MFT

Common MFT Records

MFT Entry Structure

DFIR-01 : $MFT | Cyb3rSn0rlaxwww.unh4ck.com

NTFS Timestamps | Forensicistwww.kazamiya.net

Difference between $SI and $FN

MFT Artifact | Forensicistwww.kazamiya.net

Parsing:

#Parse $MFT and output body
MFTECmd.exe -f "E:\C\$MFT" --body "G:\timeline" --bodyf baserd01-mftecmd.body --blf --bdl C:

#Mactime it for MCAB timestamp editing
mactime -z UTC -y -d -b /mnt/g//timeline/baserd01-mftecmd.body 2018-08-23..2018-09-07 > /mnt/
g/timeline/baserd01-timeline.csv

#Grep out common timeline noise to filter output.
grep -v -i -f /mnt/g/precooked/timeline/timeline_noise.txt baserd01-timeline.csv > baserd01-final.csv

Considerations:

• How long does this artifact last?

How NTFS Works: Local File SystemsMicrosoftLearn

NTFS File Record Attributes

Investigating:

Recent/LNKs:

Creation of LNKs in recents indicates user GUI interaction. Look for birth timestamps for possible initial execution and modify timestamps for re-run.

Prefetch Birth/Modification

• Prefetch birth indicates initial execution

• Prefetch modification indicates multiple executions.

Can be used to show lots of sneaky execution. In this case, rdpclip was modified - indicating possible RDP activity on the host.

Rdpclip

Psexec Execution

Psexec modifies the $DATA and $INDEX of the file every time it runs. Looking for modification timestamps of psexec in $MFT could indicate re-running the executable.

User Logon

Look for initial user folder creation for indicators of an interactive logon.

Alternatively could be the result of the user's first network logon with the following:

• Psexec without specifying "-e" = Does not load the specified account’s profile.

• PS remoting session without "-NoMachineProfile"

Anti-Forensics:

• Timestomping

Defence Evasion Technique: Timestomping Detection – NTFS Forensicswww.inversecos.com