@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage bam base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit magnet virtual summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin pancake viewer path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog #534: Solution Saturday 11/10/18

Hello Reader,
         Another week and another round of quality submissions. Once again Sandor Tokesi
 has taken a win by including not just all of the file name and standard information attribute timestamps, he also tested cut and paste within a volume and between volumes. In addition he also tested the move command which the is the command line equivalent. As the rules state the most complete answer wins and in this case Sandor has the most complete answer submitted.

The Challenge:
What does performing a cut and paste across two NTFS volumes do to timestamps of the file being copied and the file that is created due to the copy in Windows 7 and Windows 10.

The Winning Answer:


Investigating the MACB timestamps change in case of file moving.
Checking how the timestamps are changing on Windows 7 and Windows 10 when moving the file to a different folder or to a different volume.


Used Tools:

       Windows 7 Home Premium SP1 Version: 6.1 (build 7601) I didnt get the results I expected so I checked a different (older) version of Win7 as well.
       Windows 7 Enterprise SP1
       Windows 10 Enterprise Version: 1803
       FTK Imager 4.2 - for creating images about the drives and to save the MFT file
       analyzeMFT.py - for MFT parsing (https://github.com/dkovar/analyzeMFT) The test was made between 11/4/2018 (Nov) and 11/5/2018 (Nov).
I tested this scenario with three different cut and paste methods:
       Command line: move command
       GUI-based CTRL-X and CTRL-V
       Drag and drop method (also gui based)


After summarizing my results I had some interesting findings:

1: There weren’t any differences between the results of my test on Windows 7 and Windows 10. Both of the OSs showed completely the same results.
This is especially interesting if we compare them to the SANS results on Windows 7/8 (https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident- Response-Poster-2012.pdf) and the results by CyberForensicator on Windows 10. (http://cyberforensicator.com/2018/03/25/windows-10-time-rules/).

While SANS has an A for Win 7/8 and the other team has a B result for Win10 I got the same C result for both of the OSs.
(find a comparison below)

2: The Drag and Drop method has different functions behind it, depending on the target Volume. If the target is the same volume (and a different directory), the Drag and Drop method moves the file. If the target is a different volume, this method behaves as a file copy. Because of this, in case of out-of- volume copy the Drag and Drop method is not a test for cut and paste but a test for copy and paste.
Here are pictures which show this difference:
The file was copied from the D drive, and the target is the D in the first and E in the second one.

3: Only the Entry (STD and FN) date timestamp was changed in case of in-volume copy for every OSs and methods.

4: The timestamps of the original files in case of out-of-volume move weren’t changed at all. The only thing that changed in case of the command line moving and GUI-based CTRL-X CTRL-V methods were the value of the ‘Active’ flag. This flag was switched from ‘Active’ to ‘Inactive’ on the original volume when the files were moved to a different volume. This means the file is no longer present on that volume. In case of Drag and Drop the result was different and non-relevant because as I stated earlier Drag and Drop is functioning as a copy function if we try to move something out-of-volume.

5: Additional findings with the help of Win 7 Home Premium. I compared the results of two different Win 7 versions but both of them changed the same timestamps.


Result about the changes in a table:

The same results in 2 different tables for better visibility

How are the timestamps changing as a result of cut and paste?

One can see that a lot of timestamps are changing during the execution of this function. The new values after the command are pretty straightforward. In every situation the value of the timestamps which are changed is going to be the date and time of the move/paste.
There is only one scenario which contains a different timestamp change. In case we are moving a file inside the volume (the method and the OS doesn’t matter) the new value of the FN Info Entry date is going to be the previous (pre move) value of the Std Info Entry date instead of the usual move time.


SANS timestamp changes:

I compared it to the closest one. They are not exactly the same. The closest one from my test was the Ctrl-X Ctrl-V GUI-based method. SANS possibly used this method during its investigation (according to their whitepaper this was the used method: https://www.sans.org/reading- room/whitepapers/forensics/filesystem-timestamps-tick-36842).

CyberForensicator timestamp changes:

Again, I compared it to my closest one. In this case it was command line-based move command. One can notice that I could find a perfect fit for the out-of-volume copies but not for the in-volume ones.

According to my results the main numbering are not the only ones that counts in Windows, in case of investigation. Different versions and updates are important as well. My investigation is newer than the linked ones and the different timestamp changes might be the results of a newer function, a fresher version of Windows (this is just an assumption since I got the same results for an older Win7 Home as well).

For better visibility, this time I left out the detailed dates and times and only put the results and facts into the report.

Post a Comment


Author Name

Contact Form


Email *

Message *

Powered by Blogger.