Inside the Mind of a Cybercriminal: MFT Records and Metadata Insights
Chapter 1: Understanding MFT Records
In this chapter we look at Master File Table (MFT) records and, in particular, where the timestamps sit inside a record's attributes. Being able to recognise a record by its layout and read its timestamps directly is what lets an examiner make sense of orphaned record fragments: entries for deleted files that can survive in unallocated space or in Pagefile.sys long after the file itself is gone.
Hands-On Project 1–2: Investigation and Development Procedures
For this project we carry out an internal digital investigation alongside a forensic examination. The goal is to analyze the MFT record of a file we create ourselves, so that the same technique can later be applied to deleted fragments. Each stage of identification, analysis, investigation, development and testing is documented using the WinHex tool.
System Requirements:
- A Windows system whose C: drive is formatted as NTFS.
- Notepad, for creating a small text file.
- WinHex, for reading the metadata stored in the $MFT.
WinHex Tool Overview
WinHex is a hexadecimal editor used in computer forensics, data recovery, low-level data processing and IT security. It can open files, logical volumes, physical disks and RAM, inspect and edit them at the byte level, recover deleted files, and retrieve lost data from damaged hard drives or digital camera media, which makes it useful both for routine work and for emergencies.
Capabilities of WinHex
- Disk Cloning and Imaging: Create exact, sector-by-sector copies of a disk, whether to image evidence before analysis or to roll one installation out to several machines.
- RAM Editing: Inspect and modify the memory of running processes, useful for debugging and patching running programs, including games.
- File Analysis: Identify what kind of data the fragments recovered by tools like ScanDisk or chkdsk actually contain.
- Secure File Deletion: Make sensitive files unrecoverable with the delete irreversibly option.
- Wiping Unused Disk Space: Securely erase remnants of deleted classified files so they cannot be carved back out of free space.
- Data Recovery: Recover deleted files manually or automatically on a range of file systems.
Project Steps: Working with WinHex
- Open the WinHex tool on your computer.
- Create a text file in Notepad with any content you like.
- Save it as C5Prj02.txt in the root of the C: drive so that NTFS creates an MFT record for it.
- Familiarize yourself with the layout of an MFT record and its attributes, in particular $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30), which each carry four timestamps.
- Open the C: volume in WinHex in Read-only mode, locate the $MFT record for C5Prj02.txt and examine its metadata.
Detailed Examination of Timestamps
An MFT record starts with the signature FILE; the offset of its first attribute is held in the 2-byte field at record offset 0x14 (normally 0x38). Every attribute begins with a 4-byte type and a 4-byte length, and a resident attribute's content starts 0x18 bytes after the attribute header. On a typical record the first attribute is $STANDARD_INFORMATION (type 0x10), so its content starts at 0x38 + 0x18 = 0x50. The four timestamps are the first four fields of that content, each an 8-byte FILETIME (the number of 100-nanosecond intervals since 1 January 1601, UTC), stored in this order:
- Creation Time (C Time): record offset 0x50.
- Altered Time (A Time, last change to the file's content): offset 0x58.
- MFT Change Time (M Time, last change to the record itself): offset 0x60.
- Last Access Time (R Time): offset 0x68.
$FILE_NAME (type 0x30) holds the same four timestamps in the same order, but they follow an 8-byte reference to the parent directory. With the usual 0x60-byte $STANDARD_INFORMATION, $FILE_NAME starts at 0x98, its content at 0xB0, and its timestamps at 0xB8 (C), 0xC0 (A), 0xC8 (M) and 0xD0 (R).
These fixed offsets only hold for this common layout. If the record differs (an attribute list, a named attribute, a longer $STANDARD_INFORMATION), walk the attributes from the offset at 0x14 using each attribute's length field rather than trusting the numbers above. Note also that WinHex shows the record as it is stored on disk: the last two bytes of each 512-byte sector (offsets 0x1FE and 0x3FE) are replaced by the update sequence number, and the real bytes are kept in the update sequence array at offset 0x30. The timestamps above are not affected by this, but anything that straddles a sector boundary is.
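To see what those offsets mean in practice, here is an added example (not code from the original article or from WinHex) that pulls the four FILETIMEs out of a raw 1024-byte MFT record from both $STANDARD_INFORMATION and $FILE_NAME. The record it parses is constructed inside the script, with a made-up file name and timestamps, so it runs offline; a record copied out of a real $MFT with WinHex has the same layout. The parser walks the attribute chain from the first-attribute offset instead of assuming 0x50, and undoes the update-sequence fixups first, which is the step most hand-rolled parsers forget.

```python
"""Pull the four FILETIME stamps out of a raw 1024-byte NTFS MFT record.

Added example for this article, not code from the original post or from
WinHex. The record is constructed below (made-up name and times) so the
script runs offline; a record copied out of $MFT has the same layout.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
RECORD_SIZE, SECTOR = 1024, 512


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10


def apply_fixups(raw: bytes) -> bytes:
    """Undo update-sequence fixups: on disk the last two bytes of every sector hold
    the USN and the real bytes live in the update sequence array (offset 0x30)."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def iter_attributes(rec: bytes):
    """Yield (type, record offset of content, content) for each resident attribute,
    walking the chain from the first-attribute offset instead of assuming 0x38."""
    if rec[:4] != b"FILE":
        raise ValueError("no FILE signature: not an MFT record")
    pos = struct.unpack_from("<H", rec, 0x14)[0]
    while pos + 8 <= len(rec):
        attr_type, attr_len = struct.unpack_from("<II", rec, pos)
        if attr_type == ATTR_END:
            break
        if attr_len < 0x18 or pos + attr_len > len(rec):
            raise ValueError(f"bad attribute length at 0x{pos:X}")
        if rec[pos + 8] == 0:  # resident; non-resident attributes keep their data in clusters
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            yield attr_type, pos + coff, rec[pos + coff:pos + coff + clen]
        pos += attr_len


def parse_timestamps(raw: bytes) -> dict:
    """Map attribute name -> {'offset': record offset of the C time, 'C', 'A', 'M', 'R'}.
    NTFS stores the stamps in the order creation, altered, MFT-changed, read (accessed)."""
    out = {}
    for attr_type, off, content in iter_attributes(apply_fixups(raw)):
        if attr_type == ATTR_STANDARD_INFORMATION:
            name, base = "$STANDARD_INFORMATION", 0
        elif attr_type == ATTR_FILE_NAME:
            name, base = "$FILE_NAME", 8  # the 8-byte parent directory reference comes first
        else:
            continue
        c, a, m, r = struct.unpack_from("<4Q", content, base)
        out[name] = {"offset": off + base, "C": filetime_to_datetime(c),
                     "A": filetime_to_datetime(a), "M": filetime_to_datetime(m),
                     "R": filetime_to_datetime(r)}
    return out


def _resident_attr(attr_type: int, content: bytes) -> bytes:
    length = (0x18 + len(content) + 7) & ~7  # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + bytes(length - 0x18 - len(content))


def build_record(name: str, data: bytes, c: datetime, a: datetime, m: datetime, r: datetime) -> bytes:
    """Constructed sample record (not real disk data) in the common layout:
    $STANDARD_INFORMATION at 0x38, $FILE_NAME at 0x98, a resident $DATA, end marker."""
    ft = [datetime_to_filetime(t) for t in (c, a, m, r)]
    si = struct.pack("<4Q", *ft) + struct.pack("<6I", 0x20, 0, 0, 0, 0, 0) + bytes(16)
    fn = (struct.pack("<Q", 5 | (5 << 48)) + struct.pack("<4Q", *ft)  # parent = root dir, entry 5
          + struct.pack("<QQIIBB", 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le"))
    body = (_resident_attr(ATTR_STANDARD_INFORMATION, si) + _resident_attr(ATTR_FILE_NAME, fn)
            + _resident_attr(ATTR_DATA, data) + struct.pack("<I", ATTR_END) + bytes(4))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(body), RECORD_SIZE, 0, 4, 0, 0)
    rec = bytearray(hdr + bytes(8) + body) + bytes(RECORD_SIZE - 0x38 - len(body))
    struct.pack_into("<H", rec, 0x30, 1)  # USN = 1
    for i in range(RECORD_SIZE // SECTOR):  # move each sector's last two bytes into the USA
        end = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, 1)
    return bytes(rec)


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
    rec = build_record("C5Prj02.txt", b"hello from notepad\r\n", t0, t0, t0, t0)
    for attr, ts in parse_timestamps(rec).items():
        print(f"{attr}: C time at record offset 0x{ts['offset']:X}")
        for k in "CAMR":
            print(f"  {k} time {ts[k].isoformat()}")
```

Run it and compare the printed offsets (0x50 and 0xB8) with what WinHex shows for your own record. In an investigation the $FILE_NAME stamps deserve a second look: the Win32 SetFileTime API rewrites only $STANDARD_INFORMATION, so a $STANDARD_INFORMATION creation time that is earlier than the $FILE_NAME creation time of the same record is a common indicator that the file's times have been tampered with.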
Project Summary with FILETIME Information
The results of this project are compiled in Table 2, summarizing the FILETIME data.
Conclusion
Throughout this project we took a snapshot of the MFT records and examined the record for the newly created text file. Opening the volume in WinHex's "Read-only mode" protected the integrity of the data. The objective was to understand how the four file timestamps differ from one another, and we read and documented each value. All four FILETIME values in the record matched the file's creation time, which is what we expect for a file that had just been written once and not modified or opened again; a later edit would move the A time, and any change to the record itself would move the M time.
Chapter 2: Hands-On Project 2–2: Exploring File Headers
In this project we deepen our understanding of file types by using WinHex to look at the first bytes of different files, the file signature that identifies a format regardless of its extension.
Investigation and Development Procedures:
- Launch the WinHex tool on your PC.
- Create a Microsoft Excel (.xlsx), a Word (.docx) and a JPEG (.jpg) file.
- Open each file in WinHex and record the bytes at offset 0 in a text editor. Expect 50 4B 03 04 ("PK") for both .xlsx and .docx, since Office Open XML files are ZIP containers, and FF D8 FF for the JPEG.
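The same check, done in code rather than by eye, as an added example that is not part of the original article or of WinHex: it identifies a file from its header bytes, looks inside ZIP-based files to tell a .docx from an .xlsx, and flags files whose extension claims a type the header does not support. The sample files (a minimal Word container, a minimal Excel container, a bare JFIF header, and a workbook renamed to .jpg) are constructed in memory so the script runs offline; the names and contents are made up.

```python
"""Identify file types from their header bytes rather than their extension.

Added example for the file-header project above; not code from the original
article or from WinHex. The sample files are built in memory (constructed,
not real documents) so the script runs offline.
"""
import io
import os
import zipfile

# Signatures at offset 0. .docx and .xlsx are ZIP containers (Office Open XML),
# so they share the ZIP signature 50 4B 03 04 and need a look inside to tell apart.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG"),
    (b"PK\x03\x04", "ZIP container"),
    (b"%PDF-", "PDF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy .doc/.xls)"),
]
EXPECTED_BY_EXTENSION = {".docx": "Word document (.docx)", ".xlsx": "Excel workbook (.xlsx)",
                         ".jpg": "JPEG", ".jpeg": "JPEG", ".pdf": "PDF", ".png": "PNG"}


def hexdump_header(data: bytes, n: int = 16) -> str:
    """The bytes WinHex shows at offset 0, as space-separated hex."""
    return " ".join(f"{b:02X}" for b in data[:n])


def identify(data: bytes) -> str:
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return _classify_zip(data) if label == "ZIP container" else label
    return "unknown"


def _classify_zip(data: bytes) -> str:
    """An Office Open XML file is a ZIP with [Content_Types].xml plus a word/ or xl/ tree."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "ZIP container (truncated or damaged)"
    if "[Content_Types].xml" not in names:
        return "ZIP container"
    if any(n.startswith("word/") for n in names):
        return "Word document (.docx)"
    if any(n.startswith("xl/") for n in names):
        return "Excel workbook (.xlsx)"
    return "Office Open XML (other application)"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type that the header does not support."""
    expected = EXPECTED_BY_EXTENSION.get(os.path.splitext(filename)[1].lower())
    return expected is not None and identify(data) != expected


def _make_ooxml(app: str) -> bytes:
    """Constructed minimal .docx ('word') or .xlsx ('xl') container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{app}/{'document' if app == 'word' else 'workbook'}.xml", "<root/>")
    return buf.getvalue()


# Constructed samples: the JPEG is just a JFIF header plus the end-of-image marker.
SAMPLES = {
    "report.docx": _make_ooxml("word"),
    "budget.xlsx": _make_ooxml("xl"),
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00" + bytes(64) + b"\xFF\xD9",
    "holiday.jpg": _make_ooxml("xl"),  # a workbook renamed to .jpg: the header gives it away
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        flag = "  <-- extension does not match header" if extension_mismatch(fname, data) else ""
        print(f"{fname:14} {hexdump_header(data, 8):24} {identify(data)}{flag}")
```

The first eight bytes printed for each sample are the ones you would write down from WinHex; the point of the renamed workbook is that an extension is a label the user controls, while the signature is part of the format itself.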
Conclusion
This project let us explore several file formats with WinHex in Read-only mode, recording and summarizing each file type by the signature bytes found at offset 0.
Quote of the Day: 石橋を叩いて渡る (Ishibashi o tataite wataru), "knock on the stone bridge before you cross it".
Explanation: Just as a sturdy stone bridge can still collapse if its structure has weakened, we should take precautions even when things appear safe.