Saturday, July 04, 2009

The Case of the Missing MFT Entry

A bit ago, I received an email from someone mentioning the following facts with respect to an examination they were doing:

- Malware was suspected as having been running at one point on a Windows XP SP2 system
- A Prefetch file was found the related directly to the malware
- AV logs indicated that the malware had been deleted
- An XP Restore Point included an INI specific to the malware
- Between the time that the malware had been deleted and the system imaged, 8 Restore Points were created

Given these facts, the question was...why does there appear to be no MFT entry for the malware file?

I responded with my answer...I want to know what YOU think.

11 comments:

Anonymous said...

Perhaps, with the efficiency and rapid reuse of records in the $MFT, that record was overwritten with a new entry.

neofito said...

A disk defragmentation process?

Anonymous said...

Maybe a FAT filesystem? (just kidding :-)

What about if there's an entry left at a NTFS index record?

Anonymous said...

Seems likely that the MFT record was reused for a subsequent entry, overwriting the original content.

Anonymous said...

After removal of malware by AV, $MFT record was marked as "free". Eight restore points is quite a long time, so probably $MFT entry was reused.

JimmyWeg said...

The question is limited to the reason for the missing file record. By that, let's assume that you're asking about the record for only one file: malware.exe. If the exe was on the system, there would have been an MFT record, which would have been made free by the deletion of the exe. Hence, the other comments about the record being reused are valid possibilities.

Could the exe have been run from from other media or outside of the system? There would be no MFT record. However, I don't recall the rule on Prefetch files viz a viz externally run programs. If the exe was run ex-the system, perhaps it spawned other applications with config files, hence the ini file. I'm also assuming that the Prefetch file identified malware.exe.

The creation of eight restore points may not have affected the MFT record any more than the average use of the system. They could have been created, for example, over a few days. I don't think that we have enough info to go much further, and you may not have had much more, yourself.

Looking for artifacts of malware.exe. is another exercise. All kinds of searches could be employed, including a review of $LogFile for a deletion record, extracting MFT fragments, index records, etc. I'd also run malware.exe. in a VM with stuff like Process Explorer running, and maybe test it with the AV tool in use.

Snail said...

I am expecting to be shot down in flames for this response but I reckon a possibility is that the MFT record doesn't exist because the malware.exe was never present on the system.
My theory would require further details and examination but my hypothesis is this.
Malware is often installed by a compressed executable.
As the installer executes it starts to write files into prefetch and other areas but further execution is halted when the anti-virus finds and deletes the offending payload.
You thus have the situation where the malware is only partially installed and hence no entry in the MFT for the executable as it was never installed.
In effect the malware was never operational on the system.

Wanderer said...

Hi Harlan,

My understanding of the MFT is it contains (either internally or internally and externally) all files on an NTFS system. If the malware program were “on” the system and run from there, it would have an MFT entry. If it were run from an external drive, it would simply be running on the machine, and as I understand it, not have a MFT entry. The Prefetch would capture any program run on the system, even if it were on a removable drive when executed. AV logs would naturally indicate the malware was detected and deleted. Further, if at the same time, for whatever reason, an XP restore point was being created, it could (I think) easily contain the INI related to the malware.

Either that, or there was an MFT entry created for the malware, but due to the time between its installation and the system being imaged (8 restore points being created – at least 8 days if normal XP 24 hour restore points). The restore points are kept for (I think) 90 days and then deleted (the system created ones), but user-created ones last longer, perhaps indefinitely. But the MFT contents are dynamic – if a file is deleted, the MFT entry is marked for deletion. I remember hearing once that the MFT contents are short-lived if files are deleted, probably because everything is a file and there’s only so much space available in the MFT.

Thanks.

Fred

Wanderer said...

Hi Harlan,

Please share your comments on this subject with us. Thanks,

Fred

Anonymous said...

I think Harlan has forgotten this thread :-(

Keydet89 said...

Anonymous...not at all.

I think that it could be one or more of the above listed issues. First, the person who told me about this never extracted the executable image file path from the Prefetch file, so the file could have been on another medium or drive.

On the surface, though, it seems pretty clear that perhaps the simplest explanation is that the MFT entry was reused.

HTH, and thanks to everyone who responded...