
Timestomping NTFS (with emphasis on directory index records) Wicher - PowerPoint PPT Presentation



  1. Timestomping NTFS (with emphasis on directory index records) Wicher Minnaard supervisor: Marco van Loosen (Fox-IT) UVA/SNE MSc research project presentation July 2nd, 2014

  2. Research question (1) What forms of NTFS timestamp tampering can be detected by inspecting NTFS structures?

  3. Timestamps on NTFS (1) MACB timestamps: ◮ Modified [1] ◮ Accessed [2] ◮ Changed [3] ◮ Birth [4]. Footnotes: [1] mOdified - cOntents; [2] updates turned off by default in recent Windows versions; [3] chAnged - metAdata; [4] but what does that mean, anyway

  4. Timestamps on NTFS (2) In the Master File Table entries: ◮ SI - $STANDARD_INFORMATION attribute. User-modifiable through the SetFileInformationByHandle and ZwSetInformationFile routines. ◮ FN - $FILE_NAME attribute. A file can have several of these, in different namespaces. They are not exposed to userspace. ◮ Inside directory indices: timestamps reflecting the SI timestamps, but embedded inside an FN attribute... Maximum number of timestamps: 4 (MACB) * (1 SI + 3 FN + 3 directory index entries) = 28!

  5. Tampering techniques How does one tamper with timestamps ("timestomping")? ◮ Through APIs, as the classic timestomp.exe [5] does. Not perfect. ◮ Direct modification of on-disk NTFS structures. Current cream of the crop: later versions of SetMace [6]. Footnotes: [5] James Foster, Vinnie Liu, Blackhat 2005; [6] Joakim Schicht, 2011-2014

  6. Research question revisited What forms of NTFS timestomping can be detected by inspecting NTFS structures?

  7. Research question revisited What forms of NTFS timestomping can be detected by inspecting NTFS structures? Subquestions: ◮ What is the form, function, and location of all these timestamps? How do they relate to each other? ◮ What timestomping techniques are available to modify each timestamp? ◮ What inconsistencies (if any) do the techniques introduce?

  8. Timestomping detection

  9. Timestomping detection subtlety is key!

  10. Timestomping detection subtlety is key! Common slip-up: forgetting about the 100 ns timestamp resolution, which leaves a timestamp with an all-zero sub-second field: 2014-01-01 12:12:34.000000

  11. Timestomping detection subtlety is key! Generally: look for inconsistencies

  12. Timestomping: Inconsistencies ◮ Causal relationships (happened-before): allocators, sequence numbers. Willassen, 2008. ◮ Deriving past operations from the NTFS journal. Cho, 2012. ◮ Explicit second source of timestamps: directory index entries in B-tree slack ($INDEX_ALLOCATION): INDXParse.py, Ballenthin, 2011-2014.

  13. Parsing the $INDEX_ROOT attribute with the Hachoir framework.

  14-20. Growing a directory index

  21. Carving root index entries from MFT slack

  22. SetMACE directory indices

  23. Fingerprinting timestamp relations (1) What about self-inconsistencies in time stamps?

  24. Fingerprinting timestamp relations (1) What about self-inconsistencies in timestamps? As the $FILE_NAME timestamps are a snapshot of some earlier state of the $STANDARD_INFORMATION timestamps... the former should always be less than or equal to the latter, right?


  26. Fingerprinting timestamp relations (2) An example fingerprint: sia = sib < sim < fna = fnb = fnc = fnm < sic. Total number of possible configurations [7]. Footnote: [7] Sum of binomial coefficients
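An added example (not code from the presentation) of how the fingerprint on slides 24-26 can be computed from a file's eight SI/FN timestamps, together with the two checks the talk discusses: FN timestamps that are newer than their SI counterparts, and timestamps whose 100 ns sub-second field is all zeros (slide 10). The short names sia/sib/sim/sic and fna/fnb/fnc/fnm follow the slide; the sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(s: str) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS[.fffffff]' (UTC) to FILETIME ticks."""
    main, _, frac = s.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = ((dt - EPOCH) // timedelta(microseconds=1)) * 10
    if frac:
        ticks += int(frac.ljust(7, "0")[:7])   # keep full 100 ns resolution
    return ticks


def fingerprint(ts: dict) -> str:
    """Weak ordering of the timestamps, e.g. 'sia = sib < sim < ... < sic'."""
    order = sorted(ts, key=lambda k: (ts[k], k))   # ties ordered by name
    out = [order[0]]
    for prev, cur in zip(order, order[1:]):
        out.append("=" if ts[prev] == ts[cur] else "<")
        out.append(cur)
    return " ".join(out)


def check(ts: dict) -> list:
    """Warnings: FN newer than SI for the same MACB field, zeroed sub-seconds."""
    warnings = []
    for x in "mabc":
        if ts["fn" + x] > ts["si" + x]:
            warnings.append(f"fn{x} later than si{x}")
    for name, value in ts.items():
        if value % 10_000_000 == 0:           # whole seconds only: suspicious
            warnings.append(f"{name} has zero sub-second part")
    return warnings


# Constructed sample reproducing the slide's example fingerprint; the FN
# timestamps post-date three of the SI ones, and sic has no fractional part.
SAMPLE = {
    "sia": filetime("2013-03-05 10:00:00.1234567"),
    "sib": filetime("2013-03-05 10:00:00.1234567"),
    "sim": filetime("2013-03-05 10:00:02.5"),
    "fna": filetime("2013-03-06 08:15:30.0000001"),
    "fnb": filetime("2013-03-06 08:15:30.0000001"),
    "fnc": filetime("2013-03-06 08:15:30.0000001"),
    "fnm": filetime("2013-03-06 08:15:30.0000001"),
    "sic": filetime("2014-01-01 12:12:34"),
}

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
    print(check(SAMPLE))
```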

  27. Wildtype timestamps A skewed, but long-tailed distribution. Example: cumulative distribution of timestamp fingerprints of EXE files on a 1.5-year-old Windows 7 system (figure). Combine with NSRL whitelists, use as a ranking mechanism

  28. Conclusions What forms of NTFS timestamp tampering can be detected by inspecting NTFS structures? → It depends. When it comes to finding inconsistencies: ◮ Index records may be overlooked by direct-access timestomping tools. However, Windows helpfully repairs the resulting inconsistencies. [8] ◮ Old index records may be found in slack space. ◮ Wildtype timestamp configurations do not follow intuitions. Anomaly detection based on wildtype timestamp configuration frequencies may be of some use in the ranking phase. Footnote: [8] Next step: extended consistency checker, for instance, cross-check each of the FN attributes in the multiple namespaces and the directory indices
