challenge link: download
sha256 checksum: 75e403f41988cce532912fc09f6f2636ee215647ceaac7f05c84c1d77d2b5a95
filename: Easy - Time Machine.rar
objective: Identify time stomping
The “Time Machine” challenge showcases the Master File Table (MFT). The MFT is a file system artifact specific to NTFS: it is the central index of an NTFS volume, and every file and directory on the volume has at least one MFT record. The NT File System (NTFS) is the default file system on modern Windows. It is simply the structure by which the Windows operating system stores and retrieves files. File system artifacts vary with the file system in use: Windows primarily uses NTFS, macOS uses the Apple File System (APFS), and many Linux systems use a member of the ext family (ext2, ext3, ext4).
File system artifacts can be very useful when investigating attacker activity. Not only do they record important metadata about each file, such as its timestamps (created, modified, MFT record changed, accessed), but a small file's content can live entirely inside its MFT record: NTFS keeps the $DATA attribute resident in the 1,024-byte record when the data fits (roughly the first 700 bytes, depending on what else the record holds). This can be particularly useful for recovering file contents (think staged data, or malware configurations and scripts) when the file has been deleted but its MFT record has not yet been reused.
In this challenge we have to identify time-stomping activity on the user's desktop (the IOC data below gives the full path and file name). Eric Zimmerman's MFTExplorer does the job nicely; MFTECmd will parse the same $MFT to CSV if you prefer to filter in bulk.
For a good explanation of how to identify time stomping within the MFT, check out the az4n6 post on the subject. The short version: each MFT record carries two sets of timestamps, one in the $STANDARD_INFORMATION (0x10) attribute and one in $FILE_NAME (0x30). Any user-mode tool can rewrite the $STANDARD_INFORMATION timestamps through SetFileTime, but the $FILE_NAME timestamps are only written by the kernel. So a $STANDARD_INFORMATION timestamp that is earlier than its $FILE_NAME counterpart, or one whose 100-nanosecond fraction is exactly zero (stomping tools usually supply whole seconds), is the classic tell. Both tells have benign causes too: files copied from FAT media or extracted from archives can carry zero fractions, and $FILE_NAME timestamps are refreshed on some renames and moves, so confirm against the rest of the timeline before calling it.
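The two checks described above, as an added worked example that is not part of the original write-up or of MFTExplorer/MFTECmd. It runs over a constructed, MFTECmd-style CSV excerpt embedded in the script; the column names (Created0x10, Created0x30, LastModified0x10, LastModified0x30, ParentPath, FileName) follow MFTECmd's CSV output as I know it and are an assumption to verify against your own version. The parser also accepts the "ss:fffffff" fraction spelling used in the IOC block below, since that is how the challenge value is written.

```python
"""Flag likely time-stomped records in MFTECmd-style CSV output.

Heuristics (see the az4n6 write-up):
  1. A $STANDARD_INFORMATION (0x10) timestamp earlier than the matching
     $FILE_NAME (0x30) timestamp. Only the kernel writes 0x30, so 0x10 < 0x30
     means something rewrote 0x10 after the fact.
  2. A 0x10 timestamp whose 100-ns fraction is exactly zero. SetFileTime-style
     stomping normally supplies whole seconds.
"""
import csv
import io
import re
from datetime import datetime

# Column names as emitted by MFTECmd --csv. ASSUMPTION: check your version.
SI_FN_PAIRS = [
    ("Created0x10", "Created0x30"),
    ("LastModified0x10", "LastModified0x30"),
]
SI_FRACTION_COLS = ["Created0x10", "LastModified0x10"]

# Accepts "YYYY-MM-DD HH:MM:SS.fffffff" and the "SS:fffffff" spelling too.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:[.:](\d{1,7}))?$")

# Constructed sample, not real challenge data. Mod-File.txt has 0x10 times
# pushed back to 2019 with zero fractions; notes.txt is an untouched file whose
# 0x10 modified time is later than 0x30, which is normal (0x30 is not updated
# on ordinary content writes).
SAMPLE_CSV = r"""EntryNumber,InUse,ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30,LastRecordChange0x10
40123,True,.\Users\DFIR\Desktop,Mod-File.txt,2019-01-01 01:01:01.0000000,2021-03-04 10:22:13.4412120,2019-01-01 01:01:01.0000000,2021-03-04 10:22:13.4412120,2021-03-04 10:25:40.1182011
40124,True,.\Users\DFIR\Desktop,notes.txt,2021-03-04 10:30:02.5510034,2021-03-04 10:30:02.5510034,2021-03-05 08:11:47.0093251,2021-03-04 10:30:02.5510034,2021-03-05 08:11:47.0093251
"""


def parse_ts(value):
    """Return (datetime, fraction_as_int) or (None, None) for an empty cell.

    strptime only understands six fractional digits, so the 100-ns fraction is
    split off with a regex and kept as an integer for the zero-fraction check.
    """
    if not value:
        return None, None
    m = _TS_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac = m.groups()
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S"), int(frac or "0")


def find_stomped(csv_text):
    """Return [(full_path, [reason, ...])] for every record that trips a check."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        for si_col, fn_col in SI_FN_PAIRS:
            si, _ = parse_ts(row.get(si_col))
            fn, _ = parse_ts(row.get(fn_col))
            if si and fn and si < fn:
                reasons.append(f"{si_col} {si} earlier than {fn_col} {fn}")
        zero_frac = [
            c for c in SI_FRACTION_COLS if row.get(c) and parse_ts(row[c])[1] == 0
        ]
        if zero_frac:
            reasons.append("zero 100-ns fraction in " + ", ".join(zero_frac))
        if reasons:
            hits.append((row["ParentPath"] + "\\" + row["FileName"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_stomped(SAMPLE_CSV):
        print(path)
        for r in reasons:
            print("   ", r)
```

To run this against a real image, point `find_stomped` at the text of the CSV produced by `MFTECmd.exe -f C:\path\to\$MFT --csv outdir`. The LastRecordChange0x10 column is deliberately left out of the checks: SetFileTime cannot set it, so on a stomped file it is usually later than the stomped timestamps, which is a useful confirmation to eyeball but too noisy to alert on by itself.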
Challenge IOC Data
name = "MFT"
description = "IR Challenge 1 timestomped file"
parser = "MFTExplorer, MFTECmd"
reference = "https://f001.backblazeb2.com/file/EricZimmermanTools/MFTExplorer.zip"
AND
MFT.Record.Path = "C:\Users\DFIR\Desktop"
MFT.Record.Name = "Mod-File.txt"
MFT.Record.SIModifiedOn = "2019-01-01 01:01:01:0000000"