12 - Temporal Analysis Flashcards

(26 cards)

1
Q

What is NTFS?

A

NTFS (New Technology File System) is the file system used by Windows, from Windows NT onward and currently in Windows 10, 11, Server, etc.

2
Q

How are files organized?

A

Files are chunked into clusters (akin to ExtX’s blocks)
- Cluster 0 starts at the beginning of the file system
- At the beginning of cluster 0 is the boot sector

3
Q

What is the central paradigm?

A

Central paradigm: Everything (everything!) is a file.
- Each byte of an NTFS file system belongs to a file
- File system data and meta data are located in files, too

4
Q

What is the Master File Table (MFT)?

A

One file to rule them all: The Master File Table (MFT).

In NTFS, information about all files and directories is contained in the
Master File Table (MFT):
- Every file and directory has at least one entry in MFT
- Entries are 1KB in size
- The first 42 bytes are a header; the remaining bytes store attributes
- Attributes: small data structures with a specific purpose

5
Q

Where are the file contents stored in the NTFS?

A

Two cases:
1. Some small files can fit entirely within the MFT entry
2. Bigger files require allocation of extents
- Extents are contiguous clusters where file content is stored

6
Q

NTFS’s data structures are stored in (special) files!

A

NTFS stores metadata across several metadata files
- The MFT itself is a file system metadata file
- The first 16 MFT entries are reserved for these files
- Names of metadata files begin with $ and uppercase letters

7
Q

Does TSK (The Sleuth Kit) also support NTFS?

A

Yes!

8
Q

Steps in the file creation example.

A
  1. Find an unallocated MFT entry for the new file (304)
  2. Initialize MFT entry 304 with basic attributes
  3. Allocate two clusters in the $Bitmap file (692, 693)
  4. To add a file name, first look up the root directory
  5. Then, locate the dir1 index in the directory's B-tree
  6. Follow the entry address 200, and add an index entry for file1.txt
  7. In the previous steps, add entries to the journal
9
Q

Steps in the file deletion example.

A
  1. Find the dir1 directory by processing MFT entry 5,
    the root directory
  2. Search for the file1.dat entry, whose address is 304
  3. Remove the entry from the index of dir1
  4. Unallocate MFT entry 304 by clearing the in-use flag
  5. Unallocate the clusters of entry 304 in the $Bitmap file
  6. In the previous steps, add entries to the journal
10
Q

$DATA and Alternate data streams.

A

In NTFS, every file has a $DATA attribute, which contains
the file content
- A file can have more than one $DATA attribute
- Additional $DATA attributes are called Alternate Data Streams (ADS)
- The default $DATA attribute has no name; additional
$DATA attributes must have one
E.g., normal.txt (default $DATA attribute)
E.g., normal.txt:my_ads_data.txt ($DATA attribute of an ADS)

11
Q

What are ADSes great for?

A

ADSes: great for hiding "files" inside "files"!
When you access a file using its default name, you access the
file's default $DATA attribute.
But you can create multiple $DATA attributes in a single file.

Examples:
- Create an ADS stream to hide a text file inside normal.txt:
type hidden.txt > normal.txt:hidden.txt

- Show the content of the ADS stream:
notepad normal.txt:hidden.txt

12
Q

Detection of Alternate Data Streams.

A
  • Windows 7: dir /r
  • Other: special tools like LADS.
  • Using TSK (e.g., fls).
13
Q

For temporal analysis, we usually resort to timestamps. True or false?

A

True.

14
Q

Computer timekeeping (5 ways).

A

Real Time Clock (RTC)
- Battery powered; keeps time while computer is shut down
- Used as basis for determining time when computer boots
System clock
- SW clock set from the RTC at boot plus HW timer as oscillator
Network Time Protocol (NTP)
- Protocol for reliable synchronization of computer clocks
Network Identity and Time Zone (NITZ)
- Method to obtain time info from GSM network
Global Positioning System (GPS)
- Device sets its clock based on signals received from GPS system

15
Q

What is MACtimes?

A

MACtimes: three time attributes attached to any file or
directory in UNIX, Windows, and other systems:

  • atime: last time the file or directory was accessed
  • mtime: changes when a file's contents are modified
  • ctime: keeps track of when the contents or the metadata of the
    file have changed: owner, group, file permissions, etc.

Sometimes this information is enriched with creation time.

M = Modified
A = Accessed
C = Changed
B = Created (Birthed)

16
Q

How reliable are timestamps? Timekeeping accuracy.

A
  • System clock implementation
  • Clock configuration
  • Tampering
  • Synchronization protocol
  • Misinterpretation of timestamps
  • Bugs in software
17
Q

What is clock skew?

A

The amount of time (often in seconds or milliseconds) by
which a clock deviates from the 'real' time.

18
Q

What are Unnormalized timestamps?

A

Timestamps recorded in different time zones that have not yet been translated to a common reference.

19
Q

How to detect clock skew?

A

Compare with the time of an NTP-synced computer
- When the device is still operational
Compare with external timestamps
- Generated outside the investigated device (e.g., call logs)

20
Q

Normalization of timestamps.

A

If timestamps come from different time zones, translate them to a common time zone, e.g., UTC.

21
Q

Are timestamps meant to be manipulated by the end user?

A

No, most are generated by OS (e.g., FS updates) and applications (e.g., email).

22
Q

What is timestomping?

A

Timestomping: a technique that modifies the timestamps of a file (the modify, access, create, and change times):
- Typically performed using software tools (timestompers) that alter FS timestamps.

This is done by an adversary so that file accesses or modifications do not appear conspicuous to forensic investigators or file analysis tools.

23
Q

How to determine if timestompers have been used for anti-forensic purposes?

A
  • After the timestamp manipulation, the updated creation timestamp has lost its resolution beyond seconds. This relies on a limitation of the tools used to modify the timestamp: the resolution stops at the second level and everything below it (all the way
    down to the last 100 ns) is set to zero.
  • Inconsistencies with other timing sources
    E.g., the Windows Event Log, if file creation/modification is audited
24
Q

In NTFS, timestamps are stored as …-byte file time values

A

8-byte.

They represent the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. on January 1, 1601.
- Consequently, NTFS timestamps have 100-nanosecond precision

25
Q

What is digital stratigraphy?

A

Digital stratigraphy is a new sub-field emerging in digital forensics that studies file system traces and writing patterns to infer time-related facts.

1. Based on how data was overwritten
The insight is based on knowledge of how the OS reallocates blocks of formerly deleted files and the effect of slack space:
- Once deleted, these files form an underlying layer of time-related data upon which newer files are saved
- So, even if we have no timestamp information about B but we do have it about A, we can still say that B is likely more recent than A
- This principle can be applied more broadly, e.g., to layers preserved after disk formatting:
  - A computer running Linux was found with numerous Windows files in unallocated space that contain hardware-specific information (e.g., NIC address) -> likely, the computer was running Windows before

2. Based on data positioning
The OS will typically try to find contiguous blocks, but fragmentation can still occur. The insight is based on knowledge of how the OS allocates blocks to files and the effect of fragmentation:
- Two pieces of a file are located in blocks on either side of a large, contiguous file
- Likely, the contiguous file is older
- So, even if we have no timestamp information about either file, we may infer that B is likely more recent than A (because B was split and A lies in the middle)

Important note: these techniques are not infallible, because other effects might be taking place
- Thus, it is always important to look for other potential sources for supporting or dispelling these hypotheses
26
Q

Does NTFS provide the capability for attribute contents to be encrypted?

A

Yes. In theory, any attribute could be encrypted, but Windows allows only $DATA attributes to be encrypted.
- When an attribute is encrypted, only the content is encrypted; the attribute header is not
- A $LOGGED_UTILITY_STREAM attribute is created for the file; it contains the (encrypted) keys needed to decrypt the data