Section 4.3: Filesystem Timeline Creation and Analysis

Question 1

Name the four Windows NTFS Timestamps. Which one would analyst mainly focus on?

Answer 1

(M) last modification, (A) last access, (C) last metadata change time, (B) file creation time. Focus on (M) & (B).

Question 2

What time formats does NTFS and FAT systems use?

Answer 2

NTFS uses 64-bit FILETIME UTC and FAT uses local computer time.

Question 3

What timestamps are updated if a volume file is moved via CLI?

Answer 3

(A) & (B)

Question 4

What timestamp is updated if a volumne file is moved through copy & paste?

Answer 4

(A)

Question 5

What timestamps are updated if a file is copied?

Answer 5

(A), (C), & (B)

Question 6

What can disrupt timestamp rules?

Answer 6

Applications, anti-forensics, archiving, and antivirus scanning.

Question 7

How can I discover the date/time a malicious application was sent to a remote system?

Answer 7

Check the creation time of the application as this can serve the date it was used for lateral movement.

Question 8

What is MFTECmd.exe and what files can it use as input?

Answer 8

It extracts metadata and prepares as a bodyfile for mactime to use. Files it can parse are: MFT, J, LogFile, Boot, and SDS.

Question 9

What is alternative tool for extracting metadata to create a bodyfile?

Answer 9

Fls

Question 10

What are the main differences between MFTECmd.exe and Fls?

Answer 10

MFTECmd.exe only parses NTFS filesystems while Fls can use more. Fls can extract metadata from an image (the whole drive) while MFTECmd.exe depends on $MFT file. Fls can also be used on live systems.

Question 11

What does the mactime tool do?

Answer 11

It grabs the bodyfile created from MFTECmd or Fls and makes the data human readable.