more than likely able to recover the value too. Copies of both Registry data and the $LogFile are normally still available for a week or so after deletion, and are also stored in the Volume Shadow Copies.
File Wipers
When a file is deleted, its space is seen as unallocated (sparse) space within the NTFS attributes; file wipers fill that blank space with identifiable patterns.
SDelete
Wipes files, directories and free space. Renames file.txt to AAAA.AAA; this also shows up in $Extend\$UsnJrnl as "DataOverwrite", not as a "FileDelete".
BCWipe
Effectively clears $I30 and $MFT entries, removes file slack and slack space on the NTFS drive, and claims to wipe temp data stored in $LogFile.
Testing proves $LogFile removal is fairly low, and $Extend\$UsnJrnl isn't touched at all!
Detection steps include (as seen in $Extend\$UsnJrnl):
1. Renames the target file from 'test123' to 'hgfadsf' (or equivalent random chars).
2. Final action on the target file was 'FileDelete', followed by a few 'DataOverwrite' entries and then a 'StreamChange' signifying the Alternate Data Stream (ADS) was altered.
3. Then creates a hidden file '~BCWipe.tmp' (good IOC) with the same $MFT entry number as the deleted file.
4. Then creates lots of files named 'SECRET.txt!!!!!!!!!!!!!!!' (this is to fill up the $I30 directory listings).
5. A new directory named 'BCW-DIR-NODES' is created.
6. All the 'SECRET.txt!!!!!!!!!!!!!!!' files are moved to the 'BCW-DIR-NODES' folder; after moving and being renamed to 'dir1', 'dir2' etc, they are deleted, along with the tmp file (created in step 3) and the directory (created in step 5).
In total, it creates around 1700 entries in $Extend\$UsnJrnl.
Eraser
Open-source tool that has been around since 2003. Not able to clear deleted entries in the $I30 slack directory indexes; it also does not fully erase the $MFT record for the target file, but the file was renamed! Eraser cannot delete the Zone.Identifier ADS, which still held the URL of the download.
Eraser does rename files 7 times before deletion and changes the timestamps (modified date set to Jan 1 1601, which is Windows zeroing out the value) in both $FILE_NAME and $STANDARD_INFORMATION; however, changing the time caused the $MFT entry change (C) time in $STANDARD_INFORMATION to be updated, so the (C) time was consistently valid.
Cipher.exe
Built-in Windows tool, convenient and under the radar!
You find a new directory named "EFSTMPWP" created in the root of the volume (the first time the tool is run); temp files are created and filled with data to overwrite free space, normally named 'fil<xxxx>.tmp' where xxxx are random alphanumeric values.
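The artefacts described for SDelete, BCWipe, Eraser and Cipher.exe above, turned into checks over $UsnJrnl records as an added Python example (not code from the original notes or from any of those tools). The record layout (usn, entry, name, reason) is an assumption mimicking the Name / EntryNumber / UpdateReasons columns MFTECmd exports from $J, and every record below is constructed, not real evidence.

```python
"""Wiper indicators in $Extend\\$UsnJrnl records. Added example, not from the
original notes or from any wiper; records are constructed to mimic MFTECmd's
$J output (usn, MFT entry number, name, '|'-joined update reasons)."""
import re
from collections import defaultdict

SDELETE_RENAME = re.compile(r"^([A-Z])\1{3}\.\1{3}$")      # file.txt -> AAAA.AAA
BCWIPE_ARTEFACTS = {"~BCWipe.tmp", "BCW-DIR-NODES"}        # names BCWipe leaves
BCWIPE_FILLER = re.compile(r"^SECRET\.txt!+$")              # BCWipe $I30 filler
CIPHER_FILLER = re.compile(r"^fil[0-9A-Za-z]{4}\.tmp$")     # Cipher.exe fil<xxxx>.tmp
ERASER_RENAMES = 7                                          # Eraser renames 7 times

def reasons_of(rec):
    """MFTECmd joins multiple reason flags with '|'; split them into a set."""
    return set(rec["reason"].split("|"))

def analyse_usn(records):
    """Group records by MFT entry number and return wiper indicators per entry."""
    by_entry = defaultdict(list)
    for r in records:
        by_entry[r["entry"]].append(r)
    entries, bcwipe_filler, cipher_filler = {}, 0, 0
    for entry, recs in by_entry.items():
        recs = sorted(recs, key=lambda r: r["usn"])
        names = [r["name"] for r in recs]
        reasons = set().union(*(reasons_of(r) for r in recs))
        codes = []
        # SDelete: AAAA.AAA rename plus DataOverwrite, but no FileDelete logged
        if (any(SDELETE_RENAME.match(n) for n in names)
                and "DataOverwrite" in reasons and "FileDelete" not in reasons):
            codes.append("SDELETE_PATTERN")
        # BCWipe: random rename, overwrite, ADS change and delete on one entry
        if {"RenameNewName", "DataOverwrite", "StreamChange", "FileDelete"} <= reasons:
            codes.append("BCWIPE_WIPE_SEQUENCE")
        # BCWipe: ~BCWipe.tmp created on the same entry number after the delete
        deleted_at = next((i for i, r in enumerate(recs) if "FileDelete" in reasons_of(r)), None)
        if deleted_at is not None and any(r["name"] == "~BCWipe.tmp" for r in recs[deleted_at + 1:]):
            codes.append("BCWIPE_TMP_REUSES_ENTRY")
        if any(n in BCWIPE_ARTEFACTS for n in names):
            codes.append("BCWIPE_ARTEFACT_NAME")
        # Eraser: seven (or more) renames before the FileDelete
        renames = sum("RenameNewName" in reasons_of(r) for r in recs)
        if renames >= ERASER_RENAMES and "FileDelete" in reasons:
            codes.append("ERASER_MULTI_RENAME")
        bcwipe_filler += sum(1 for n in names if BCWIPE_FILLER.match(n))
        cipher_filler += sum(1 for n in names if CIPHER_FILLER.match(n))
        if codes:
            entries[entry] = codes
    return {"entries": entries, "bcwipe_filler": bcwipe_filler, "cipher_filler": cipher_filler}

SAMPLE_USN = (  # constructed sample journal, not real evidence
    # SDelete-style: renamed to AAAA.AAA and overwritten, no FileDelete logged
    [{"usn": 100, "entry": 4210, "name": "plan.docx", "reason": "RenameOldName"},
     {"usn": 101, "entry": 4210, "name": "AAAA.AAA", "reason": "RenameNewName"},
     {"usn": 102, "entry": 4210, "name": "AAAA.AAA", "reason": "DataOverwrite|Close"}]
    # BCWipe-style target, then ~BCWipe.tmp re-using the freed entry number
    + [{"usn": 200, "entry": 5120, "name": "test123", "reason": "RenameOldName"},
       {"usn": 201, "entry": 5120, "name": "hgfadsf", "reason": "RenameNewName"},
       {"usn": 202, "entry": 5120, "name": "hgfadsf", "reason": "DataOverwrite"},
       {"usn": 203, "entry": 5120, "name": "hgfadsf", "reason": "StreamChange"},
       {"usn": 204, "entry": 5120, "name": "hgfadsf", "reason": "FileDelete|Close"},
       {"usn": 205, "entry": 5120, "name": "~BCWipe.tmp", "reason": "FileCreate"},
       {"usn": 206, "entry": 6001, "name": "BCW-DIR-NODES", "reason": "FileCreate"},
       {"usn": 207, "entry": 6002, "name": "SECRET.txt!!!!!!!!!!!!!!!", "reason": "FileCreate"},
       {"usn": 208, "entry": 6003, "name": "SECRET.txt!!!!!!!!!!!!!!!", "reason": "FileCreate"}]
    # Eraser-style: seven renames, then delete
    + [{"usn": 300 + i, "entry": 8100, "name": f"x{i}", "reason": "RenameNewName"} for i in range(7)]
    + [{"usn": 310, "entry": 8100, "name": "x6", "reason": "FileDelete|Close"}]
    # Cipher.exe-style free-space filler
    + [{"usn": 400, "entry": 9001, "name": "filA1b2.tmp", "reason": "FileCreate"}]
    # benign edit-and-delete for contrast
    + [{"usn": 500, "entry": 7000, "name": "notes.txt", "reason": "DataExtend|Close"},
       {"usn": 501, "entry": 7000, "name": "notes.txt", "reason": "FileDelete|Close"}]
)

if __name__ == "__main__":
    print(analyse_usn(SAMPLE_USN))
```

The indicators are set-based on each MFT entry's reasons rather than order-based, so they hold whether the journal shows the DataOverwrite entries before or after the FileDelete; the filler counts are what you would expect to climb into the hundreds for a real BCWipe run given the ~1700 journal entries it generates.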
Volume Shadow Copy
VSS/VSC can be used to recover files that were deleted on the machine (assuming the shadow copies themselves weren't deleted). VSS has a copy-on-write (COW) system that only stores the data differences.
The files that aren't backed up are listed in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
Windows 8 introduced 'ScopeSnapshots'; when enabled, VSS will 'monitor files in the boot volume that are relevant for system restore only'.
Arsenal Image Mounter is a great tool to read VSCs.
Libvshadow (vshadowinfo and vshadowmount) for Linux. The source can be a raw image but can't be E01, so mount an E01 with ewfmount first:
vshadowinfo [-o offset] <source>
ewfmount <image> <ewf_mount>
vshadowmount [-o offset] <source> <mount>
cd <mount>
for i in vss*; do mkdir -p /mnt/shadow_mount/$i; mount -o ro,show_sys_files,streams_interface=windows $i /mnt/shadow_mount/$i; done
vss_carver.py -t <disk_image_type> -o <volume_offset_in_bytes> -i <disk_image> -c <catalog_file> -s <store_file>
vshadowmount -o <volume_offset_in_bytes> -c <catalog_file> -s <store_file> <disk_image> <mount_point>
Example carve:
Use the SIFT508 version of vshadowmount as it's the patched build.
# use vss_carver against the image
vss_carver -t RAW -i /mnt/ewf_mount1/ewf1 -o 0 -c ~/vsscarve-basefile/catalog -s ~/vsscarve-basefile/store
# Review recovered VSCs
vss_catalog_manipulator list ~/vsscarve-basefile/catalog
# Present recovered VSCs as raw disk images
vshadowmount -o 0 -c ~/vsscarve-basefile/catalog -s ~/vsscarve-basefile/store /mnt/ewf_mount1/ewf1 /mnt/vsscarve_basefile/
# mount all logical filesystems of the recovered snapshots
cd /mnt/vsscarve_basefile/
for i in vss*; do mkdir -p /mnt/shadowcarve_basefile/$i; mount -o ro,show_sys_files,streams_interface=windows $i /mnt/shadowcarve_basefile/$i; done