Daily Blog #212: Let's talk about MTP Part 4

Let's talk about MTP Part 4 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
        Let's get back to this series. If you've read Nicole Ibrahim's blog you've already seen most of this data, I'm just doing my own testing to confirm her findings and see what else I find. Today let's look at artifacts of file access from an Android phone using MTP.

I again attached my AT&T Avail 2 and this time opened up the file I copied on to it, shellbags.pl. Following Nicole's research, found here, I went to the WPDNSE directory located under:
"C:\Users\\AppData\Local\Temp\WPDNSE\"
from there I found a folder with the GUID name:
"{00000025-0001-0001-0000-000000000000}"
located under it was the shellbags.pl file I accessed from the phone as expected. There will be one GUID folder created for every folder that a file is accessed from within the MTP device, for all MTP devices accessed. To determine which folder or device this GUID came from you'll have to go to the shellbags. We'll cover that tomorrow and look for other sources of this correlation.

 What was interesting to me that I didn't see Nicole mention was the dates on the file located under the GUID folder. The creation date of the file was set to the time I accessed the file from the phone, not the time the file was copied to the phone.

Let's talk about MTP Part 4 by David Cowen - Hacking Exposed Computer Forensics Blog


The modification time of the file corresponded to the original modification date of the file I copied onto the MTP device in the prior test. When looking at the files through the MTP shell extension I notice that only the modification date is displayed in the properties.

Let's talk about MTP Part 4 by David Cowen - Hacking Exposed Computer Forensics Blog


I copied a file into the same directory on the Android phone via MTP again, this time with the WPDNSE directory open, but no temporary file got created. So we get artifacts within the WPDNSE directory from file accesses via MTP but not from file copies to a MTP device.

Tomorrow let's look what other artifacts are left from these file copies and accesses.

Also Read:

Post a Comment