Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Windows 7 MFT Entry Timestamp Properties

I have been doing some research on and off for the past week or so on what updates an MFT Entries time value properties in $STDINFO and $FILENAME.

 

Rob has over a decade of experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute and lead author for FOR408 Computer Forensic Essentials and FOR508 Computer Forensics Investigations and Incident Response.

6 Comments

Posted April 13, 2010 at 8:29 AM | Permalink | Reply

Bradley Schatz

Rob,
You might want to check out the following paper's methodology and results [1]. That and add cut and paste as an alternative volume move option. We defintely need a more thorough summary of the affects of user activity on timestamps. Well done pushing the cart forward.

Bradley

[1] http://forensic.or.kr/category/Paper

Posted April 13, 2010 at 10:54 AM | Permalink | Reply

Anders Thulin

Since the chart does not seem to mention it, am I right in assuming that these finding apply to files, directories, and other file system entry types equally?

Posted April 29, 2010 at 9:20 PM | Permalink | Reply

Matas Bevilacqua

Hi Rob, you want to add to you study one special case where a file with the same name already exists on the destination. That one's wierd as you'll see.
Good job.

Posted May 01, 2010 at 9:13 AM | Permalink | Reply

A. Thulin

... and as I revisit, it strikes me that although the test results are of some value (though additional documentation is needed), theree is also considerable value in the actual test protocol: exactly how were the operatons implemented? File system browser, command line, script method, API call, etc.

This would ensure that a similar test could be performed on a different NTFS implementation, and still remain be to compare with previous tests conducted under the same protocol.

Posted July 22, 2010 at 6:36 PM | Permalink | Reply

Greg Freemyer

If you're still pursuing this, a couple more scenarios I wonder about are: defrag, and xattr updates.

My belief is defrag updates the MFT modified date of files that are relocated. I have no idea what timestamps are updated by extended attribute updates.

I also assume ADS files (alternate data streams) have their own set of timestamps, so those on the main file are not impacted by activity on the ADS files.

Posted November 21, 2012 at 3:26 PM | Permalink | Reply

John McCash

Greg - Actually, there are no additional timestamps for ADS. Alternate Data Streams are implemented as additional 'named' data attributes. They don't have their own associated filename attributes, but the name by which the ADS is known is tacked on as small header at the beginning of the stream's data.
John

Post a Comment






* Indicates a required field.