Insider Threat Matrix™

  • ID: AF003
  • Created: 25th May 2024
  • Updated: 27th July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Timestomping

A subject alters the modified, accessed, and created (MAC) timestamps of files to hide new files or obscure changes made to existing files. This hinders an investigation by moving the file or files outside the timeframe in scope.

nTimestomp is part of the nTimetools repository, which provides tools for working with file timestamps on the Windows operating system. The tool lets a user provide an argument for each timestamp, and has an option to set all timestamps to the same value.

Linux has the built-in command touch, which can update the access and modified dates of a file. The command can be run like this:

touch -a -m -d '10 February 2001 12:34' <file>

The argument -a refers to the access time, -m refers to the modify time, and -d refers to the date applied to the target file.
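
An added example (not part of the ITM page) of how such a change can be spotted afterwards on Linux: the kernel sets the inode change time (ctime) itself whenever timestamps are altered, so a backdated mtime with a zero nanosecond field stands out. The function names, threshold and sample files are assumptions made for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

NS = 1_000_000_000  # nanoseconds per second

def timestomp_indicators(path, min_gap_days=1):
    """Return the indicators seen on one file (Linux stat semantics)."""
    st = os.stat(path, follow_symlinks=False)
    found = []
    # A date given to touch -d without fractional seconds leaves the
    # nanosecond field at exactly zero.
    if st.st_mtime_ns % NS == 0:
        found.append("mtime has no sub-second component")
    # utimensat() cannot set ctime; the kernel stamps ctime with the current
    # time, so a backdated mtime ends up well before ctime.
    if st.st_ctime_ns - st.st_mtime_ns > min_gap_days * 86400 * NS:
        found.append("mtime is older than ctime")
    return found

def scan(root, min_gap_days=1):
    """Map path -> indicators for files that show both indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = timestomp_indicators(path, min_gap_days)
            # Archive extraction and cp -p also keep old mtimes, so treat
            # hits as leads to corroborate, not as proof.
            if len(found) == 2:
                hits[path] = found
    return hits

def demo():
    """Build a constructed test directory and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("normal.txt", "backdated.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample\n")
        old = int(datetime(2001, 2, 10, 12, 34, tzinfo=timezone.utc).timestamp())
        os.utime(os.path.join(root, "backdated.txt"), ns=(old * NS, old * NS))
        return sorted(os.path.basename(p) for p in scan(root))

if __name__ == "__main__":
    print(demo())
```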

Prevention

ID Name Description
PV015 Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

PV008 Enforce File Permissions

File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have configured permissions to restrict unauthorized access to directories or specific files.

Detection

ID Name Description
DT037 auditd File Access

Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.

Below is an example auditd rule to detect file access:

sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:

-w /path/to/directory -p war -k file_access

-w specifies the file or directory to monitor

-p specifies the permissions to monitor (write, attribute change, read)

-k specifies the key to help identify the rule

To review audit logs related to this rule, we can use ausearch (ausearch -k file_access) or read and retrieve lines from the raw audit logs with grep (sudo grep file_access /var/log/audit/audit.log).

DT030 auditd Timestamp Modification Rule

Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.

Below is an example auditd rule to detect timestamp modification:

sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:

-a always,exit -F arch=b64 -S utimensat -F key=timestamp-changed

-a Add a rule to the audit system

always,exit Apply this rule to both the entry and exit points of the system call. It means that audit records will be generated both when the system call starts and when it ends

-F arch=b64 Filter condition. Specifies that this rule applies to 64-bit architecture (this can be replaced with -F arch=b32)

-S utimensat Specifies the utimensat system call to be audited

-F key=timestamp-changed Adds a key to the rule for easier identification in the logs

To review audit logs related to this rule, we can use ausearch (ausearch -k timestamp-changed) or read and retrieve lines from the raw audit logs with grep (sudo grep timestamp-changed /var/log/audit/audit.log).
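
An added example (not from the ITM page) of turning the raw records this rule produces into one line of evidence per event: it groups SYSCALL, CWD and PATH records by audit event ID and keeps those carrying the timestamp-changed key. The log lines are constructed for illustration, and the function name is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample in raw audit.log format (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1721990000.123:4242): arch=c000003e syscall=280 success=yes exit=0 items=1 ppid=2100 pid=2155 auid=1001 uid=1001 comm="touch" exe="/usr/bin/touch" key="timestamp-changed"
type=CWD msg=audit(1721990000.123:4242): cwd="/home/alice/projects"
type=PATH msg=audit(1721990000.123:4242): item=0 name="export.zip" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1721990050.500:4250): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=2160 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="file_access"
type=PATH msg=audit(1721990050.500:4250): item=0 name="/etc/hosts" inode=77 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def timestamp_change_events(log_text, key="timestamp-changed"):
    """Correlate audit records by event ID and return events tagged with key."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        when = datetime.fromtimestamp(int(epoch), timezone.utc)
        ev = events.setdefault((epoch, serial), {"time": when, "paths": []})
        if rtype == "SYSCALL":
            # auid is the login UID, which survives su/sudo, so it ties the
            # change back to the account that originally logged in.
            ev.update(key=fields.get("key"), auid=fields.get("auid"),
                      exe=fields.get("exe"))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return [e for e in events.values() if e.get("key") == key]

if __name__ == "__main__":
    for e in timestamp_change_events(SAMPLE_LOG):
        print(e["time"].isoformat(), "auid=" + e["auid"], e["exe"],
              e.get("cwd"), e["paths"])
```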

DT093 MFT and Shimcache Executable Timestamp Comparison

By extracting and comparing timestamps from MFT and Shimcache, it is possible to identify inconsistencies that could represent timestomping in relation to executable files.

The Application Compatibility Cache (referred to as Shimcache) records a value for the Last Modified Time when an executable file is last run. The Master File Table (MFT) contains information about every file and directory on an NTFS volume. Each file or directory is represented by an MFT entry, which stores metadata about the file, including modified, accessed, and created timestamps.

If the Shimcache timestamp indicates a file was run at a certain time but the MFT shows a different or much later modification timestamp, this would be considered unexpected.

DT091 MFT Entry Number Sequence Irregularities

MFT Entry Number Sequence Irregularities refer to inconsistencies where the sequential order of Master File Table (MFT) entries in an NTFS file system does not align with the chronological order of file timestamps. Such irregularities can indicate potential file manipulation or tampering, such as timestomping, where timestamps are altered to obscure the true timeline of file creation or modification.

DT092 MFT Unusual Timestamp Patterns

If multiple files have suspiciously aligned creation or modification times or identical timestamps but different entry numbers, this might indicate that the timestamps were manually set to specific values rather than being naturally generated by the system.

DT013 NTFS Timestamp Discrepancy

NTFS timestamps have a precision of 100 nanoseconds. A file timestamp such as 2023-10-10 10:10:00.000:0000 is therefore highly unlikely to occur naturally.

This may represent an anti-forensics technique where the subject has conducted timestomping to hide new files or obscure changes made to existing files.
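
An added example (not from the ITM page) covering this check and the identical-timestamp pattern described under DT092: it takes creation times as raw NTFS FILETIME values (100-nanosecond ticks since 1601-01-01 UTC) and flags zero sub-second values and timestamps shared by several MFT entries. The records, entry numbers and paths are constructed, and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_text(ft):
    """Render a FILETIME with all seven sub-second digits."""
    whole, frac = divmod(ft, TICKS_PER_SECOND)
    dt = EPOCH_1601 + timedelta(seconds=whole)
    return f"{dt:%Y-%m-%d %H:%M:%S}.{frac:07d}"

def to_filetime(y, mo, d, h, mi, s, ticks=0):
    """Helper used only to build the constructed sample records."""
    delta = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + ticks

# Constructed sample: (MFT entry number, path, created time as FILETIME)
RECORDS = [
    (48211, r"C:\Users\jdoe\Documents\budget.xlsx", to_filetime(2023, 10, 9, 14, 22, 51, 4417263)),
    (90412, r"C:\Users\jdoe\Documents\tool.exe", to_filetime(2023, 10, 10, 10, 10, 0)),
    (90413, r"C:\Users\jdoe\Documents\notes.txt", to_filetime(2023, 10, 10, 10, 10, 0)),
    (90420, r"C:\Users\jdoe\Documents\archive.7z", to_filetime(2023, 10, 10, 10, 10, 0)),
    (51877, r"C:\Users\jdoe\Documents\plan.docx", to_filetime(2023, 10, 11, 9, 3, 17, 9021188)),
]

def flag_records(records, cluster_size=2):
    """Return path -> (timestamp text, reasons) for suspicious records."""
    entries_by_time = defaultdict(set)
    for entry, _path, ft in records:
        entries_by_time[ft].add(entry)
    findings = {}
    for _entry, path, ft in records:
        reasons = []
        if ft % TICKS_PER_SECOND == 0:  # DT013: no sub-second component
            reasons.append("zero sub-second value")
        shared = len(entries_by_time[ft])
        if shared >= cluster_size:      # DT092: same time, different entries
            reasons.append(f"timestamp shared by {shared} entries")
        if reasons:
            findings[path] = (filetime_to_text(ft), reasons)
    return findings

if __name__ == "__main__":
    for path, (when, reasons) in flag_records(RECORDS).items():
        print(when, path, "; ".join(reasons))
```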

DT036 Windows Jump Lists

Windows Jump Lists are a feature that provides quick access to recently or frequently used files.

DT026 Windows LNK Files

LNK files or Shortcut files are stored in the location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Items and have the “.lnk” file extension.

These files are automatically created when a user account accesses a file through Windows Explorer.

This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path.

DT027 Windows Prefetch

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information about an application on its first run, which is stored for later reference in c:\windows\prefetch. These files are created with the extension .pf and have the format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.