Saturday, January 22, 2011

Fun and games with Windows FILETIME and how to efficiently detect timestamp alterations

A student recently asked me some fairly specific questions on how to manually calculate the FILETIME value for a specific date. For the purposes of learning, we went through the manual process of taking a specific date and then calculating the equivalent FILETIME value, not something I recommend.

During the long manual calculation, it reminded me how precise the FILETIME timestamp value used on NTFS volumes is. Let's review what the FILETIME value on NTFS consists of. The FILETIME value represents the number of 100-nanosecond intervals that have transpired since January 01, 1601 at 00:00:00 GMT. To put this into perspective, there are 10,000,000 100-nanosecond intervals in one second. If a person creates a file on January 01, 1601 at 00:00:01 hrs, then the value stored on disk will be 0x989680 (10,000,000 decimal). That is extremely precise, and I think most of us are aware of this precision but forget about it, since we never see a timestamp displayed with that amount of precision in our tool of choice.

During my discussion with the student and manually converting the dates on paper, it struck me that there really isn't a forensic tool that shows the fraction-of-a-second part of the time value. I then suddenly realized that there also isn't a hacker tool that lets the user specify a fraction of a second when modifying a file's timestamp. All the tools I have seen in the past (filetime.exe, timestomp.exe, etc.) only allow the user to specify a time down to a one-second granularity.

What does all this geek speak mean? Well, if a time manipulation tool was used, then the precise FILETIME value that is stored has to be divisible by 10,000,000 (one second), since the tool never stores a time value that includes a fraction of a second.

This past week I finally got around to writing an EnScript to manually parse the MFT, since I cannot use the values EnCase shows: they only display a 1-second granularity. Once I was done, I modified a file using a common timestamp manipulation tool and then ran the EnScript against an evidence file with over 100,000 files.

The result? Over 25,000 files had at least one timestamp whose value was precise only to the second, with no fraction, as I expected. After a little thinking, I realized that a file that was once on a FAT partition and then copied to an NTFS partition would not have the precise timestamp normally used by NTFS, since FAT is not that precise. After a quick test, taking a file and copying it from a FAT32 partition to an NTFS partition, I confirmed that the date fields that are passed to the new volume were in fact accurate only to the second. But I also saw that some of the other timestamps, like the created date/time, used the exact time the file was created on the NTFS volume when the file was copied, and that they used the typical precise FILETIME timestamp.

After a little modification of the EnScript to look at and compare multiple timestamp values, and a quick run against the same 100,000-file evidence file, four files were quickly isolated as being modified. One was the file I modified, and the three others appeared to be part of a specific application that had been installed, with no relation to the file I modified. After manually looking at the MFT records for those other three files, I cannot explain why those specific files have only a one-second resolution timestamp, but there must have been some type of copy process used that lost the precision that is typically used.
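As an added example, not code from this post or from the author's EnScript, the Python below does the three things the post walks through: converts a calendar date to a FILETIME, renders the full 100-nanosecond fraction that most GUI tools drop, and flags MFT records whose timestamps are exact whole seconds. The four-FILETIME layout at the start of the $STANDARD_INFORMATION attribute body (created, modified, MFT modified, accessed) is the standard NTFS layout; the sample records, the file names and the three-way classification (precise / all whole-second / mixed) are my own constructions. As the post notes, whole-second values also come from files copied off FAT, so a hit is a lead for manual review of the MFT record, not proof of tampering.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # 100-nanosecond intervals in one second


def datetime_to_filetime(dt):
    """Number of 100-ns intervals since 1601-01-01 00:00:00 UTC.
    A naive datetime is taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - EPOCH_1601
    # timedelta carries microseconds; one microsecond is ten 100-ns ticks
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_string(ft):
    """Render a FILETIME with all seven fractional digits instead of rounding to a second."""
    whole_seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    dt = EPOCH_1601 + timedelta(seconds=whole_seconds)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + ".%07d" % ticks


def is_whole_second(ft):
    """True when the value carries no sub-second part, i.e. it is divisible by 10,000,000."""
    return ft % TICKS_PER_SECOND == 0


def parse_standard_information(body):
    """First 32 bytes of an NTFS $STANDARD_INFORMATION attribute body:
    four little-endian FILETIMEs in the order created, modified, MFT modified, accessed."""
    names = ("created", "modified", "mft_modified", "accessed")
    return dict(zip(names, struct.unpack_from("<4Q", body, 0)))


def classify_record(timestamps):
    """Assumed heuristic (mine, not the post's EnScript logic):
    'precise'           every timestamp has a sub-second part (normal NTFS behaviour)
    'all-whole-second'  every timestamp is an exact second (what a one-second-granularity
                        manipulation tool would leave behind)
    'mixed'             some fields are whole seconds while others are precise (e.g. a file
                        copied from FAT whose created time was set natively on NTFS)"""
    whole = [name for name, ft in timestamps.items() if is_whole_second(ft)]
    if not whole:
        return "precise"
    if len(whole) == len(timestamps):
        return "all-whole-second"
    return "mixed"


def scan(records):
    """Map each record name to its classification."""
    return {name: classify_record(parse_standard_information(body)) for name, body in records.items()}


# Constructed sample attribute bodies; none of these come from real evidence.
BASE = datetime_to_filetime(datetime(2011, 1, 22, 14, 30, 5, tzinfo=timezone.utc))  # exact second
DAY = 86400 * TICKS_PER_SECOND
SAMPLE_RECORDS = {
    "native.txt": struct.pack("<4Q", BASE + 1234567, BASE + 20987654, BASE + 20987654, BASE + 3000000),
    "stomped.exe": struct.pack("<4Q", BASE, BASE, BASE, BASE),
    "from_fat.doc": struct.pack("<4Q", BASE + 4444444, BASE - DAY, BASE - DAY, BASE - DAY),
}

if __name__ == "__main__":
    for name, body in SAMPLE_RECORDS.items():
        ts = parse_standard_information(body)
        print(name, classify_record(ts))
        for field, ft in ts.items():
            print("   %-13s %s  (0x%016X)" % (field, filetime_to_string(ft), ft))
```

Run against real data, the `body` argument would be the resident content of each record's $STANDARD_INFORMATION attribute; the same check can be run over the four FILETIMEs in $FILE_NAME to compare the two attributes side by side, which is the kind of multi-timestamp comparison the post's modified EnScript performs.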

The point of this blog post is to point out that an examiner should be familiar with how time values are stored on NTFS volumes AND, whenever there is any suspicion of tampering, needs to examine these dates manually, since many of the common forensic tools do not display the dates with any precision beyond one second.

Simple Forensic Puzzle #1

I recently had a need to make some simple forensic images for use with students. I decided to make one with some simple "anomalies" in hopes the students would pick up on them. So I figured I would share them and let others take a look to help refresh some foundational examination techniques.

The image linked below is fairly simple. A few files, not much more. But there are a few "anomalies" that should be detected and noted.

Download .E01 image here

Thursday, January 20, 2011

EnScript to parse LNK files into Excel - sortable on timestamps

The EnCase "Case Processor" EnScript includes a Link File Parser module that works fine, but it does not produce a very efficient report. For example, if you want to quickly see all the LNK files that refer to objects on removable media, you have to read through all the entries to find the ones that may point to a removable device. Also, there is no way to sort the data by the timestamps contained in the LNK file to build a timeline.

I wrote this EnScript several months ago for a specific need I had back then, but never had a chance to post it.

This EnScript requires that Microsoft Excel be installed, and it will parse all the LNK files in the case (no need to select any). The data will be sent to Excel and a spreadsheet will automatically open, displaying the data. You can then easily sort on any field and quickly see the properties of each Link file.

Download Here

Wednesday, January 5, 2011

2010 Pageview summary

It only goes back to May 2010, but there are some interesting stats.


(you gotta love flipboard :)

Customized EnCase EnScript Programming course, Feb 07-10, 2011, Veenendaal, Netherlands

Happy New Year!

I will be conducting a customized EnCase EnScript training course February 07 to February 10, 2011 in Veenendaal, Netherlands.

This course will present a customized curriculum that was specifically written for investigators with no programming experience. We will spend most of the time discussing the commonly needed/used functions to edit, customize and write your own EnScripts to do the most common actions, e.g. finding files that match certain criteria, bookmarking, exporting, generating reports, database access, etc.

Students are encouraged to bring their own EnScript ideas to work on as projects in a mentoring type environment. They are also welcome to bring any current EnScripts they want to edit or modify to fit their specific needs.

If you are in that area or are looking to take a nice vacation coupled with a great training class, you can get more information here:

There is one on the Dutch section:

And one on the English section:

DataExpert B.V.
Vendelier 65
3905 PD Veenendaal
The Netherlands

Hope to see you there!

Computer Forensics, Malware Analysis & Digital Investigations
