Timestomp and Autopsy

This document provides an overview of file timestamp analysis using the tools Timestomp and Autopsy. It explains that file timestamps can be useful forensic evidence but can also be manipulated by attackers. It demonstrates how to use Autopsy to analyze a disk image, view file properties and timestamps, and detect possible timestamp forgery through discrepancies between standard and file name attributes. The document provides a tutorial on setting up a case in Autopsy, importing evidence, and navigating the interface to extract timestamp metadata for analysis.

Uploaded by

Abdalla Salman

Hi guys. So, in this video, I'm going to do a little bit of an overview
of Timestomp, the practical in Immersive Labs, and talk generally about
how Timestomp and Autopsy work. So, each operating system has its own
implementation of the timestamping technique that we commonly see in
Windows. And this gives you precise metadata about the file actions, such
as when the file was created, or modified, or accessed, amongst other
things.

Now this information can be useful if you're looking to determine if
files have been accessed or modified as part of an attack or breach. For
example, if one of your system controls, such as your intrusion detection
system, detects that there's been a legitimate system access at, say, 12:14
yesterday, and you have file creation, access or modified dates at the
same time or around that time on that day, then it's likely that those
files may be part of an attack and will warrant further investigation of
those particular files. Now systems have something called a Master File
Table, which contains two sets of four timestamp values. Each of these
sets can store creation time, modification time, MFT modified time and last
access time.

Now, the first one of these sets is known as the standard information
file attributes. Now you'll see this in the lab as $STANDARD_INFORMATION.
And the others are file information attributes, which in the lab you'll
see as $FILE_NAME. Now $FILE_NAME or $STANDARD_INFORMATION is the name
that Windows uses for these attributes. The dollar sign just shows that
that's a hidden file. So, the difference between these two is that the
standard information file attributes are user modifiable, whereas file
information attributes are not. However, there are techniques that can be
employed to set file information attributes manually. One of these is to
simply copy a file from one destination to another folder, which will
then take on the same values as the standard information attributes.

Therefore, a bad actor can manually set standard information attributes,
copy the file to a new folder, and then manually change the standard
information attributes again. Some of these will be changed as the file is
moved. So, as a result of this process, the timestamps of a file can be
arbitrarily set by the attacker, and this can serve to make an
investigator's job more difficult, as it can disassociate files from a
particular attack. And this is what's known as timestomping. Let's start
in the lab here. Now, as this lab forms part of assessments for many
students, I'm not going to go individually through how you complete the
lab; we're just going to take a look at it in very general terms. So,
while this is loading, one of the tools that we're going to use as part of
this lab is Autopsy. Now Autopsy is a very, very common digital forensics
tool; it forms part of something called The Sleuth Kit. And this is a
collection of digital forensics utilities for Unix and Windows.

Now, this is completely open-sourced as a project, so you're welcome to
download and play with this as much as you like. Now Autopsy can analyse
most major file systems, such as NTFS, FAT, and so on, and it hashes all
the files, unpacking the archives and extracting any EXIF values, and
also putting keywords into an index. Some file types like standard email
formats or contact files are also parsed and catalogued. So, users of
Autopsy can search these index files for recent activity or create a
report in HTML or PDF that summarises important activity. When you're
working with this and time is short, you can activate triage features
that use rules to analyse the most important files first; Autopsy can
save a partial image of the files in VHD format. So, as you can see in
the lab, you can go to the Info tab and it does give you some general
high-level information about what timestomping is and also how
investigations and detection take place. And one of the things we're
going to do as part of this lab is look at one of the ways in which we
can detect timestomping.

So, in this lab, you are tasked with analysing the Stomp folder that's
located on the desktop, and this is located at
C:/Users/Administrator/Desktop/Stomp when you get into Autopsy. Now the
first thing that we can do is to just generally look at the file
properties of the files that are in this Stomp folder. So, if we open the
Stomp folder, any of these files that are in here, we can right-click on
them and go to Properties. And we can see some of the created, modified
and accessed dates here. But this doesn't give us the granular detail
that we're looking at as part of this lab. So, let's start Autopsy.

Now in the tasks that you have in this lab, it says that the case has
already been created. And that's the case that we're going to use as part
of Autopsy. But in order to help familiarise yourself with Autopsy, I'll
start by showing you how you would create a new case for something like
this. Give it a moment to load. Okay, so like I said, let's just start by
creating a new case, so you can see how this is done. So, the first thing
you do is set up a case name. So, we'll just do this as "demo" and select
Next. And then you'd set a case number, and I'll put myself as the
examiner, and you click Finish. Now all the information that we just set
up there, sort of examiner name and case number, will be incredibly
important in a forensic investigation in order to prove your chain of
custody.

Now, this is creating all of the back-end information required for a
case. But the next thing we need to do is to import the data that we're
going to be analysing. So, this is the screen used to add our data
source. Now this could be files or disk images that you've acquired
through the acquisition process. Autopsy supports four types of data
source. The first one is a disk image or VM file. Now this can be a file
or a set of files that's a byte-for-byte copy of a hard drive or other
form of media, or a virtual machine image. You then have your local disk;
now this is your local storage devices, so it could be things like USB
drives, your local drive, anything like that. You then have logical
files, and these are your local files and folders. And then you have an
unallocated space image file.

So, this is any type of file that doesn't contain a file system, but you
want to run it through the ingest. In this instance, we want to select
Logical Files, as we can see that these are local files that we are
looking to import. So, let's change that over and then click Next. So
here, we want to add the logical files by pressing this Add button. So,
if we go to Desktop, and then we want Stomp, select it, and then Next.
And we can just click through the screens. So now it's just analysing
those files.

Now although the analysis hasn't finished, we'll take a little look
at some of the things in here. So already, we can see that it's got a
JPEG there that it's pulled in. And if you click on Logical Files,
you can see that it's got Stomp there. And you can flick
through some of the information in this section.

So now that we've taken a look through how to set up a case, we'll just
close this case now. And we'll go to the case file that's specified in
this particular practical. So here, we're just going to open an existing
case, go to Cases, and then "new auto", which is what the lab has told us
is our case file.

Okay, so we can see in this case what they've analysed, a drive called C.
So, you've got the full C drive for this investigation, as opposed to
just the file system that we imported. So, this includes things like
email addresses, web bookmarks, recent documents that have been used by
the user, and so on and so forth. There's plenty of information there.
But what we want to do first is look at our data sources. So, if we
double-click on the C drive, you can see then that the menus have
expanded on the left here. And you can see here you've got the file
system, all set out and structured. So, what we want to do is go to Users
and expand that menu, and then Administrator, and we want Desktop,
because we know that's where the files are that we're looking for.

So here we see the folder that we were looking for, which is Stomp, and
you can see all of the contents of the Stomp folder. So, when we click on
these, you can get lots of information, and this will be shown in the
tabs in the bottom section here. So, you can see the hex, you can see any
strings that are contained in the file, and you can also see the file
metadata. Now if you scroll down on the file metadata, it does some
analysis from some Sleuth Kit tools. And this includes standard
information attributes, file name attributes, as well as, scroll up here,
the MFT entry header values. So, there's plenty of information that
should help you here fill out your lab. So, I hope this has been helpful.
If you have any questions at all, feel free to get in touch.
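The $STANDARD_INFORMATION versus $FILE_NAME comparison the transcript describes, as an added example that is not part of the original video, of Autopsy or of The Sleuth Kit: it takes the two timestamp sets in the form Autopsy's file metadata tab shows them (the sample values are constructed) and reports the discrepancies that point to a stomped $SI set. It goes one step beyond the transcript with a second heuristic, the zeroed sub-second fields that whole-second stomping tools leave behind.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class MftTimes:
    """The four timestamps held in one $MFT attribute ($SI or $FN)."""
    created: datetime
    modified: datetime
    mft_modified: datetime  # "MFT entry modified" in Autopsy's metadata tab
    accessed: datetime

    @classmethod
    def from_iso(cls, *stamps: str) -> MftTimes:
        """Build from four ISO-8601 strings in created/modified/MFT/accessed order."""
        return cls(*(datetime.fromisoformat(s) for s in stamps))


def timestomp_indicators(si: MftTimes, fn: MftTimes) -> list[str]:
    """Compare the user-settable $STANDARD_INFORMATION set against the
    $FILE_NAME set, which the normal file API does not expose for writing,
    and describe each discrepancy that suggests the $SI set was stomped."""
    indicators = []
    # $FN created is written when the entry is created on the volume, so an
    # $SI creation time that predates it is the classic back-dating sign.
    if si.created < fn.created:
        indicators.append("$SI created predates $FN created")
    # Heuristic beyond the transcript: NTFS keeps 100 ns resolution, and
    # stomping tools that accept whole seconds leave the three API-settable
    # $SI fields at .000000 while $FN retains the genuine fractions.
    settable = (si.created, si.modified, si.accessed)
    fn_all = (fn.created, fn.modified, fn.mft_modified, fn.accessed)
    if all(t.microsecond == 0 for t in settable) and any(t.microsecond for t in fn_all):
        indicators.append("$SI created/modified/accessed have zero sub-seconds, $FN does not")
    return indicators


# Constructed sample records in the shape Autopsy's file metadata tab shows.
REAL = "2021-03-04T12:14:05.118223"   # genuine creation time on this volume
FAKE = "2015-01-01T00:00:00"          # whole-second value an attacker chose
FN_RECORD = MftTimes.from_iso(REAL, REAL, REAL, REAL)
STOMPED_SI = MftTimes.from_iso(FAKE, FAKE, REAL, FAKE)  # MFT-modified is not API-settable
CLEAN_SI = MftTimes.from_iso(REAL, "2021-03-04T12:20:41.902417",
                             "2021-03-04T12:20:41.902417", REAL)

if __name__ == "__main__":
    for label, si in (("stomped", STOMPED_SI), ("clean", CLEAN_SI)):
        print(label, timestomp_indicators(si, FN_RECORD) or ["no indicators"])
```

Either indicator alone is grounds to pull the file into the investigation; neither proves tampering on its own, since a legitimate copy or a tool that writes full-precision timestamps can produce one of them.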