During an analysis, I realised that the timestamps in $STANDARD_INFORMATION are not consistent with $FILE_NAME.
Qn 1: Should I base my analysis on $FILE_NAME or $STANDARD_INFORMATION?
Qn 2: Are there any tools (for Windows) to parse $FILE_NAME or compare both sets of timestamps?
> During an analysis, I realised that the timestamps in $STANDARD_INFORMATION are not consistent with $FILE_NAME.
This is not all that unusual. The STANDARD_INFORMATION attributes are the attributes used by the Windows API. These attributes are those most frequently changed as a result of file activity.
The FILE_NAME attributes most often correspond to the file creation time and are rarely updated (moving a file from one location to another will result in the FILE_NAME attributes being updated to reflect the STANDARD_INFORMATION file create date).
> Qn 1: Should I base my analysis on $FILE_NAME or $STANDARD_INFORMATION?
It depends on what you want to establish. There are utilities which will change the SI information easily, so it is possible that these are unreliable. But the FN attributes are not updated as often, so they may be of little use except to question the accuracy of the SI attributes.
Many investigators treat the MACE times as circumstantial unless verified via other means. On the other hand, unless you have some reason to suspect that these times were altered, it is not unreasonable to accept them at face value.
> Qn 2: Are there any tools (for Windows) to parse $FILE_NAME or compare both sets of timestamps?
Sure. Many. Timestomp would be one that comes to mind, immediately, or NFI from the Windows OEM Support Tools package.
> During an analysis, I realised that the timestamps in $STANDARD_INFORMATION are not consistent with $FILE_NAME.
Sure, okay.
> Qn 1: Should I base my analysis on $FILE_NAME or $STANDARD_INFORMATION?
Depends. I often find it useful to support my findings based not just on the data within the $FILE_NAME attribute, but also upon an understanding of what that information represents.
More than anything else, I think that you should invest some time into reading Brian Carrier's book, "File System Forensic Analysis"…particularly the chapters dealing with the MFT.
> Qn 2: Are there any tools (for Windows) to parse $FILE_NAME or compare both sets of timestamps?
Dave Kovar's
I wrote my own Perl code to parse this information, and experience has shown me that you (or rather, I) don't just want something that compares the values, as often a simple comparison isn't what I need.
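The distinction drawn above (the $STANDARD_INFORMATION times are what the Windows API touches, the $FILE_NAME times are set when the name is created and rarely updated) is easiest to see by pulling both sets out of a raw MFT record and lining them up. The following is an added example, not the Perl code mentioned in the post nor any tool from the thread: it parses one FILE record (applying the update-sequence fixups, which any real MFT parser has to do), extracts the four timestamps from $STANDARD_INFORMATION and from each $FILE_NAME attribute, and then reports the two observations an examiner usually notes in the case file rather than a bare "which one is right": $SI created predating $FN created, and all-zero sub-second ticks in $SI while $FN carries them. The 1024-byte record, the 1999/2012 timestamps, the file name `report.docx` and the function names are all constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF   # NTFS attribute type codes
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000              # FILETIME counts 100 ns ticks

def filetime_to_datetime(ft):              # 64-bit FILETIME -> UTC datetime (microsecond precision)
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt, extra_ticks=0):   # inverse; used only to build the constructed sample
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10 + extra_ticks

def apply_fixups(record, sector_size=512):
    """Undo update-sequence fixups: the USN overwrites the last two bytes of each sector
    and the real bytes sit in the update sequence array (USA) in the record header."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    rec = bytearray(record)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * sector_size - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(raw):
    """Collect the four timestamps from $STANDARD_INFORMATION and from every $FILE_NAME."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]           # offset of first attribute
    parsed = {"si": None, "fn": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                                # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                parsed["si"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 0)))
            elif atype == ATTR_FILE_NAME:                    # times follow the 8-byte parent reference
                entry = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 8)))
                name_len, entry["namespace"] = content[0x40], content[0x41]
                entry["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
                parsed["fn"].append(entry)
        off += alen
    return parsed

def compare_timestamps(parsed):
    """Findings worth putting in case notes, rather than a blind 'which one wins' answer."""
    si, findings = parsed["si"], []
    for fn in parsed["fn"]:
        if si["created"] < fn["created"]:                    # $SI should not predate the $FN it seeded
            gap = filetime_to_datetime(fn["created"]) - filetime_to_datetime(si["created"])
            findings.append("%s: $SI created %s precedes $FN created %s by %d days" % (
                fn["name"], filetime_to_datetime(si["created"]),
                filetime_to_datetime(fn["created"]), gap.days))
    fn_subsecond = any(fn[k] % TICKS_PER_SECOND for fn in parsed["fn"] for k in TIME_KEYS)
    if fn_subsecond and all(t % TICKS_PER_SECOND == 0 for t in si.values()):
        findings.append("all four $SI timestamps have zero sub-second ticks while $FN does not "
                        "(consistent with times set at one-second granularity)")
    return findings

def _resident_attr(atype, content, attr_id):
    total = (0x18 + len(content) + 7) & ~7                   # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id, len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (total - 0x18 - len(content))

def build_sample_record(si_times, fn_times, name):
    """Assemble a 1024-byte FILE record with genuine fixups (constructed, not from a real disk)."""
    si = struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0)       # flags 0x20 = FILE_ATTRIBUTE_ARCHIVE
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_times, 4096, 3210, 0x20, 0, len(name), 1)
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si, 0)
             + _resident_attr(ATTR_FILE_NAME, fn + name.encode("utf-16-le"), 1)
             + struct.pack("<I", ATTR_END) + b"\x00" * 4)
    first_attr = 0x38                                        # 0x30 header + 6-byte USA, 8-byte aligned
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, first_attr, 1,
                         first_attr + len(attrs), 1024, 0, 2, 0, 42)
    rec = bytearray(header + b"\x00" * 8 + attrs).ljust(1024, b"\x00")
    usn = b"\x37\x00"                                        # arbitrary update sequence number
    rec[0x30:0x32] = usn
    for i, pos in enumerate((510, 1022), start=1):           # park real sector-end bytes in the USA
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[pos:pos + 2]
        rec[pos:pos + 2] = usn
    return bytes(rec)

# Constructed scenario mirroring the thread: $FN keeps the real 2012 creation, $SI reads 1999
SAMPLE_RECORD = build_sample_record(
    [datetime_to_filetime(datetime(1999, 1, 1, tzinfo=timezone.utc))] * 4,
    [datetime_to_filetime(datetime(2012, 3, 14, 10, 22, 31, 123456, tzinfo=timezone.utc), 7)] * 4,
    "report.docx")

def analyse(raw=SAMPLE_RECORD):
    parsed = parse_mft_record(raw)
    return parsed, compare_timestamps(parsed)
```

Running `analyse()` on the constructed record yields the two findings above; on a real $MFT you would feed each 1024-byte record in turn and keep only the ones that produce findings, which is the filtering the OP asked about. Both checks are indicators, not proof: a file renamed or moved after its times were altered will carry the altered values into a fresh $FILE_NAME, and a legitimate copy from a FAT volume also arrives with second-granularity times, so the output belongs in the case notes next to the other data points rather than standing alone.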
Thank you for enlightening me on the issues. Definitely will find some time to go through Brian's book in depth.
Yup, I need something more than just comparing the 2 sets of timestamps.
lol lol lol
No problem. Take a look at the book and read the pertinent chapters…some vitally important information there.
> I need something more than just comparing the 2 sets of timestamps.
Exactly…which is why I like my Perl code so much…mostly I just cut-n-paste the output (for the pertinent files) into my case notes and/or final report, particularly when there appears to have been timestomping involved. The thing is, it's easily reproducible, as well…
Rob Lee at SANS with help of keydet89's tools as well
http//
Good information as well as an example of some of the tools used.
The SANS SIFT Workstation is a free download that encompasses and supports many of the tools mentioned.
Doug,
> Rob Lee at SANS with help of keydet89's tools as well
The tool mentioned in that post is regtime.pl, which operates on Registry hives, not the MFT.
Log2timeline relies primarily on fls from the TSK tools to get file system metadata, and that's from the $STANDARD_INFORMATION attribute. I don't see a specific tool mentioned in the post to extract timestamps from the $FILE_NAME attributes…did I miss it? If so, which one is it?
Thanks.
Harlan - was looking at it from
"I need something more than just comparing the 2 sets of timestamps"
and
"Depends. I often find it useful to support my findings based not just on the data within the $FILE_NAME attribute, but also upon an understanding of what that information represents."
And creating an overall timeline. Just trying to steer the OP's thoughts to a wider-angle view of the MFT, as there are more likely other data points to correlate into the equation.
The $FILE_NAME attribute has to be taken in the context of what it does and why what the OP might be looking for could possibly weigh heavier from the $STANDARD_INFORMATION attribute.
I guess what I should have asked originally to davidkoepi is what are you trying to do and/or demonstrate with the parsed information.
MyKey's MFT Ripper is a great Win tool for MFT file parsing. Loaded into Excel with the top row locked, sorting and filtering is another way to look at the MFT records very easily.
> I guess what I should have asked originally to davidkoepi is what are you trying to do and/or demonstrate with the parsed information.
While compiling the report, I discovered the timestamps were much earlier (like year 1999). So I looked deeper and found more files with the same timestamp, and so I need to filter out these files, just in case I missed any files.
Thanks, will definitely look further with suggestions. D
> And creating an overall timeline. Just trying to steer the OP's thoughts to a wider-angle view of the MFT, as there are more likely other data points to correlate into the equation.
Okay, gotcha…although I still don't get the reference to my tools.
> MyKey's MFT Ripper is a great Win tool for MFT file parsing. Loaded into Excel with the top row locked, sorting and filtering is another way to look at the MFT records very easily.
yeah, once you reorder the columns properly…