TaiwanHolyHigh - Windows Forensics - $MFT 基本實作

Posted on | Post modified | In |

TaiwanHolyHigh - Windows Forensics - $MFT 基本實作

以下引用若無特別說明皆來自於講師的上課簡報

Background

  • $MFT儲存的內容
    1. Status: SO=22, LE=2,也就是目前此檔案的狀態,分為以下四種
      • 0000: Delete File
      • 0100: File
      • 0200: Delete Folder
      • 0300: Folder
    2. $MFT Record(File Identify/Location): SO=44, LE=4,也就是此檔案在record在$MFT的位置在哪邊
    3. Timestamp
      • Standard Info: SO=80, LE=32(Creat+Modified+$MFT Modified+Access),很容易就可以更改,如果要更改,可以參考New Filetime這個工具
      • Filename: SO=184, LE=32(Creat+Modified+$MFT Modified+Access) 很難被更改(但還是可以更改)
    4. Resident / non-Resident File 下一篇詳細說明

以下三個練習都是Resident File

Lab - Offset 43110400(d)

  • $MFT長度一段就是1024 Bytes,我把結束的位址減掉開頭的位置就知道了,或是可以直接用HxD底下看長度(0x400) 
    1
    2
      >>> 0x291D400-0x291D000
  1024
  • 從上圖也可以看到magical word就是FILE046 49 4C 45 30

Overview(從上到下)

  • Staus: 01 00 → File
  • 04 00 00 00是固定的
  • $MFT Record: 74 A4先轉換endian然後變十進位,在乘以1024就會是目前此檔案的開頭位址 
    1
    2
    3
    4
      >>> mft_record = '74 A4'
  >>> mft_record = int("".join(mft_record.split(' ')[::-1]), 16)
  >>> hex(mft_record * 1024)
  '0x291d000'
  • 48 00 00 00 18 00 00 00是固定的

  • Standard Info Timestamp

    此部分可以用之前的script換算

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
      >>> import datetime
  >>> def ad_timestamp(timestamp):
  ...     if timestamp != 0:
  ...         return datetime.datetime(1601, 1, 1) + datetime.timedelta(seconds=timestamp/10000000)
  ...     return np.nan
  ...
  >>> create_time = '8D 6C AD E4 B5 BD CB 01'
  >>> create_time = int("".join(create_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(create_time)
  datetime.datetime(2011, 1, 27, 0, 5, 23, 349211)
  >>> modify_time = '00 DE 13 B1 09 92 C9 01'
  >>> modify_time = int("".join(modify_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(modify_time)
  datetime.datetime(2009, 2, 18, 20, 44, 28)
  >>> mft_modify = 'E7 CE AF E4 B5 BD CB 01'
  >>> mft_modify = int("".join(mft_modify.split(' ')[::-1]), 16)
  >>> ad_timestamp(mft_modify)
  datetime.datetime(2011, 1, 27, 0, 5, 23, 364836)
  >>> access_time = '00 DE 13 B1 09 92 C9 01'
  >>> access_time = int("".join(access_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(access_time)
  datetime.datetime(2009, 2, 18, 20, 44, 28)
    • Create: 2011, 1, 27, 0, 5, 23, 349211
    • Modify: 2009, 2, 18, 20, 44, 28
    • $MFT: 2011, 1, 27, 0, 5, 23, 364836
    • Access: 2009, 2, 18, 20, 44, 28
  • Filename Timestamp 
    1
    2
    3
    4
      >>> filename = '8D 6C AD E4 B5 BD CB 01'
  >>> filename = int("".join(filename.split(' ')[::-1]), 16)
  >>> ad_timestamp(filename)
  datetime.datetime(2011, 1, 27, 0, 5, 23, 349211)

    Filename Timestamp都是2011, 1, 27, 0, 5, 23, 349211,和前面的create time相同

Lab - Offset 43208704(d)

  • Staus: 01 00 → File
  • $MFT Record: D4 A4 
    1
    2
      >>> hex(int("".join('d4 a4'.split(' ')[::-1]), 16) * 1024)
  '0x2935000'
  • Standard Info Timestamp 
    1
    2
    3
    4
    5
    6
    7
    8
      >>> create_time = 'E3 8D 30 E5 B5 BD CB 01'
  >>> create_time = int("".join(create_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(create_time)
  datetime.datetime(2011, 1, 27, 0, 5, 24, 208586)
  >>> modify_time = '00 99 75 C2 57 7A C9 01'
  >>> modify_time = int("".join(modify_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(modify_time)
  datetime.datetime(2009, 1, 19, 17, 2, 50)

    Create Time = $MFT Modify Time = 2011, 1, 27, 0, 5, 24, 208586 Modify Time = Access Time = 2009, 1, 19, 17, 2, 50

  • Filename Timestamp

    Filename Time = Create Time = 2011, 1, 27, 0, 5, 24, 208586

Lab - Offset 53550080(d)

  • Staus: 01 00 → File
  • $MFT Record: 47 CC 
    1
    2
      >>> hex(int("".join('47 CC'.split(' ')[::-1]), 16) * 1024)
  '0x3311c00'

  • Standard Info Timestamp

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
      >>> create_time = '1D 3F 6E F8 B3 C0 CB 01'
  >>> create_time = int("".join(create_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(create_time)
  datetime.datetime(2011, 1, 30, 19, 29, 10, 984476)
  >>> modify_time = '00 6E A6 FC D2 E0 CA 01'
  >>> modify_time = int("".join(modify_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(modify_time)
  datetime.datetime(2010, 4, 20, 21, 46, 52)
  >>> mft_modify = '77 A1 70 F8 B3 C0 CB 01'
  >>> mft_modify = int("".join(mft_modify.split(' ')[::-1]), 16)
  >>> ad_timestamp(mft_modify)
  datetime.datetime(2011, 1, 30, 19, 29, 11, 101)
  >>> access_time = '1D 3F 6E F8 B3 C0 CB 01'
  >>> access_time = int("".join(access_time.split(' ')[::-1]), 16)
  >>> ad_timestamp(access_time)
  datetime.datetime(2011, 1, 30, 19, 29, 10, 984476)
    • Create Time = Access Time = 2011, 1, 30, 19, 29, 10, 984476
    • Modify Time = 2010, 4, 20, 21, 46, 52
    • $MFT Modify Time = 2011, 1, 30, 19, 29, 11, 101
  • Filename Timestamp
    • Create Time = $MFT Modify Time = Access Time = 2011, 1, 30, 19, 29, 10, 984476
    • Modify Time = 2010, 4, 20, 21, 46, 52