Comments on Windows Incident Response: File system ops, effects on MFT records
(comment feed, last updated 2024-03-19T07:46:20.437-05:00; 8 comments, newest first)

B!n@ry (https://twitter.com/binaryz0ne), 2014-08-24T15:53:52.842-05:00:

Oh, don't remind me about that! Once I showed undergrads how to interpret each packet in Wireshark based on the hex values; most were shocked and afraid of all that two-nibble stuff and endian madness! I agree with you on this.

Honestly, I've never taught DF to undergraduates, only grads, and they too feel it's too much, especially with all those attributes and FS artifacts out there, even though some have a decent background. Anyway, I'll try to present these tests to them just the way you did, and then see if they can do it on their own.

Thanks for these posts, they're priceless IMHO.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2014-08-24T07:08:44.176-05:00:

I completely agree...but what would have to happen is that the students would need to be provided with a tool that displays this information.

I know that some practitioners firmly believe that everyone should start with a hex editor...but honestly, when you're talking about entry or undergrad level courses, what you do NOT want to do is set the academic bar so high that it's akin to hazing. Show them what's there, what it means, how to interpret it...then make the "put away your dongle and get out your hex editor..." the graduate level course.

B!n@ry (https://twitter.com/binaryz0ne), 2014-08-22T19:52:28.036-05:00:

Never had the time to read this post until now, but as they say, "better late than never"!

Such a post could easily be given as a practical lab for students studying FS forensics, and let them touch the true diff about what happens with each action. Other tests could be added for sure, and checked too.

Thanks Harlan.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2014-07-23T13:09:41.260-05:00:

@Anonymous...

<i>There are some operations (e.g. some related to file encryption) that create and delete a temporary file in the directory of the compressed file.</i>

Can you elaborate on that, particularly with regard to how the use of file encryption would be accompanied by a compressed file?

Thanks.

Anonymous, 2014-07-23T13:01:11.430-05:00:

In general: keep an eye out for additional MFT changes. There are some operations (e.g. some related to file encryption) that create and delete a temporary file in the directory of the compressed file.

There may also be some value in tracing the actual system calls performed by the DOS commands: does 'rename' translate straight to a Win32 API 'MoveFile', or are there any additional calls being done? This would help relate the results to applications in general.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2014-07-23T08:47:16.088-05:00:

@Bugbear - thanks.

@Corey - you're exactly right, and I completely agree. I wanted to do this from a 'raw' perspective, not using any commercial tools, so that I could get right to the details of what was happening. Speaking of details, I also wanted to get more of a look at the MFT record details, identifying changes other than just the time stamps.

<i>...there needs to be more of these types of articles...</i>

I'm 100% in agreement with you!

Corey Harrell (http://journeyintoir.blogspot.com/), 2014-07-23T07:36:34.633-05:00:

Excellent write-up; especially the way you laid out your tests, explained what you did, and documented the results. I think there needs to be more of these types of articles, where various activities are explored to see what traces they leave in different artifacts, since it can help explain the data you see on a case.

Bugbear (https://www.blogger.com/profile/10565968178084674394), 2014-07-23T04:56:26.543-05:00:

Hey Harlan

Per the "Security_change" reason code in the USN change journal during the file move op: I suspect that the file inherited the NTFS perms from the new location?

Just an educated guess.

Interesting tidbit on the file system tunneling in the MFT.

Thanks for the great post.

~Bugbear