Saturday, November 3, 2018

Daily Blog #527: Solution Saturday 11/3/18

Hello Reader,
This week I got multiple qualifying submissions, all of which answered the base challenge, so it came down to the most complete answer. This week a new challenger arises victorious!

Sandor Tokesi, in his first submission, has won the day by addressing the challenge for both Windows 7 and Windows 10, and by including both the Standard Information and Filename timestamps across multiple copy scenarios.

Well done Sandor! Tomorrow a new challenge to try for!

The Challenge:
What does performing a copy and paste across two NTFS volumes do to the timestamps of the file being copied and of the file created by the copy, in Windows 7 and Windows 10?

The Winning Answer:

Timestamp changes in case of copy command (Win7, Win10)

Investigating timestamp differences between Windows 7 and Windows 10.

I intended to figure out how the MACB timestamps of the original and the newly created files change during a file copy in Windows. I also checked the differences between the results of the GUI-based copy and paste method and the command-line copy command. I compared the changes in the case of an in-volume copy and in the case of copying to a different volume as well.


Tools:
These are the tools that were used during my investigation.
       Microsoft Windows 10 64-bit v10.0.17134.345
       Microsoft Windows 7 Enterprise SP1
       FTK Imager 4.2 - for creating images of the drives and for saving the $MFT file
       analyzeMFT.py - for MFT parsing (https://github.com/dkovar/analyzeMFT)

MACB
An NTFS volume stores 8 different timestamps for a single file. These timestamps are the following:
       Modified
       Accessed
       Changed (Info Entry date change)
       Birth (file creation time)
All four of these timestamps are stored in both $STANDARD_INFO and $FILE_NAME.

The difference between the two attributes:
       $STANDARD_INFO: can be modified by user-level processes. Therefore it can be altered by anti-forensics utilities.
       $FILE_NAME: can only be modified by the system kernel. No known anti-forensics tools can modify it.

Method of investigation
1)    I generated two files in an NTFS volume.
2)    Copied one of the files with copy and paste, and the other one with the copy command from the command line, into a different directory.
3)    Generated two files in an NTFS volume to test the out-of-volume copy.
4)    Copied one of the files with copy and paste, and the other one with the copy command from the command line, into a different volume.

After every step I generated an image of the affected volumes, which resulted in 5 different images for both OSs.

I collected the $MFT files from the images and parsed their content with analyzeMFT.py. Finally I compared the collected timestamps.
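The comparison step above, as an added worked example (this script is not part of Sandor's submission and is not analyzeMFT.py itself): it loads two $MFT exports in the CSV layout analyzeMFT.py produces, lines up the eight MACB values of the source file and of the file the copy created, and reports which timestamps changed. The column names are an assumption about analyzeMFT.py's header row, and the sample rows are constructed to exercise the code, not measured results.

```python
import csv
import io
from datetime import datetime

# Column names are an ASSUMPTION about the analyzeMFT.py CSV header;
# verify them against a real export before pointing this at one.
COLS = {
    ("SI", "B"): "Std Info Creation date", ("SI", "M"): "Std Info Modification date",
    ("SI", "A"): "Std Info Access date", ("SI", "C"): "Std Info Entry date",
    ("FN", "B"): "FN Info Creation date", ("FN", "M"): "FN Info Modification date",
    ("FN", "A"): "FN Info Access date", ("FN", "C"): "FN Info Entry date",
}
HEADER = "Filename #1," + ",".join(COLS.values())

# Constructed rows, not measured results: the source file from the pre-copy
# image, and the file the copy created from the post-copy image (SI B/M/A/C, FN B/M/A/C).
BEFORE_CSV = HEADER + "\ntest1.txt," + ",".join(
    ["2018-10-28 10:00:00", "2018-10-28 10:05:00", "2018-10-28 10:05:00",
     "2018-10-28 10:05:00"] + ["2018-10-28 10:00:00"] * 4)
AFTER_CSV = HEADER + "\ntest1_copy.txt," + ",".join(
    ["2018-10-28 11:00:00", "2018-10-28 10:05:00"] + ["2018-10-28 11:00:00"] * 6)


def load_records(csv_text):
    """Map each filename to its eight (attribute, letter) -> datetime values."""
    records = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        records[r["Filename #1"]] = {
            key: datetime.strptime(r[col], "%Y-%m-%d %H:%M:%S")
            for key, col in COLS.items()}
    return records


def diff_timestamps(before, after):
    """Split the eight keys into changed ("blue") and unchanged ("green") values."""
    changed = {k: (before[k], after[k]) for k in COLS if before[k] != after[k]}
    unchanged = [k for k in COLS if k not in changed]
    return changed, unchanged


def looks_copied(rec):
    """$STANDARD_INFO creation later than modification is the classic sign of a
    copied file: the copy gets a fresh B but inherits M from the source."""
    return rec[("SI", "B")] > rec[("SI", "M")]


if __name__ == "__main__":
    src = load_records(BEFORE_CSV)["test1.txt"]
    dst = load_records(AFTER_CSV)["test1_copy.txt"]
    changed, unchanged = diff_timestamps(src, dst)
    for key, (old, new) in changed.items():
        print(f"{key[0]} {key[1]}: {old} -> {new}")
    print("unchanged:", unchanged, "| copy indicator:", looks_copied(dst))
```

Run it against two real exports by reading the CSV files into the two strings; the same diff then reproduces the blue/green view for any pair of images.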

Here are the timestamps from my tests (blue values are the ones that changed, green values are unchanged):