Timestamps


Last updated 1 year ago

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on artefacts.help.

NTFS $STANDARD_INFORMATION & $FILENAME MACB timestamps

On NTFS filesystems, each file possesses (at least) two attributes that hold, among other information, Modification, Access, Change and Birth (MACB) timestamps:

  • $STANDARD_INFORMATION

  • $FILENAME

The impact of a number of operations on each timestamp of the $STANDARD_INFORMATION and $FILENAME attributes is detailed in SANS's Windows Time Rules poster. Globally, the following points should be noted:

  • $FILENAME MACB timestamps are updated on file creation / copy / volume move with the date of the operation itself, but are not reliably updated on regular file operations (access, modification, rename, deletion). However, as the $FILENAME MAB timestamps are updated / copied from the $STANDARD_INFORMATION MAB timestamps on file rename or volume-local file move, they are prone to false negatives: by timestomping the $STANDARD_INFORMATION timestamps and then renaming or moving the file, the $FILENAME timestamps are indirectly timestomped as well.

  • On file copy (between two NTFS partitions), the $STANDARD_INFORMATION MC timestamps are inherited from the original file, but the $STANDARD_INFORMATION AB timestamps (and the $FILENAME MACB timestamps) are those of the copy itself.

  • On local file moves (within the same NTFS partition), the $STANDARD_INFORMATION C and $FILENAME C timestamps are updated with the timestamp of the move. On file moves between NTFS partitions, the $STANDARD_INFORMATION AC timestamps are updated, also with the timestamp of the move.

  • The update of the $STANDARD_INFORMATION A timestamp is unreliable and depends on the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate registry key. The following values may be encountered:

    • 0 (default on Windows XP), 80000000 (User managed) and 80000002 (System managed) mean that last access updates are enabled. Starting from Windows Redstone 4 (build 1803 of 04/2018), last access updates seem to be enabled (back) by default if the system partition size is at most 128 GiB. Starting from Windows 10 20H1 (build 18970 of 05/2020), last access updates seem to be enabled by default regardless of the system partition size.

    • 1 (default from Windows Vista to early Windows 10 versions), 80000001 (User managed) and 80000003 mean that last access updates are disabled.

Depending on the length of its filename, a given file may have one or two $FILENAME attributes:

  • A file with a short name has a single $FILENAME attribute.

  • A file with a long name is associated with two $FILENAME attributes, one for the long file name and a second for the MS-DOS-compatible short file name (FILENA~1.TXT for example).

Additionally, another $FILENAME attribute can be found for each file in the directory index of its parent directory. Indeed, directories are stored on NTFS partitions as B+ tree data structures whose keys, representing files and subdirectories, are stored as $FILENAME attributes. MACB timestamps for each file and subdirectory of a given directory can thus also be found in the directory index. Directory indexes are stored in NTFS index attributes, also known as INDX files and named $I30 on disk.

A given file may thus be associated with either:

  • 12 timestamps: $STANDARD_INFORMATION + $FILENAME + NTFS $I30's $FILENAME.

  • 20 timestamps: $STANDARD_INFORMATION + 2 * $FILENAME + 2 * NTFS $I30's $FILENAME (files with a long name carry duplicated timestamps).
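
As an added example (not code from the original page), the following Python parses the $STANDARD_INFORMATION and $FILENAME MACB timestamps out of a raw MFT record and applies the rule above: $FILENAME B is set on creation / copy and otherwise only copied from $STANDARD_INFORMATION, so a $STANDARD_INFORMATION B older than the $FILENAME B cannot result from normal file operations. The MFT record is a constructed minimal sample, the function names are my own, and the sub-second check is an added heuristic that the page does not describe.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch; one unit is 100 ns

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_record(rec):
    """Walk the resident attributes of one MFT record; return (M, A, C, B) FILETIMEs per $SI / $FN."""
    assert rec[:4] == b"FILE"
    off = struct.unpack_from("<H", rec, 0x14)[0]  # offset of the first attribute
    out = {"SI": [], "FN": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker
            break
        if rec[off + 8] == 0 and atype in (0x10, 0x30):  # resident $STANDARD_INFORMATION / $FILENAME
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            # $SI holds B, M, C, A from offset 0; $FN holds the parent reference first, then B, M, C, A
            b, m, c, a = struct.unpack_from("<4Q", body, 0 if atype == 0x10 else 8)
            out["SI" if atype == 0x10 else "FN"].append((m, a, c, b))
        off += alen
    return out

def check_timestomping(rec):
    """$FN B is set on creation/copy and otherwise only copied from $SI: an older $SI B means a backdated $SI."""
    ts = parse_record(rec)
    si_m, si_a, _, si_b = ts["SI"][0]
    findings = ["SI B earlier than FN B" for fn in ts["FN"] if si_b < fn[3]]
    # Added heuristic (not from the page): API-level timestomping usually writes whole seconds to the
    # three user-settable $SI timestamps (M, A, B), leaving their 100 ns fraction at zero.
    if all(t % 10_000_000 == 0 for t in (si_m, si_a, si_b)):
        findings.append("SI M/A/B have a zero sub-second fraction")
    return findings

def build_record(si, fn, name="FILE.TXT"):
    """Constructed sample: minimal MFT record with one resident $SI and one resident $FN, both (M, A, C, B)."""
    def attr(atype, body):
        body += b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHH", atype, 0x18 + len(body), 0, 0, 0x18, 0, 0, len(body), 0x18, 0) + body
    si_body = struct.pack("<4Q", si[3], si[0], si[2], si[1]) + b"\0" * 16
    fn_body = struct.pack("<5Q", 5, fn[3], fn[0], fn[2], fn[1]) + b"\0" * 24 + bytes([len(name), 1]) + name.encode("utf-16-le")
    header = (b"FILE" + b"\0" * 16 + struct.pack("<H", 0x38)).ljust(0x38, b"\0")
    return header + attr(0x10, si_body) + attr(0x30, fn_body) + struct.pack("<II", 0xFFFFFFFF, 0)

# Constructed samples: a file created then modified ten minutes later, and the same file after its $SI
# was stomped back to 2010-01-01 00:00:00 ($FN untouched; $SI C left at the edit time).
BORN = dt_to_filetime(datetime(2023, 3, 14, 9, 26, 53, 589793, tzinfo=timezone.utc))
EDIT = BORN + 600 * 10_000_000
OLD = dt_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))
CLEAN = build_record(si=(EDIT, EDIT, EDIT, BORN), fn=(BORN, BORN, BORN, BORN))
STOMPED = build_record(si=(OLD, OLD, EDIT, OLD), fn=(BORN, BORN, BORN, BORN))
```

Real records also carry a fixup array and further fields that the constructed sample omits; a production parser must apply the fixups before reading attribute bodies.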

Registry last write timestamps

The last write / modified timestamp of a registry key corresponds to the last time a write operation occurred on the key. Multiple types of write operations may trigger an update of the key's last write / modified timestamp:

  • Addition / modification / deletion of one (or multiple) values under the key.

  • Addition / deletion of a sub-key under the key.

  • Change in the security descriptor (including Access Control List (ACL)) of the key.

The last write / modified timestamp of a registry key is the only generic timestamp available regarding registry keys.

Convert UNIX time to human readable format

Timestamps in Windows are often stored as UNIX time: a 32-bit value containing the number of seconds elapsed since 1/1/1970.

Note that Active Directory generally stores the time values of objects (held in each object's attributes) in Greenwich Mean Time (GMT).

The following one-liner can be used to convert a UNIX time to a human-readable format:

# Display both the time in GMT and in the local time zone of the system.
w32tm.exe /ntte <UNIX_TIMESTAMP>

References

https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download

https://forensicswiki.xyz/wiki/index.php?title=MAC_times

https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/amp/
