MACB Timestamps and $I30 in NTFS File Systems

MACB Timestamps and $I30 (NTFS)


ForensicsWiki - useful for basic information on everything


M = Modification
A = Access
C = MFT record change (metadata change)
B = Birth (creation of the file)


Note: NTFS is one of the few file systems that records the birth time (when the file was created).
These timestamps are stored in the $MFT.


$SI – Standard Information
$FN – Filename


Both attributes hold a full set of MACB timestamps, and both are found within the file's MFT record.
$FN is only modifiable by the Windows kernel, so its timestamps can be compared against those in $SI.
Anti-forensic tools such as Timestomp will therefore affect the Standard Information timestamps, not the Filename timestamps.


Windows 10 demo VM (courtesy of 13cubed)
A file is created at 1:40 am; its M, A and B are all the same: 1:40 am.
When it is changed and saved at 1:41 am, the modification time changes but nothing else does.


Referring to the table above, this is because:


However, we did access it, so why did the access time not change?
This is because of a registry key.


This means that last-access timestamps are not tracked by default; the access time is only updated under certain circumstances.


If we were to copy this file at 1:43 am, both the access and birth times would change, but not the modification time.


Note: in a forensic investigation, if we see a file whose modification time is earlier than its creation time, we know
that the file has been copied.


Example: Jane has been under investigation for copying sensitive information to her laptop, which uses the
NTFS file system. Her recent documents contain a few files with random names; their access date is
five minutes ago, yet their modification date matches that of the files in question.


Timestomp


In Prefetch, look for timestomp; we can see its access and creation times.

Note: the modification time is after the creation and access times; this tells us the program has been run at least twice, which
is enough to argue against it being an accident.


Remember: timestomp affects $SI but not $FN.
From the command line, it can set the MACB times to whatever you want.
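
The two indicators above (modification earlier than birth after a copy, and $SI disagreeing with the kernel-maintained $FN after timestomping) can be checked mechanically. The following is an added example, not code from the notes or from any tool mentioned here; the MACB values are constructed to follow the 1:40 / 1:41 / 1:43 walk-through, and the FILETIME decoder is included because raw $MFT values are 100 ns ticks since 1601 in UTC (time zones are applied only when reporting).

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks: int) -> datetime:
    """Decode a raw 64-bit NTFS FILETIME into a timezone-aware UTC datetime.
    Convert to local time only when reporting, never before comparing."""
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def check_macb(si: dict, fn: dict) -> list:
    """Compare the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) MACB sets
    of one MFT record. Each dict maps 'M', 'A', 'C', 'B' to UTC datetimes.
    Returns a list of findings; an empty list means nothing looked unusual."""
    findings = []
    # A copied file keeps the source's modification time but gets a fresh
    # birth time, so $SI M ends up earlier than $SI B.
    if si["M"] < si["B"]:
        findings.append("$SI modified before born: consistent with a copied file")
    # Timestomp-style tools rewrite $SI only; $FN is maintained by the kernel.
    # A $SI birth earlier than the $FN birth does not occur naturally.
    if si["B"] < fn["B"]:
        findings.append("$SI birth earlier than $FN birth: possible timestomping")
    return findings


def demo() -> dict:
    """Constructed sample records following the 1:40 / 1:41 / 1:43 walk-through."""
    def t(h, m, year=2023):
        return datetime(year, 1, 1, h, m, tzinfo=timezone.utc)

    # Original file: born 1:40, edited 1:41 (access not updated by default).
    orig_si = {"M": t(1, 41), "A": t(1, 40), "C": t(1, 41), "B": t(1, 40)}
    orig_fn = {"M": t(1, 40), "A": t(1, 40), "C": t(1, 40), "B": t(1, 40)}
    # Copy made at 1:43: A, C and B move to 1:43, M stays at 1:41.
    copy_si = {"M": t(1, 41), "A": t(1, 43), "C": t(1, 43), "B": t(1, 43)}
    copy_fn = {"M": t(1, 43), "A": t(1, 43), "C": t(1, 43), "B": t(1, 43)}
    # Timestomped copy: all four $SI values pushed back to 2010, $FN untouched.
    stomped_si = {k: t(1, 43, year=2010) for k in "MACB"}
    return {
        "original": check_macb(orig_si, orig_fn),
        "copy": check_macb(copy_si, copy_fn),
        "stomped": check_macb(stomped_si, copy_fn),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["nothing unusual"])
```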


Analyse MFT -
will fully parse the MFT and present it in multiple formats.
This will be covered more next week.
But it should end up looking as such:


Note: time zones must be taken into account.
Looking at the bottom of the output, it is very clear that timestomping has occurred.


Index Attribute - $I30


Critical to understand: $I30 is the index of the files in a directory, and it contains the MACB timestamps of each of them.
These are a duplicate of the $FN timestamps.


Any given $I30 index entry includes:
Full file name
Parent directory
MACB timestamps (duplicate of $FN)
Size (physical and logical)

Note: evidence of deleted or overwritten files may be present in the slack space of the $I30 attribute.


How to get these?
INDXParse


But before that: how do we find an index record if we just have hex in front of us?
49 4E 44 58
These four bytes (ASCII "INDX") mark the start of an index record.


Situation
We have an $I30 file that we want to explore a bit further.
We save the file and then use a program called INDXParse.py, which can scan the slack space for
$I30 entries belonging to deleted files.


A successful result will look like this:


So we can now see even more information about the file.


A tutorial with examples will be available on both the MFTanalyzer and INDXParse next week.

