Pretty specific! This is what a natural file timestamp looks like. If you have a Windows command prompt handy, that’s Monday, Ap9:27:43 PM - to be specific, it’s 9:27:42 PM and 0.7452045 minutes, but it was rounded up. We saw above that NTFS timestamps are 64-bit values. An analyst can spot this kind of forgery by checking the nanosecond portion of the timestamp - it’s unlikely to be all zeros, unless it has been tampered with. These utilities have a lower precision for time values than the operating system would naturally use. Would you trust a file whose MFT entry’s modified time predates its creation time? Me neither: SELECT filename, path from ntfs_file_data where device=”\\.\PhysicalDrive0” and partition=2 and path=”/Users/Garret/Downloads” and fn_btime > ctime OR btime > ctime Example 2: Timestamp Missing Full PrecisionĪttackers can be lazy sometimes and timestomp a file with a built-in system utility. Perhaps the file-creation times are left alone, and thus match, but the last modified time was set to some earlier time to avoid detection. We can also look for other forms of timestamp inconsistency. To use osquery to find files in a directory whose timestamps don’t match, for example, I’d run the following: SELECT path,fn_btime,btime from ntfs_file_data where device=”\\.\PhysicalDrive0” and partition=3 and directory=”/Users/mmyers/Desktop/test_dir” and fn_btime != btime Done poorly, the $FN creation timestamp and $SI creation timestamp won’t match. The simplest example of a timestamp attack is to change the file-creation date to a time prior to incursion. Finally, directory entries in the MFT have an index attribute that stores a copy of the $FN attribute (including timestamps) for all files in that directory. The timestamps in the $FN attribute roughly correlate to interactions with the location and name of the file. The timestamps in the $SI attribute roughly correlate to interactions with the contents of the file. Standard files also have a $FILE_NAME ($FN) attribute that contains its own set of timestamps. One attribute – $STANDARD_INFORMATION ($SI) – stores a collection of timestamps. Every entry in the MFT contains a number of attributes that store metadata describing the file. The core element of NTFS is the Master File Table (MFT), which stores an entry for every single file on the system. To explain, we’ll have to explore some of NTFS’s structure. When it comes to covering up evidence in timestamps, NTFS is a little more complicated than other filesystems. “ Timestomping” is the common name for the anti-forensics tactic of destroying filesystem timestamp evidence of the attacker’s file modifications. They’re a common focus for both the attacker and the forensic analyst. File timestamps, if left unmodified, provide a great deal of information about the attacker’s timeline and behavior. Attackers who want to remain undetected for as long as possible need to clean up these traces. Identifying “Timestomping” AttacksĮvery interaction with a filesystem leaves a trace. Today, we’ll demonstrate some familiar real-world use-cases for forensic analysts interested in leveraging osquery in their incident response efforts. Previously, we announced and briefly introduced the features of the new NTFS forensics extension that we added to our osquery-extensions repository. We continued our collaboration with Crypsis, a security consulting company, to show some immediate scenarios where osquery comes in handy for forensic analysts. While osquery core is great for querying various system-level data remotely, forensics extensions will give it the ability to inspect to deeper-level data structures and metadata not even available to a user at a local system. Now another audience is discovering osquery: forensic analysts. Security threat hunters use it to find indicators of compromise on their systems. System administrators use osquery for endpoint telemetry and daily monitoring.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |