Windows MACB Timestamps (NTFS Forensics)

As a continuation of the "Introduction to Windows Forensics" series, this video introduces the concept of MACB (modification, access, MFT record change, birth/creation) timestamps associated with files on NTFS volumes. We will first cover the basics of MACB timestamps and the differences between the $STANDARD_INFORMATION and $FILE_NAME attributes; secondly, we will look at normal timestamp behavior on a Windows 10 system when creating, modifying, copying, and accessing files; next, we will use an anti-forensics tool known as “Timestomp” to modify a file’s MACB (MACE) timestamps; then we’ll use a tool called analyzeMFT to find evidence of timestomping; lastly, we’ll take a look at something interesting I recently discovered with regards to how these timestamps work when using the new Bash on Windows (Windows Subsystem for Linux) feature.
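The two timestomping indicators the video builds towards (whole-second $STANDARD_INFORMATION values, and an $SI creation time earlier than the $FILE_NAME creation time) can be checked mechanically once an MFT parser has produced the raw FILETIME values. The following is an added example, not code from the video, from analyzeMFT or from Timestomp; the record layout (a dictionary with `si` and `fn` MACB entries holding 100-ns FILETIME integers) is an assumption of this example, and both records are constructed sample data.

```python
"""Added example: flag $STANDARD_INFORMATION timestamps that look timestomped by
comparing them with the $FILE_NAME timestamps of the same MFT record.

Indicators checked (both discussed in the video):
  * Timestomp writes whole-second values, so the 100-ns fraction of a stomped
    $SI timestamp is zero, whereas Windows itself records 100-ns precision.
  * $FILE_NAME timestamps are written by the kernel and are not reachable via
    the SetFileTime API, so a $SI creation time earlier than the $FN creation
    time is suspicious.
Record layout is assumed for this example; values are raw FILETIME integers
(100-ns ticks since 1601-01-01 UTC), the form an MFT parser usually emits.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100-nanosecond intervals
MACB = ("M", "A", "C", "B")            # modified, accessed, MFT-changed, born


def to_filetime(dt: datetime, ticks: int = 0) -> int:
    """Build a FILETIME from a whole-second UTC datetime plus 0..9_999_999 ticks."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + ticks


def from_filetime(ft: int) -> datetime:
    """Convert a FILETIME back to a UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def _fmt(ft: int) -> str:
    return from_filetime(ft).strftime("%Y-%m-%d %H:%M:%S")


def find_timestomp_indicators(record: dict) -> list:
    """Return human-readable indicators for one parsed MFT record.

    record = {"name": str, "si": {M,A,C,B: FILETIME}, "fn": {M,A,C,B: FILETIME}}
    """
    si, fn = record["si"], record["fn"]
    findings = []

    # Indicator 1: whole-second $SI values. Files written by Windows almost
    # always carry a non-zero 100-ns fraction; files extracted from FAT or ZIP
    # sources are a known benign cause, so treat a hit as a lead, not proof.
    for key in MACB:
        if si[key] % TICKS_PER_SECOND == 0:
            findings.append(f"$SI {key} {_fmt(si[key])} has a zero sub-second component")

    # Indicator 2: $SI creation earlier than $FN creation. $FN is set by the
    # kernel when the record is created, renamed or moved; user-mode tools can
    # backdate $SI freely but cannot push $FN back.
    if si["B"] < fn["B"]:
        findings.append(f"$SI creation {_fmt(si['B'])} predates $FN creation {_fmt(fn['B'])}")
    return findings


# --- constructed sample records (not real evidence) --------------------------
CREATED = datetime(2021, 3, 4, 10, 15, 22, tzinfo=timezone.utc)
_real = to_filetime(CREATED, 1_234_567)                       # genuine 100-ns fraction
_later = to_filetime(CREATED + timedelta(minutes=5), 8_765_432)

BENIGN_RECORD = {
    "name": "report.docx",
    "si": {"M": _later, "A": _later, "C": _later, "B": _real},
    "fn": {"M": _real, "A": _real, "C": _real, "B": _real},
}

# The same record after Timestomp set every $SI value to 2009-01-01 00:00:00.
_stomped = to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))
STOMPED_RECORD = {
    "name": "report.docx",
    "si": {"M": _stomped, "A": _stomped, "C": _stomped, "B": _stomped},
    "fn": {"M": _real, "A": _real, "C": _real, "B": _real},
}

if __name__ == "__main__":
    for rec in (BENIGN_RECORD, STOMPED_RECORD):
        hits = find_timestomp_indicators(rec)
        print(rec["name"], "->", hits or "no indicators")
```

Run over a whole parsed $MFT, the zero-fraction check is the cheap first pass and the $SI/$FN creation comparison is the one that survives a tool that copies $FN values into $SI, since $FN cannot be rewritten from user mode.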

Introduction to Windows Forensics:

MAC Times:

I’m Your MAC(b) Daddy:

Timestomp:

analyzeMFT:

Digital Forensics: Detecting Time Stamp Manipulation:

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Comments

I really appreciate how well you explain the content to the least common denominator (me).

brentbott

I passed my GCFA yesterday due to this video and your others! Tough test, but your content really helped. Just became a patron - thanks for what you do!

vero

This is really a very informative video. All you need to know about the title and the new discovery. Thank you for the efforts in putting it all together.

beb

I've begun watching your videos recently and they're extremely useful! Thanks a lot

travelmore

You can use the Linux "stat" command to see file attributes; it will show birth time for some filesystems as well (%w format string).

berndeckenfels

Thank you so much! I am working on my GCFE and these videos are helping me a lot. 🙏

packy

Thank you so much for the explanation :)

krithikaramakrishnan

Great job on the content. This helped reinforce some of the learning material from SANS 508. Keep up the great videos!

anthonyc

Great job, awesome content, perfect flow. You never let the audience sleep. Keep it up. I will wait for more new videos.

PradeepSharma-ytik

You are a great teacher!

Regarding the copy on bash, I'd assume that it's not calling the native OS function to copy, but rather it is scripted internally, so it creates a new file, possibly forgetting to set the timestamps later (as it is in beta).
Now things may have changed, but I don't know really, as I don't use bash.

RandomNullpointer

I have Win 10 22H2 and it appears that when I modify a file, the Accessed time is also changing. Wondering if the default changed in the recent versions.

dewy

Great Video sir! Thanks for sharing :-)

Mack

Hello @13Cubled, I have tried to change a file's content and I observed that the modification and access timestamps are changed. As per your video, the access timestamp is not changed. My drive type is NTFS as well.

MrSanjay

It's likely that the bash program copies quite literally by redirecting the output of the file into a new file. So it creates a file, and then copies all the data into it.

TheSkepticSkwerl

Date Accessed has been updated. I tried this in Windows 10 and it updated along with the modification date.

stagesnake

Would be interesting if you will make a video about Steganography and Cryptography.

PavloDeneka_

It would also be great to do a SANS SIFT video.

modogg

The timestomp tool isn't out there anymore?

miss_tech

NTFS says that $Filename attribute timestamps will be changed if file renaming happens. But according to the SANS table of timestamp rules (file rename column) there is no modification of any $FN timestamps; why is it so?

kasperkasper

Thanks, it was a good video.

Just a thought, maybe adding '-p' to the bash cp command will preserve the timestamps. This is how it works on Linux.

kazdaman