This document provides an overview of analyzing the Windows NTFS file system for digital forensics investigations. It discusses the Master File Table (MFT) structure, how it tracks file metadata including timestamps, and how to recover deleted files. Tools for examining the MFT such as Velociraptor and WinHex are presented. Other Windows artifacts covered include Prefetch files, event logs, scheduled tasks, and volume shadow copies. The document provides technical details on these elements to help explain how Windows tracks files and how this data can be used for investigations.

1. CNIT 152:
Incident
Response
64
12 Investigating Windows System
s
(Part 1) Updated 10-28-21

2. Ch 12 Part 1

3. Ch 12 Part 2
Ch 12 Part 3

4. NTFS and File System
Analysis

5. NTFS and FAT
• FAT was the old
fi
le system used by MS-DOS,
Windows 95, Windows 9
8
• NTFS was the replacement

6. Master File Table
(MFT)
• De
fi
nes how disk space is allocated and
utilize
d
• How
fi
les are created and delete
d
• How metadata is stored and updated

7. MFT Contents
• Primary source of metadata in NTF
S
• Contains or references everything about a
fi
l
e
• Timestamp
s
• Siz
e
• Attributes (such as permissions
)
• Parent director
y
• Contents

8. The Evidence
• Each NTFS volume has its own MF
T
• Stored in the volume root as a
fi
le named $MF
T
• You need raw disk access to acquire $MF
T
• It's not accessible through Windows Explorer
or standard API calls

9. $MFT in
Velociraptor

10. MFT Structure
• On a standard hard drive with 512-byte
sector
s
• A series of 1024-byte records or "entries
"
• One for each
fi
le and directory on a
volum
e
• First 16 entries are reserved for essential
NTFS artifact
s
• $MFT itself, $LogFile, and more

11. MFT in WinHex

12. MFT Entry Contents
• Record type (
fi
le or directory
)
• Record # (integer
)
• Parent record
#
• Active/Inactive
fl
a
g
• Deleted
fi
les are inactiv
e
• Attributes (metadata)

13. Attributes
• $STANDARD_INFORMATIO
N
• $FILE_NAM
E
• $DATA

14. MFT Records in Velociraptor
and Deleted File Recovery

15. Deleted Files
• Deleting a
fi
le causes its MFT record to be marked
"inactive
"
• Nothing else is changed, until this record is re-
use
d
• The
fi
le's contents and its metadata can be
recovere
d
• But NTFS will always re-use an existing MFT entry
before creating a new on
e
• So inactive entries only last for seconds or
minutes on the operating system volume

16. Timestamps
• MACE timestamp
s
• Modi
fi
ed, Accessed, Created, Entry Modi
fi
e
d
• An MFT entry will always have at least two
sets of attributes containing MACE
timestamp
s
• STANDARD_INFORMATION (also known as
$SIA or $SI
)
• FileName (also known as FNA, FILE_NAME,
or $FN)

17. •These are Standard
Information ($SI)
timestamp
s
•Create
d
•Accesse
d
•Modi
fi
e
d
•Entry Modi
fi
ed
timestamp not
visible in Windows
Explore
r
•Forensic tools like
SleuthKit, EnCase,
and FTK show it

18. MACE Timestamps

19. Accessed Timestamp
• Versions of Windows after Windows XP no
longer update the Accessed timestamp by
defaul
t
• It can be enabled with a registry change, but
even when it's enabled, NTFS may delay
updates by up to an hou
r
• Link Ch 12a

20. $FN Timestamps
• Refer to the MFT entry for the
fi
lename itsel
f
• NTFS actually maintains multiple sets of
fi
le
name attribute
s
• Full, case-sensitive long
fi
lenam
e
• MS-DOS 8.3 short
fi
le name

21. Time-Stomping
• Only the $SI timestamps are available to user
applications through the Windows AP
I
• Programs can only alter those timestamp
s
• A processes called "time-stomping
"
• Setmace can alter all the timestamps (link Ch
12b
)
• Malware droppers and installers often
automate this process, inserting timestamps
from system
fi
les to hide in the timeline

22. $SI and $FN Timestamps
• $SI timestamps are easily altere
d
• $FN timestamps require a complex and indirect
process to modif
y
• Inconsistencies may remain between the $SI
and $FN timestamps

24. • Link Ch 12c

25. Ch 12a-1

26. Data Runs
• $DATA attribute lists all clusters with the
fi
le's
content
s
• May not be contiguous (fragmented
fi
le
)
• Lists "data runs" that must be assembled
together to get the complete
fi
le

27. Resident Data
• MFT entry contains 1024 byte
s
• That's enough room to store complete data for
small
fi
les (up to 700 or 800 bytes) in the MF
T
• These are called "Resident
fi
les"
• Set the Resident
fl
ag in the MFT entry

28. MFT Slack Space
• MFT may contain leftovers from previously
resident dat
a
• This happens if a
fi
le was small enough to be
resident and then expanded to be too large to
remain resident

29. Alternate Data Streams
• Additional named $DATA attributes in a
fi
le's
MFT entr
y
• Each can point to an unique set of cluster run
s
• All the data streams share the same Standard
Information and Filename attribute
s
• So they all share the same timestamps

31. Known Alternate Stream
Names
• Browsers append a stream to downloaded
fi
le
s
• Named Zone.Identi
fi
e
r
• Windows Explorer uses this data to determine
the origin of a
fi
le and enforce security controls
on i
t
• Link Ch 12c

34. MFT Analysis Tools

35. INDX Attributes
• Used to make
fi
le searches faste
r
• Often contains metadata from deleted
fi
le
s
• Links Ch 12h, 12i

36. Ch 12a-2

37. Change Logs
• $LogFile tracks all transactions that change the
structure of a volum
e
• File or directory creation/copy/delet
e
• Changes to
fi
le metadata or INDX record
s
• $UsnJrnl (Update Sequence Number) journa
l
• Tracks less data but has a longer history

38. Volume Shadow Copies
• Automatically generated backups of Windows
fi
le
s
• Manage with the vssadmin and mklink
command-line tools (link Ch 12k)

40. Shadow Copy
• A mirror of the volume's entire
fi
le system at the
time of the snapsho
t
• Available within the linked director
y
• Other tools:

41. Shadow Copies in
Velociraptor

42. File System Redirector
• Windows 32-bit on Windows 64-bit (WoW64
)
• Redirects some folders elsewhere when 32-bit
programs run on 64-bit Windows, lik
e
• %SYSTEMROOT%system32 redirects to
C:WindowsSysWOW6
4
• 32-bit tools may not see the whole
fi
le system

43. Windows Prefetch

44. C:WindowsPrefetch
Contains
• NTOSBOOT-BooDFAAD.pf (system boot
prefetch) -- only
fi
le existing on Windows Server
by defaul
t
• Layout.ini (for disk defragmenter
)
• Appname-########.pf (up to 128 application-
speci
fi
c prefetch
fi
les)

45. Value
• A record of programs executed on a syste
m
• Even if the executable has been delete
d
• Shows when application was
fi
rst run, when it
most recently ran, and how many times it was
ru
n
• Also shows each component loaded

46. WinPrefetchView
• Link Ch 12l

47. Prefetch in Velociraptor

48. Event Logs

49. Event Logs Enable these
Tasks

50. Types of Logs
• Core event logs in all Windows version
s
• Applicatio
n
• Errors and info from apps; antivirus and host-
based IPS log
s
• Syste
m
• Events from core Windows services; changes
in time, driver loads, network con
fi
guration
issue
s
• Securit
y
• Login and logoff attempts, changes to audit
policy

51. Acquiring Logs
• Log
fi
le locations are speci
fi
ed in this Registry
key:
HKLMSYSTEMCurrentControlSetServicesEventl
o
g
• For Vista and later, the logs are in these XML
fi
les:

52. Applications and Services
Logs
• EVTX
fi
les in %SYSTEMROOT%
System32WinevtLogs
• Logs for Task scheduler, Windows Firewall,
AppLocker, Terminal Services, User Access
Control

53. Event ID
• Each event is labelled with its Source and Event
ID numbe
r
• Good resource: eventid.ne
t
• Vista and later often have EventIDs that are 4096
larger than the EventID from Windows XP

54. Logon Events

55. From
Event
Viewer

57. Fields

58. Lateral Movement
• Attackers use stolen credentials to move from
system to syste
m
• Often use a common administrator accoun
t
• Or a domain or domain administrator account

59. Example

60. In Command Shell as ACMEEve

61. Events Logged

62. Changes to Accounts and
Security Settings: Security Logs

63. Process Auditing
• Not on by defaul
t
• Turn it on in local audit policy or Group Polic
y
• Puts an event in the Security log every time a
process is executed or terminate
d
• Generates a lot of log events

64. Service Events
• System logs record every time a service starts
or stop
s
• A common persistence mechanism for malware

65. Logs for PsExec

66. Suspicious Things
• Abnormal usernames using PsExe
c
• Known-bad service name
s
• Errors from malicious binaries that were
deleted, but still referenced by a service

67. Log Analysis Tips
• Check Application log for AV alert during period
of interes
t
• Increase log
fi
le sizes to retain a longer histor
y
• If log
fi
les in the old binary format are corrupt,
use FixEVT (link Ch 12m)

68. Tools

69. Sysmon in Velociraptor

70. Event Logs in Velociraptor

71. Scheduled Tasks

72. The "at" Command
• Requires administrator privilege
s
• Uses local tim
e
• Run as SYSTEM

73. The "schtasks" Command
• More complex forma
t
• Rarely used by attackers

74. .job Files
• Con
fi
guration data for scheduled task
s
• One
fi
le per tas
k
• In %SYSTEMROOT%Tasks
• Files persist until shutdown or reboot of system

75. Task Scheduler Logs
• %SYSTEMROOT%TasksSchedLgU.tx
t
• Records start time and completion of task
s
• Also Event Logs, includin
g
• Microsoft-Windows-
TaskScheduler%4Operational.evt
x
• Security log

76. Analyzing .job Files
• A binary
fi
l
e
• Strings will show user information and
fi
le path

77. Job File Parser
• Link Ch
12n

78. Scheduled Tasks Log

79. Windows
Task
Scheduler
Operational
Log in Event
Viewer

80. Scheduled Tasks in
Velociraptor

81. Ch 12a-3