As part of an assignment for a 2nd-year university assessment I briefly looked at the application "Timestomp", which allows the user to manipulate MACE times on NTFS filesystems. I tested the program, changing the first three MACE times of a few kinds of files, which are easily looked at in the properties of files, but I had no way of looking at the entry in the MFT (master file table) to check to see if they all worked. How would I go about this?
Alan
I'm actually going to try to do you a favor and not answer your question. Odds are, you've already been given some hint in prior lecture and reading. But see, part of learning – especially important in forensics – is the ability to dig it out yourself. There's a lot of resources on the Internet that will help you answer this question. Articles, how-to's, and whitepapers are all your friend. Please understand that in a few years, we may be colleagues together. I'd like you to be a colleague I'd be proud to work with.
Hehe, OK. Thank you. You're most definitely right! I'd also like to be someone who I would hope others would like to work with! Forensics is a small, but growing, tight-knit community and I'd hope to bump into you (and others on here) some day.
Alan
Alan, after you've done some digging, if you still have questions please do come back with them. We really do want to help, even if I'm a grumpy old guy. :)
Haha, I'm sure you're not! I'll be looking into it once exams are over, then I might have a few questions… until then, dynamic internet technologies for Alan!
Don't forget Brian Carrier's book on File System Forensic Analysis; apologies if you are already aware, but this is a must-have reference book.
If you really want to learn this, grab a good hex editor and learn to manually traverse a $MFT record. Second on Carrier's book.
WinHex is a very good place to start and it's free.
Free to try. EUR 39.41 to buy, which is very reasonable. I keep a current license of X-Ways Forensics (based on WinHex) for when I really need to dig in (it's the program I started with and I still like it).
There are many freeware hex editors available; just Google.
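The walk-through of a $MFT record that the hex-editor suggestion above describes can be scripted, which is also how you answer the original question: a FILE record carries two sets of timestamps, four in $STANDARD_INFORMATION ($SI, the ones Explorer shows) and four more in each $FILE_NAME ($FN) attribute, and a tool that rewrites times through the Windows file-time API (as Timestomp does) touches only $SI. The Python below is an added example, not code from this thread or from Timestomp: it applies the record's update-sequence fixups, walks the resident attributes, pulls both timestamp sets, and reports the two classic leads ($SI created earlier than $FN created; $SI values with no sub-second digits, which the API sets with whole-second precision). The attribute offsets are the documented NTFS ones (Carrier, File System Forensic Analysis, ch. 13); the file name, timestamps, MFT record numbers and the two sample records are constructed so the script runs offline, and both heuristics are leads rather than proof (cross-volume moves, archive extractors and FAT-origin copies can produce either pattern).

```python
"""Walk an NTFS $MFT FILE record and compare its $STANDARD_INFORMATION ($SI)
and $FILE_NAME ($FN) timestamps. Sample records below are constructed, not from a disk."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)    # FILETIME epoch
TICKS_PER_SEC = 10_000_000                            # FILETIME unit is 100 ns
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
SECTOR, RECORD = 512, 1024
FIELDS = ("created", "modified", "mft_modified", "accessed")  # on-disk order

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SEC + d.microseconds * 10

def fmt(ft):
    return filetime_to_dt(ft).strftime("%Y-%m-%d %H:%M:%S") + f".{ft % TICKS_PER_SEC:07d}"

def apply_fixups(record):
    # On disk the last word of each sector holds the USN; the real words are in the header's array.
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def iter_resident_attributes(rec):
    off = struct.unpack_from("<H", rec, 0x14)[0]        # offset of first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            return
        if alen < 0x18 or off + alen > len(rec):
            raise ValueError(f"bad attribute length at {off:#x}")
        if rec[off + 8] == 0:                            # resident flag
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            yield atype, rec[off + coff:off + coff + clen]
        off += alen

def parse_timestamps(record):
    # Returns raw FILETIME values: {"$SI": {...}, "$FN": [{..., "name": ...}, ...]}
    rec = apply_fixups(record)
    out = {"$SI": None, "$FN": []}
    for atype, body in iter_resident_attributes(rec):
        if atype == ATTR_SI:
            out["$SI"] = dict(zip(FIELDS, struct.unpack_from("<4Q", body, 0)))
        elif atype == ATTR_FN:                           # times follow the 8-byte parent reference
            fn = dict(zip(FIELDS, struct.unpack_from("<4Q", body, 8)))
            fn["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            out["$FN"].append(fn)
    if out["$SI"] is None:
        raise ValueError("no $STANDARD_INFORMATION attribute")
    return out

def timestomp_indicators(ts):
    # Leads, not proof: API-set times land in $SI only, so they predate $FN and have no sub-second part.
    findings, si = [], ts["$SI"]
    for fn in ts["$FN"]:
        if si["created"] < fn["created"]:
            findings.append(f"$SI created {fmt(si['created'])} predates $FN created "
                            f"{fmt(fn['created'])} for {fn['name']!r}")
    for field, value in si.items():
        if value % TICKS_PER_SEC == 0:                   # zero ("blanked") values trip this too
            findings.append(f"$SI {field} {fmt(value)} has no sub-second part")
    return findings

def resident_attr(atype, body, attr_id):
    length = (0x18 + len(body) + 7) & ~7                 # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(body), 0x18, 0, 0)
    return hdr + body + bytes(length - 0x18 - len(body))

def build_record(name, si_times, fn_times, usn=7):
    # Constructed 1024-byte FILE record in its on-disk (fixed-up) form; values are illustrative.
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HHQHHHH", hdr, 4, 0x30, 3, 0, 1, 1, 0x38, 1)  # USA off/count, LSN, seq, links, first attr, in-use
    struct.pack_into("<I", hdr, 0x1C, RECORD)
    struct.pack_into("<HHH", hdr, 0x30, usn, 0, 0)       # USN, then the saved sector-end words
    fn_body = struct.pack("<Q4QQQIIBB", 5 << 48 | 5, *fn_times, 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = (resident_attr(ATTR_SI, struct.pack("<4QIIII", *si_times, 0x20, 0, 0, 0), 0)
            + resident_attr(ATTR_FN, fn_body, 1) + struct.pack("<I", ATTR_END))
    struct.pack_into("<I", hdr, 0x18, 0x38 + len(body))   # bytes in use
    rec = bytearray(hdr + body) + bytes(RECORD - 0x38 - len(body))
    for end in (SECTOR, RECORD):                          # write the USN over each sector's last word
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)

UTC = timezone.utc
T_REAL = dt_to_filetime(datetime(2008, 3, 12, 14, 5, 33, 123456, tzinfo=UTC)) + 7   # .1234567, as NTFS writes
T_FAKE = dt_to_filetime(datetime(2005, 5, 30, 10, 10, 10, tzinfo=UTC))             # whole second, as the tool sets
T_STOMP = dt_to_filetime(datetime(2008, 3, 14, 9, 22, 41, 555123, tzinfo=UTC)) + 4  # entry-modified when tool ran
CLEAN_RECORD = build_record("report.docx", (T_REAL,) * 4, (T_REAL,) * 4)
STOMPED_RECORD = build_record("report.docx", (T_FAKE, T_FAKE, T_STOMP, T_FAKE), (T_REAL,) * 4)

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_RECORD), ("stomped", STOMPED_RECORD)):
        print(label, *(timestomp_indicators(parse_timestamps(rec)) or ["no indicators"]), sep="\n  ")
```

To use it on a real image, carve the 1024-byte record for the file out of $MFT (record number times 1024 from the start of $MFT) and pass those bytes to `parse_timestamps`; the fixup check will throw if you grabbed a misaligned or torn record. A tool that also rewrites $FN, or a stomp followed by a rename or move (which rebuilds $FN from the current $SI values), defeats the first check, which is why the sub-second check and the $LogFile/$UsnJrnl are worth looking at as well.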
You might be able to take a different angle.
Debug Timestomp and go step by step through the modification of the MFT; then you can see for yourself how it changes and when in the process.
Then you could be sure that it isn't actually modifying the MFT… or not… depending on what you see.
l8r
Skip