NTFS- File System Analysis

New Technology File System

Description:

The New Technology File System (NTFS) is a proprietary file system developed by Microsoft for Windows operating systems, known for its support of large volumes, advanced data structures, and security features such as file and folder permissions. NTFS provides enhanced performance, reliability, and disk space utilization compared to earlier file systems like FAT32.

Important Information:

  • $I30: The slack space of the $I30 directory index attribute may still contain entries for old or deleted files.

Path:

  • Root
    • $MFT
    • $J
    • $UsnJrnl
    • $LogFile
    • $I30

Analysis:

Software:

  • MFTECmd.exe (Eric Zimmerman)
    • 0x10 = $STANDARD_INFORMATION
    • 0x30 = $FILE_NAME (if a 0x30 value is blank, it is the same as 0x10)

Alternate Data Stream

Timestamps

Important Information:

  • $STANDARD_INFO: Can be modified by user-level processes such as timestomp.
  • $FILE_NAME: Can only be modified by the system kernel. (There are no known anti-forensic utilities that can change these timestamps.)
    • $FILE_NAME contains the timestamp of when the file was created in the file system.
  • MACB Timestamps [1]
    • (M) Modified: Indicates the last time the content of the file was altered.
    • (A) Accessed: Shows the last time the file was opened or read.
      • $STANDARD_INFO: Do not trust this; AV scans also update this timestamp.
    • (C) Changed: Shows a metadata or content change.
      • $FILE_NAME: File metadata change.
    • (B) Born: Represents the creation time of the file, indicating when the file was originally created on the file system.
      • $STANDARD_INFO: Also known as Created On.
  • Windows 11 timestamps change differently. [2]

Analysis:

To see if a file’s timestamps have been tampered with using Timestomp, follow these example steps:

  1. Compare Timestamps:
    • Check whether the $FILE_NAME creation timestamp is later than the $STANDARD_INFORMATION creation timestamp.
  2. Look for Anomalies:
    • If $FILE_NAME shows a later time, it might mean someone has changed the $STANDARD_INFORMATION timestamps.
  3. Verify Modification and Birth Times:
    • Compare the Modification and Birth timestamps in both $FILE_NAME and $STANDARD_INFORMATION.
      If you find any discrepancies, it could indicate that the file has been timestomped.
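The three steps above as a script over MFTECmd-style CSV output. This is an added example, not code from the page or from MFTECmd; the column names (Created0x10, Created0x30, LastModified0x10, LastModified0x30) and the sample rows are assumptions I constructed. It also goes one step beyond the page by flagging $STANDARD_INFORMATION times whose 100 ns part is zero, a common trace of user-mode timestomping.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows. Column names follow the MFTECmd CSV layout as I
# recall it (0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME); an assumption.
SAMPLE_CSV = """EntryNumber,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
100,notes.txt,2023-05-01 10:00:00.1234567,2023-05-01 10:00:00.1234567,2023-05-02 09:30:00.5550000,2023-05-01 10:00:00.1234567
101,evil.exe,2019-01-01 00:00:00.0000000,2023-06-15 14:22:08.9876543,2019-01-01 00:00:00.0000000,2023-06-15 14:22:08.9876543
"""


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' (7 digits = 100 ns ticks).
    Returns (whole-second datetime, ticks): tuples compare with full precision
    and the sub-second part stays inspectable on its own."""
    head, _, frac = text.partition(".")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return datetime.strptime(head, "%Y-%m-%d %H:%M:%S"), ticks


def check_record(row):
    """Return the list of findings for one MFT record (empty = nothing odd)."""
    findings = []
    si_created = parse_ts(row["Created0x10"])
    fn_created = parse_ts(row["Created0x30"])
    si_modified = parse_ts(row["LastModified0x10"])
    fn_modified = parse_ts(row["LastModified0x30"])
    # Steps 1-2: $FILE_NAME creation later than $STANDARD_INFORMATION creation.
    if fn_created > si_created:
        findings.append("FN created after SI created")
    # Step 3: $FILE_NAME modification later than $STANDARD_INFORMATION's.
    if fn_modified > si_modified:
        findings.append("FN modified after SI modified")
    # Beyond the page's steps: user-mode timestomping tools commonly write
    # whole seconds, leaving the 100 ns part zero. A heuristic, not proof.
    if si_created[1] == 0 or si_modified[1] == 0:
        findings.append("SI timestamp has zero sub-second part")
    return findings


def scan(csv_text):
    """Run check_record over MFTECmd-style CSV text; map FileName -> findings."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = check_record(row)
        if hits:
            results[row["FileName"]] = hits
    return results
```

An empty result is not a clean bill of health: a rename or move on the same volume writes a fresh $FILE_NAME attribute with times copied from $STANDARD_INFORMATION, so corroborate with $UsnJrnl and $LogFile entries for the file.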

Reference:

1. https://andreafortuna.org/2017/10/06/macb-times-in-windows-forensic-analysis/

2. https://www.khyrenz.com/post/windows-11-time-rules