Hello Reader,
This week I got multiple qualifying submissions all of which answered the base challenge, meaning that it came down to the most complete answer. This week a new challenger arises victorious!
Sandor Tokesi in his first submission has won the day with not only addressing the challenge for both Windows 7 and Windows 10 but also including both the Standard Information and Filename timestamps while including multiple copy scenarios.
Well done Sandor! Tomorrow a new challenge to try for!
The Challenge:
What does performing a copy and paste across two NTFS volumes do to timestamps of the file being copied and the file that is created due to the copy in Windows 7 and Windows 10.
The Winning Answer:
Timestamp changes in case of copy command (Win7, Win10)
Investigating timestamp differences between Windows 7 and Windows 10.
I intended to figure out how MACB timestamps of the original and the newly created files are changing during a file copy in Windows. I also checked the differences between the results of the GUI based copy and paste method and the command line based copy command. I compared the changes in case of an in-volume copy and in case of copying to a different volume as well.
Tools:
These are the tools that were used during my investigation.
• Microsoft Windows 10 64-bit v10.0.17134.345
• Microsoft Windows 7 Enterprise SP1
• FTK Imager 4.2 - for creating images about the drives and to save the MFT file
• analyzeMFT.py - for MFT parsing (https://github.com/dkovar/analyzeMFT)
MACB
An NTFS volume stores 8 different timestamps for a single file. These timestamps are the following:
• Modified
• Accessed
• Changed (Info Entry date change)
• Birth (file creation time)
All of these 4 information snippets are stored in the $STANDARD_INFO and in the $FILE_NAME as well.
The difference between the two attributes:
• $STANDARD_INFO: can be modified by user level processes. Therefore it can be altered by anti-forensics utilities.
• $FILE_NAME: can only be modified by the system kernel. No known anti-forensics tools can modify it.
Method of investigation
1) I generated two files in an NTFS volume.
2) Copied one of the files with copy paste and the other one with copy command from command line into a different directory.
3) Generated two files in an NTFS volume to test out-of-volume copy.
4) Copied one of the files with copy paste and the other one with copy command from command line into a different volume.
After every step I generated an image of the affected volumes which resulted in 5 different images for both OSs. I collected the $MFT files from the images and parsed their content with analyzeMFT.py. Finally I compared the collected timestamps.
Here are the timestamps of my tests (blues are the changed values and greens are the unchanged ones):
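The comparison step of the method above (parse each image's $MFT with analyzeMFT.py, then compare the eight $STANDARD_INFO and $FILE_NAME timestamps of a file across images, or of a source file against its copy) can be scripted. The following is an added example, not part of Sandor's submission or of analyzeMFT; the CSV column names are assumed from analyzeMFT's CSV output and the sample rows are constructed to exercise the comparison, not observed results:

```python
import csv
import io

# Columns in analyzeMFT.py's CSV output that hold the eight MACB timestamps.
# Header names are assumed from analyzeMFT's CSV format; adjust if your version differs.
NAME_COL = "Filename #1"
SI_COLS = ["Std Info Creation date", "Std Info Modification date",
           "Std Info Access date", "Std Info Entry date"]
FN_COLS = ["FN Info Creation date", "FN Info Modification date",
           "FN Info Access date", "FN Info Entry date"]

def load_records(csv_text):
    """Index one analyzeMFT CSV export (one per image) by file name."""
    return {row[NAME_COL]: row for row in csv.DictReader(io.StringIO(csv_text))}

def diff_timestamps(records_a, name_a, records_b, name_b):
    """Return {column: (value_a, value_b)} for every $STANDARD_INFO / $FILE_NAME
    timestamp that differs between record name_a in export A and name_b in export B.
    Same name on both sides tracks one file across two images; different names
    compare a source file with its copy inside one image."""
    a, b = records_a[name_a], records_b[name_b]
    return {col: (a[col], b[col]) for col in SI_COLS + FN_COLS if a[col] != b[col]}

def changed_attributes(diff):
    """Summarise a diff as which attribute(s) moved: $STANDARD_INFO, $FILE_NAME or both."""
    return {"SI": any(c in diff for c in SI_COLS), "FN": any(c in diff for c in FN_COLS)}

HEADER = ",".join([NAME_COL] + SI_COLS + FN_COLS)
# Constructed sample exports (not real MFT data): image 1 before the copy, image 2 after it.
IMAGE1 = HEADER + """
test1.txt,2018-10-12 10:00:00,2018-10-12 10:05:00,2018-10-12 10:00:00,2018-10-12 10:05:00,2018-10-12 10:00:00,2018-10-12 10:00:00,2018-10-12 10:00:00,2018-10-12 10:00:00
"""
IMAGE2 = HEADER + """
test1.txt,2018-10-12 10:00:00,2018-10-12 10:05:00,2018-10-12 10:30:00,2018-10-12 10:05:00,2018-10-12 10:00:00,2018-10-12 10:00:00,2018-10-12 10:00:00,2018-10-12 10:00:00
copy_of_test1.txt,2018-10-12 10:30:00,2018-10-12 10:05:00,2018-10-12 10:30:00,2018-10-12 10:30:00,2018-10-12 10:30:00,2018-10-12 10:30:00,2018-10-12 10:30:00,2018-10-12 10:30:00
"""

if __name__ == "__main__":
    img1, img2 = load_records(IMAGE1), load_records(IMAGE2)
    # Which of the source file's timestamps moved between the two images?
    print("source before/after:", diff_timestamps(img1, "test1.txt", img2, "test1.txt"))
    # Which timestamps did the copy inherit from the source, and which are new?
    print("source vs copy:", diff_timestamps(img2, "test1.txt", img2, "copy_of_test1.txt"))
```

Run analyzeMFT.py with CSV output against each extracted $MFT and feed the files' contents to load_records to apply the same comparison to real images.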