SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Windows 7 MFT Entry Timestamp Properties

Windows 7 MFT Entry Times

I have been doing some research on and off for the past week or so on what updates an MFT Entries time value properties in $STDINFO and $FILENAME. I am hoping for someone to provide me feedback if you get similar results. Also, what are the results for XP and VISTA. Both should be checked.

To get started, here is my breakdown of what I have observed. I wouldn't go use this in official reports yet, but this is a first stab at generating discussion and sharing on what you see on your systems. Please email me at rlee at if you find anything to update as a result of this graph. Id like to create a separate one for XP and VISTA too.

Understanding *NIX File Linking (ln)

The "ln" command is an important tool in any Unix admin's arsenal and attackers use it too, so it is essential that forensics analysts understand it. It is used to either:

  1. Create a link to a target file with a selected name.
  2. Create a link to a target file in the current directory.
  3. Create links to each target in a directory.

The "ln" command will by default produce hard links. Symbolic links are created with the "-symbolic" option set (or "-s"). In order to create a hard link; the target file has to exist. The primary formats of the commands are:

  • ln [OPTION]... [-T]
  • ln [OPTION]...
  • ln [OPTION]... -t

Some malicious uses of ln are in hiding files, though perhaps not very well, and creating subterfuge by wrapping legitimate programs. The "ln" command need not

... Continue reading Understanding *NIX File Linking (ln)

Digital Forensics Case Leads: The SIFT Workstation 2.0 Edition

Rob Lee recently brought us version 2.0 of the SANS Investigative Forensics Toolkit (SIFT), Into the Boxes Issue 0x1 was released, along with some interesting new tools by Harlan Carvey, and the New Jersey Supreme Court makes a ruling that could have significant impact on employer policies and employee expectations of privacy. Those in or near the Toronto area should also check out SANS Computer Forensic Essentials taught by SANS Computer Forensics blog contributor Chad Tilbury. There's a lot of good stuff linked below, so explore and enjoy. And, as always, thanks to all who make such excellent information and tools available to the community.



OpenSaveMRU and LastVisitedMRU

Talking with a colleague the other day reminded me of just how nuanced many of the forensic artifacts are that we rely upon. Nowhere is this more true than in the Windows Registry. With no specification and even Microsoft products not following any data storage methodology, it is about as haphazard and irregular as they come. As an example, let's look at the OpenRunSaveMRU and LastVisitedMRU Registry keys. Both have been documented for years and are frequently cited in examinations. That being said, I would bet many examiners have not investigated the keys deeply enough to understand everything they are telling us. Here is a quick rundown on what we can glean from these keys.


In simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and

... Continue reading OpenSaveMRU and LastVisitedMRU

Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS or Massive Portable Forensic Storage provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst's workstation via firewire, USB, or eSATA. The unit is compatible with Logicube's Dossier imager and Logicube's second new device, the NETConnect which as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I've not had the opportunity to test either device but if Logicube or anyone else wants to send me a set, I will be

... Continue reading Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt