3.4 - Extracting and analysing NTFS Filesystem

3.4 - Extracting and analysing NTFS Filesystem #

Obtaining the MFT #

FTK Imager #

  1. As before, open FTK Imager and add your evidence item.
  2. Click on the expand + symbol to the left of the evidence item. Do this again until you see the root directory and its contents.
  3. There is one $MFT file in the root of each volume (partition). In this case its just for the C: drive.

Parsing the MFT with EZTools #

  1. Open a PowerShell window as an Administrator
  2. Cd to :\EZTools\Get-ZimmermanTools\ (or the location you downloaded them to).
  3. We will use the tool called “MFTECmd.exe” to parse the MFT and create a csv of the output we can read.
PS F:\EZTools\Get-ZimmermanTools> .\MFTECmd.exe -f "D:\`$MFT" --csv F:\MUS2019CTF\Exported\ --csvf MUS-CTF-19-DESKTOP-001-002.csv
  1. You should now have a csv file ready for review.
  2. You can review in Timeline Explorer.

What is the name of the file associated with MFT entry number 102698? #

  1. Column A of your spreadsheet should have the header “EntryNumber”.
  2. Select the down arrow for the filter menu.
  3. Type in 102698 and click OK.
  4. The one line left will be the file you are after.

There is a column called Created0x10 and another called Created0x30. You will notice that there are two dates for LastModified, LastRecordChange and LastAccess as well. Why is that?

[!NOTE] Flag: TeamViewer_Setup.exe  

What is the MFT sequence number associated with the file “\Users\Administrator\Desktop\FTK_Imager_Lite_3.1.1\FTK Imager.exe”? #

  1. Clear the filter from the EntryNumber column.
  2. Filter on Column G for the filename.
  3. We’ll see the SequenceNumber is 4.

[!NOTE] Flag: 4

What is the file name that represented MFT entry 60725 with a sequence number of 10? #

  1. Clear the filter from EntryNumber
  2. Now when we filter on 60725 we get the SequenceNumber 15. But we want 10.

So we need to go and look at the USNJrnl instead.

Parse the USNJrnl in Autopsy #

We can parse the USNJrnl in Autopsy. This usually takes quite a long to complete.

  1. In Autopsy go to the Tools menu and select Run Ingest Modules and choose the evidence file.
  2. Ingest Profile Selection > click next
  3. Deselect All then scroll to find USN Parser.
  4. The select finish.
  5. Walk away and do something else.
  6. When it’s done, under the Data Artifacts Tree there should be “NTFS UsrJrnl entries". Click on that, wait some more.
  7. We’ll want to start by sorting my “MFT_Reference” and look for 60725, we’ll then have each of the files and the sequence numbers.
  8. Find the file associated with the sequence number 10.

It is highly likely that Autopsy is going to fail at point 5.

[!NOTE] Flag: telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new

Which file name represents the USN record where the USN number is 546416480? #

  1. Now we’ll want to sort on the USN column and find the corresponding entry.

[!NOTE] Flag: TransportSecurity~RF134e6674.TMP