Search K
Appearance
Appearance
Other ways to support HackTricks:
An attacker may be interested in changing the timestamps of files to avoid being detected.
It's possible to find the timestamps inside the MFT in attributes $STANDARD_INFORMATION
__ and __ $FILE_NAME
.
Both attributes have 4 timestamps: Modification, access, creation, and MFT registry modification (MACE or MACB).
Windows explorer and other tools show the information from $STANDARD_INFORMATION
.
This tool modifies the timestamp information inside $STANDARD_INFORMATION
but not the information inside $FILE_NAME
. Therefore, it's possible to identify suspicious activity.
The USN Journal (Update Sequence Number Journal) is a feature of the NTFS (Windows NT file system) that keeps track of volume changes. The UsnJrnl2Csv tool allows for the examination of these changes.
The previous image is the output shown by the tool where it can be observed that some changes were performed to the file.
All metadata changes to a file system are logged in a process known as write-ahead logging. The logged metadata is kept in a file named **$LogFile**
, located in the root directory of an NTFS file system. Tools such as LogFileParser can be used to parse this file and identify changes.
Again, in the output of the tool it's possible to see that some changes were performed.
Using the same tool it's possible to identify to which time the timestamps were modified:
$STANDARD_INFORMATION
and $FILE_NAME
comparison โAnother way to identify suspicious modified files would be to compare the time on both attributes looking for mismatches.
NTFS timestamps have a precision of 100 nanoseconds. Then, finding files with timestamps like 2010-10-10 10:10:00.000:0000 is very suspicious.
This tool can modify both attributes $STARNDAR_INFORMATION
and $FILE_NAME
. However, from Windows Vista, it's necessary for a live OS to modify this information.
NFTS uses a cluster and the minimum information size. That means that if a file occupies uses and cluster and a half, the reminding half is never going to be used until the file is deleted. Then, it's possible to hide data in this slack space.
There are tools like slacker that allow hiding data in this "hidden" space. However, an analysis of the $logfile
and $usnjrnl
can show that some data was added:
Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this kind of tool can save the content obfuscated or even encrypted.
This is a tool that will turn off the computer if any change in the USB ports is detected.
A way to discover this would be to inspect the running processes and review each python script running.
These distros are executed inside the RAM memory. The only way to detect them is in case the NTFS file-system is mounted with write permissions. If it's mounted just with read permissions it won't be possible to detect the intrusion.
https://github.com/Claudio-C/awesome-data-sanitization
It's possible to disable several windows logging methods to make the forensics investigation much harder.
This is a registry key that maintains dates and hours when each executable was run by the user.
Disabling UserAssist requires two steps:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs
and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled
, both to zero in order to signal that we want UserAssist disabled.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<hash>
.This will save information about the applications executed with the goal of improving the performance of the Windows system. However, this can also be useful for forensics practices.
regedit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\PrefetchParameters
EnablePrefetcher
and EnableSuperfetch
Whenever a folder is opened from an NTFS volume on a Windows NT server, the system takes the time to update a timestamp field on each listed folder, called the last access time. On a heavily used NTFS volume, this can affect performance.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
.NtfsDisableLastAccessUpdate
. If it doesnโt exist, add this DWORD and set its value to 1, which will disable the process.All the USB Device Entries are stored in Windows Registry Under the USBSTOR registry key that contains sub keys which are created whenever you plug a USB Device into your PC or Laptop. You can find this key here HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
. Deleting this you will delete the USB history.
You may also use the tool USBDeview to be sure you have deleted them (and to delete them).
Another file that saves information about the USBs is the file setupapi.dev.log
inside C:\Windows\INF
. This should also be deleted.
List shadow copies with vssadmin list shadowstorage
Delete them running vssadmin delete shadow
You can also delete them via GUI following the steps proposed in https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html
To disable shadow copies steps from here:
It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
cipher /w:C
This will indicate cipher to remove any data from the available unused disk space inside the C drive.for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f
WEvtUtil.exec clear-log
or WEvtUtil.exe cl
fsutil usn deletejournal /d c:
Other ways to support HackTricks: