5 replies to this topic

[KingKrool]

This may not come under a usual exploit within a code, but I guess a possible ignorance of design . Much has been done by Metasploit team for their anti-forensics project , which includes a utility Timestomp to change NTFS MACE (Modified, Accessed, Created and MFT Entry modified ) values . NTFS comes with 8 time-stamp values 4 of which resides in $Standard_Information attribute (SI) and the other 4 in $FILE_NAME (FN) attribute of MFT entry. Timestomp using NTSetInformationFile() was able to completely modify all the 4 MACE values of SI attribute , but wasn't able to modify FN MACE values which Windows internally does when it creates or moves a file. FN MACE is the only point which is useful to track any intentional changes to timestamps . I don't think Microsoft has exposed the API call which is used to modify FN values to the user community.

An overview of Timestomp and Metasploit anti-forensics project is available at http://www.blackhat....-liu-update.pdf

However there still exists an indirect way by which FN MACE values can be modified, further frustrating any sort of forensics on NTFS timestamps. I have posted my findings on NTFS ForensicsWiki , here is an illustration of it.

My findings are concerned with Windows XP SP2 and here is an illustration of those findings.

1) Created c:\test.txt file



2) Changed timestamps using Timestomp

timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM"
timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"



Standard Information time values are changed.


3) Moved that file to some other folder c:\argument\test.txt , but in same partition



$STANDARD_INFORMATION values are copied to $FN MACE values


4) update accessed and modified of $STANDARD_INFORMATION

timestomp.exe c:\argument\test.txt -m "Saturday 10/08/2005 2:02:02 PM"
timestomp.exe c:\argument\test.txt -a "Saturday 10/08/2005 2:02:02 PM"



All 8 MACE values are changed . Moreover this is a move operation , no new MFT is allocated but the original MFT is overwritten with new MACE values. There is no way of detecting except getting information from LogFile in NTFS , if this sort of tampering is performed with files.

Is there any need to change the Creation time, present in FN attribute when a file is moved ?? I don't find a valid reason why this type of flow is allowed when moving a file. It may be design flaw or might be done intentionally. It just prohibits forensics..

What is your say??

[Edu]

I would dare to say this is done intentionally, regarding the security aspect of the file system. but I may be wrong though...

let me take the time to ask you something. Is there a way to preserve NTFS data streams in files over the HTTP or FTP protocol and then when programs download the file, the stream is there intact ?

I have been doing some tests and IE for example preserves some files streams but not when the file is retrieved from an http/ftp location. thks in advance.

[KingKrool]

Hey...sorry for getting late, was a bit busy in my work.

If I am not wrong , I guess you are asking about NTFS hidden streams which are actually attribute of an MFT entry of a file. Let me make somethings clear:

There are some attributes which are intended to change as the file is downloaded from remote location, some of them are

1) $STANDARD_INFORMATION - contains timestamps and security identifier ( Security Identifier should be used from the local system to which fie is copied)
2) $FILE_NAME - Contains file name and MACE values + reference to parent directory - intended to change or new created
3) $SECURITY_ DESCRIPTOR - again will be modified on the new downloaded file.
4) $SECURITY_ DESCRIPTOR - this have to change
5) $INDEX_ROOT - again have to change if the MFT entry pertains to a folder

I guess the $DATA attribute of a file needs to be preserved and is the only thing which can be important for user, I have seen that additional data streams
(ADS )are not saved by browser on FTP protocol. If there is an ADS stream that is not transferred by the protocol, instead for every additional data stream a "Zone Identifier" is added not the actual content of ADS stream.

However coming back to your question , yes they can be preserved as far as I think. The only way I can think of is mandate your FTP server to read all those streams and send them with a delimiter to the client. The client should interpret all the streams and recreate on the client.

The point here is , Windows itself does not allow a user to see all the hidden streams, an FTP server if using windows API for getting a file, will not be able to get all those streams. The protocol I guess has a very little role to play here (either HTTP or FTP). It all depends on the way the server gets/interprets an MFT entry and forwards whatever it sees to client.

Let me know if I addressed your question.

[Edu]

no prob for delay man...u just took a day lol

thank u very much for the detailed description mate...yeah you addressed it well, but as u said this could be done if I mandated the server to read all the streams and send them with a delimiter to the client they could be re-created...so here´s the question, how could I do this ?

I want to test some security related stuff regarding NTFS alternate data streams (I dont mean the $security_descriptor of the file, but issues involving streams) if u know of methods or programs that can be done/used to accomplish this let me know, either here or via PM, what u prefer.

for example I put an arbitrary stream on a file and name it let´s say abcd and put html code inside. Then I access the webpage with IE and it interprets the stream correctly and parse the html code as expected, thing is I wanted to find out a way to make it get downloaded along with the file somehow, over the ftp or http protocol.

thanks in advance.

[alessandrocolangeli]

Please, who can help me ?
Where can i download "timestomp.exe" ?

Thanks

[DrHEX]

Hello there. Not exactly what you asked for but an alternative with added features; http://reboot.pro/fi...ile/91-setmace/