[sleuthkit-users] NTFS $FILE_NAME timeline?
From: Patrick F. <fo...@ch...> - 2006-02-22 08:11:45
Hi there. I have a question (and possibly a feature request for fls). I've been analyzing a couple of NTFS file systems where the MFT MAC-times haven't been enough to get a good timeline, whereas looking at the $FILE_NAME MAC-times has. Unfortunately I cannot find a way of generating a timeline for $FILE_NAME attributes, so I had to write a rather slow script using istat on every MFT entry. Is there another way, or possibly a chance of getting this functionality added to sleuthkit?

Below is the output from istat on a malware component that is hard to track through the usual fls timeline.

istat -f ntfs -o 63 -i raw PhysDrive.img 112501

MFT Entry Header Values:
Entry: 112501        Sequence: 16
$LogFile Sequence Number: 24867996464
Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 260
Original times:
Created:	Sat Feb 11 22:16:02 2006
File Modified:	Thu Jan 19 13:16:50 2006
MFT Modified:	Tue Feb 14 22:31:39 2006
Accessed:	Tue Feb 14 22:31:39 2006

$FILE_NAME Attribute Values:
Flags: Archive
Name: malware.exe
Parent MFT Entry: 9291 	Sequence: 9291
Allocated Size: 0   	Actual Size: 0
Original times:
Created:	Sat Feb 11 22:16:02 2006
File Modified:	Sat Feb 11 22:16:02 2006
MFT Modified:	Sat Feb 11 22:16:02 2006
Accessed:	Sat Feb 11 22:16:02 2006

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 90
Type: $DATA (128-3)   Name: $Data   Non-Resident   size: 596295
8839705 8839706 8839707 8839708 8839709 8839710 8839711 8839712
<DELETED BLOCK LIST>

Of all the times available for this particular entry, only $STANDARD_INFORMATION File Modified, MFT Modified and Accessed are reported in a fls timeline. By comparing my network logs with the times for $STANDARD_INFORMATION Created and $FILE_NAME Created, File Modified, MFT Modified and Accessed, I can deduce that the file was put on the system on Sat Feb 11 22:16:02 2006. But the MFT was for some reason modified on Tue Feb 14 22:31:39 2006. Either the malware itself modifies MFTs to thwart timeline analysis or some system tool is doing it, but the usual analysis of C-time is more or less worthless for this system and I have to resort to my "hack" of generating a timeline with the help of istat.

/Patrick
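As an added example (not from Patrick's post or from the Sleuth Kit itself), here is a Python version of the "hack" described above: it parses the istat output for one MFT entry and writes one mactime body line per timestamp set, suffixing the $FILE_NAME copy with "($FILE_NAME)", and it flags the pattern in the post where $STANDARD_INFORMATION was touched after every $FILE_NAME time. The TSK 3.x body-line format and the UTC interpretation of istat's printed times are assumptions of this example.

```python
import calendar, re, time
# Constructed sample: the istat output quoted in the post, trimmed to the lines parsed.
ISTAT_SAMPLE = """\
Entry: 112501        Sequence: 16
$STANDARD_INFORMATION Attribute Values:
Created:\tSat Feb 11 22:16:02 2006
File Modified:\tThu Jan 19 13:16:50 2006
MFT Modified:\tTue Feb 14 22:31:39 2006
Accessed:\tTue Feb 14 22:31:39 2006
$FILE_NAME Attribute Values:
Name: malware.exe
Created:\tSat Feb 11 22:16:02 2006
File Modified:\tSat Feb 11 22:16:02 2006
MFT Modified:\tSat Feb 11 22:16:02 2006
Accessed:\tSat Feb 11 22:16:02 2006
"""
TIME_FMT = "%a %b %d %H:%M:%S %Y"
TIME_KEYS = ("Created", "File Modified", "MFT Modified", "Accessed")
def to_epoch(text):
    # istat prints local time; treating it as UTC is an assumption of this example.
    return calendar.timegm(time.strptime(text.strip(), TIME_FMT))

def parse_istat(output):
    """Return (entry, name, {attribute: {time key: epoch}}) for the SI and FN attributes."""
    entry = int(re.search(r"^Entry:\s*(\d+)", output, re.M).group(1))
    name = re.search(r"^Name:\s*(.+)$", output, re.M).group(1).strip()
    times, attr = {}, None
    for line in output.splitlines():
        hdr = re.match(r"^(\$STANDARD_INFORMATION|\$FILE_NAME) Attribute", line)
        if hdr:
            attr = hdr.group(1)
            times[attr] = {}
        elif attr:
            ts = re.match(r"^(%s):\s*(.+)$" % "|".join(TIME_KEYS), line)
            if ts:
                times[attr][ts.group(1)] = to_epoch(ts.group(2))
    return entry, name, times

def si_changed_after_fn(times):
    """True when the SI MFT-modified time is later than every $FILE_NAME time (the post's case)."""
    return times["$STANDARD_INFORMATION"]["MFT Modified"] > max(times["$FILE_NAME"].values())

def body_lines(output):
    """One TSK body line per timestamp set: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime."""
    entry, name, times = parse_istat(output)
    out = []
    for attr, tag in (("$STANDARD_INFORMATION", ""), ("$FILE_NAME", " ($FILE_NAME)")):
        a, m, c, b = (times[attr][k] for k in ("Accessed", "File Modified", "MFT Modified", "Created"))
        out.append("0|%s%s|%d|r/rrwxrwxrwx|0|0|0|%d|%d|%d|%d" % (name, tag, entry, a, m, c, b))
    return out
```

Feeding the two lines into mactime puts the Feb 11 $FILE_NAME times on the timeline next to the later $STANDARD_INFORMATION ones, so the Feb 14 MFT change stands out instead of hiding the creation date.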