BFT Writeup

Prepared by: Cyberjunkie & Sebh24

Machine Author(s): Cyberjunkie

Difficulty: Very Easy

Scenario
In this Lab, you will be made familiar with MFT forensics. You will get
introduced to well known tools and methodology to analyze MFT artifacts to
identify malicious activity. You will use MFTeCMD tool to parse the provided MFT
file, TimeLine Explorer to open and analyze the results from parse MFT and Hex
editor to recover file contents from MFT as part of our analysis.

Tools used :

- MfteCMD
- TimeLineExplorer
- HxD hex editor
Artefacts provided

1-2024-02-13T164623_MFT_TRIAGE.zip (zip file), SHA1 :

5A9BD3D02E0DC0732AAF882879FB6AF02795E1B9

Skills Learnt

NTFS Forensics

Timeline creation

File Recovery

Disk Forensics

Contextual Analysis

Tags

DFIR

Windows Forensics

Initial Analysis:
We have been provided with only one file for analysis, an Master File Table (MFT). Lets begin with
detailing what an MFT is and why is is extremely important and useful for Windows Forensics. We
will also detail the fields that exist within the MFT and the use cases for each field.

Master File Table

The Master File Table (MFT) is a critical component within the NTFS (New Technology File System),
which is the file system used by Windows operating systems. The MFT is essentially a database
that stores metadata about every file and directory on an NTFS volume. Its role and structure
make it a fundamental resource in digital forensics, particularly when dealing with Windows-based
environments.

What is the MFT?

The MFT records details about each file and directory on an NTFS drive. Each file or directory is
represented by an entry in the table, referred to as an MFT entry. These entries are assigned a
unique identifier, known as the MFT record number. The MFT itself is structured as a file on the
NTFS volume but is special in that it describes all other files, including itself and the metadata
about the volume.

Why is the MFT Useful for Forensics?

1. Comprehensive Data Storage: The MFT provides a detailed record of each file, including
timestamps, permissions, and data content locations, making it invaluable for forensic
investigations.

2. Recovery of Deleted Files: Even when files are deleted, their MFT entries might not be
immediately reused. This allows forensic analysts to recover details about the deleted files,
which can be crucial in legal contexts.

3. Tracking File Modifications: The MFT includes multiple timestamps that record different
types of file access and modifications. This can help construct a timeline of activities on a
system, an essential aspect of forensic analysis.
4. Detecting Malware and Unauthorized Access: Since the MFT records file creation and
modification details, unusual changes detected in these entries can indicate unauthorised
access or malware activity.

1. Detailed Breakdown of MFT Fields

1. $STANDARD_INFORMATION

Creation Time: The date and time when the file or directory was created.

Modification Time: The date and time when the file or directory was last modified.

Access Time: The date and time when the file or directory was last accessed.

Entry Modified Time: The date and time when the MFT entry itself was last
modified.

Use Case: These timestamps are vital for timeline analysis to determine the
sequence of user actions and file usage.

2. $FILE_NAME

File Name: The name of the file or directory.

Parent Directory: The MFT record number of the directory in which the file
resides.

Additional Timestamps: Similar to $STANDARD_INFORMATION, but specific to this

attribute and sometimes used as a fallback.

Use Case: This attribute is used to confirm the integrity of file paths and names in
the system, which is crucial for tracking user movements and detecting
unauthorised changes.

3. $DATA

Actual Data or Pointer: Either the data itself for smaller files or a pointer to the
data for larger files.

Use Case: Direct analysis of file contents and data recovery, especially important in
cases involving data theft or unauthorized data manipulation.

4. $LOGGED_UTILITY_STREAM

Transactional Data: Holds data related to transactional NTFS (TxF), which logs
temporary file state changes.

Use Case: Can be used to track changes made during a transaction, useful in cases
of system crashes or unexpected shutdowns to determine interim states.

5. $BITMAP

Cluster Allocation: Maps which clusters are in use by the file.

Use Case: Useful for recovering deleted files or reconstructing file data from
clusters not overwritten by new data.

6. $SECURITY_DESCRIPTOR

Owner ID: Identifies who owns the file.

Permissions: Details what permissions are attached to the file (who can read, write,
execute, etc.).

Audit Settings: Specifies what operations (like access or changes) are logged by the
system.
 Use Case: Critical for determining access rights and detecting potential security
breaches where permissions may have been altered.
7. $VOLUME_INFORMATION (specific to the MFT entry for the volume itself)

Volume Serial Number: Unique identifier for the volume.

Flags: System flags related to the volume, such as whether it’s dirty (improperly
unmounted).

Use Case: Useful in multi-disk systems to link files and activities to specific volumes,
essential in systems recovery and forensic analysis across multiple drives.

8. $INDEX_ROOT and $INDEX_ALLOCATION

Index Entries: Used in directories to index contained files for quick access.

Use Case: Forensically important for reconstructing directory structures and

understanding how data was organized and accessed, particularly in complex
investigations involving numerous files and directories.

Use Cases for MFT Fields

Reconstructing User Activities: By examining the timestamps and file paths in the MFT,
forensic analysts can reconstruct user activities and file usage patterns.

Recovering Deleted Content: Analysts can locate records of deleted files in the MFT for
potential recovery and analysis, crucial for understanding what was present on a disk before
its current state.

Identifying Malicious Changes: Changes in file sizes, paths, or timestamps that don't align
with known user activities can suggest tampering or malware presence.

In summary, the MFT is an indispensable resource in Windows forensics due to its detailed and
comprehensive logging of file information. This makes it a potent tool for legal investigations,
security incident responses, and in-depth system analysis. Understanding and interpreting the
fields within an MFT can reveal a wealth of information about the state and history of a file system.

There are two methods of opening our MFT file, one is utilising MFTExplorer, which can take a
considerable amount of time to load. The preferred method for our analysis today is to convert
our MFT into a CSV file using MFTeCMD and then import it into TimeLine Explorer. Please see
below for a description of each of these tools:

Timeline Explorer: Timeline Explorer is a tool designed for viewing, filtering, and analysing
timelines during digital forensic investigations. It is often used to review large sets of event
logs, file system records, and other timestamped data extracted during a forensic analysis.

MFTeCMD: MFTeCMD is a tool developed by Eric Zimmerman that specializes in parsing the
Master File Table from NTFS file systems. It extracts detailed information stored in the MFT
entries, presenting them in a more digestible and analyzable format.

MFTExplorer: MFTExplorer is another forensic tool used to examine the MFT in a detailed and
user-friendly manner. Similar in purpose to MFTeCMD but often with a focus on a graphical
user interface, MFTExplorer allows forensic analysts to navigate and inspect individual MFT
records easily.

Lets prep our MFT for analysis by converting it into a CSV, ready to import it into TimeLine
Explorer.

MFTECMD.exe -f "C:\Your\Directory\$MFT" --csv "C:\Your\Output\Directory\" ---csvf

mft.csv
We are presented with a results file, as detailed below:

We can now open TimeLine explorer and import the mft.csv file.

Questions :
Q1 Simon stark was targeted by attackers on 13th February. He downloaded a zip file from a link he
received in an email. What was the name of the ZIP File he downloaded from the link?

Hint : Open the parsed results from MFTeCMD in timeline explorer. You can add a filter for file extension
as zip and In Created0x10/0x30 add a filter for date mentioned in the scenario.

The task has provided us a date, which could usually provided in an initial SOC ticket (as an
example). We will now use the filter feature in each column of TimeLine explorer to filter for a
specified date. As detailed below, Timeline Explorer automatically picks up on the date field.
We select the date of our choosing, in this case the 13th February 2024 and hit ok. The reason the
21st February is highlighted, is due to this being the date we conduct the analysis.

Viewing the bottom left of our open Window we can confirm the filter has been applied, as
detailed below:

To further add to our filter, we can now filter based on the extension. The task confirms that a zip
file was infact downloaded, so we can apply the "zip" filter to the Extension field.

The results once automatically filtered showcase 3 zip files:

Stage-20240213T093324Z-001.zip

invoices.zip

KAPE.zip, which can be discounted as our artefact collection.

After applying these filters, we identify two ZIP files (discounting the KAPE.zip), one of which,
Stage-20240213T093324Z-001.zip , is determined to be the initial download due to its parent
path reference in another ZIP file.

Answer: Stage-20240213T093324Z-001.zip

Q2 See Zone Id Contents for the zip file downloaded initially. This field gives us the HostUrl from where
the file was downloaded. This can act as a good piece of IOC in our investigation/analysis. What is the
full Host URL from where this zip file was downloaded?

In the process of identifying the initial ZIP file, we aim to uncover the URL from which it was
downloaded. When files are downloaded from the internet using a browser, Alternate Data
Streams (ADS) are generated for the downloaded file, containing the URL of the download source.

In the context of Windows NTFS (New Technology File System), an Alternate Data Stream (ADS) is a
feature that allows data to be forked into existing files without altering the original file content or
size visible to the users. This feature is derived from the Macintosh Hierarchical File System's
ability to store resource forks, which could hold metadata or icons separate from file data. ADS
can be used to store additional information associated with a file or directory.

To proceed, we remove the filter for ZIP files and focus on locating ADS files.

We just typed stage in Filename as a filter, and we saw all file references with this name. We are
interested in the file with the extension "Identifier".
This is the host URL from where this file was downloaded. From this we can assume that Google
drive was used to host this zip file.

Answer:https[:]//storage.googleapis.com/drive-bulk-export-
anonymous/20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-
e188d5c1c04f/1/c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser

Q3 What is full path and name of the malicious file which executed malicious code and connected to an
C2 Server?

Hint : Identify any suspicious file related to the ZIP file downloaded initially. Look for the MFT records
with suspicious extensions and around the time of ZIP download.

As the hint suggests, we need to search for files created around the same time as the initial ZIP file
named "Stage." For this, we'll remove the filename filter we applied in the previous step and
instead apply a filter for the keyword "stage" in the Parent Path column.

Once we adjust our focus to the Parent Path column and input the keyword "stage," we
immediately spot a batch file named Invoice.bat . This file stands out as batch files (.bat) are
commonly used for executing commands on Windows systems, often making them a target for
misuse in cyber attacks. By examining the Parent Path details provided, we can ascertain the full
path of the file, which is critical for further analysis and verification steps in our forensic
investigation.

Answer: C:\Users\simon.stark\Downloads\Stage-20240213T093324Z-
001\Stage\invoice\invoices\invoice.bat

Q4 Analyse the Created0x30 Timestamp for the identified file from previous Question. When was this File
created on disk?

Let's examine the timestamp of this file. By examining the creation time, we can integrate this
information into our timeline, which will aid investigators in constructing a broader understanding
of the events that occurred.

Analysing the timestamp of the file is crucial as it provides a specific point in the forensic timeline
when the file was created on the system. This timestamp is essential for understanding the
sequence of events leading up to and following the security incident. By adding this timestamp to
our comprehensive timeline, investigators can correlate this event with other activities on the
system, potentially identifying related malicious actions or pinpointing when the system's security
was compromised.

Answer: 2024-02-13 16:38:39

Q5 Finding the offset of an MFT record is helpful in many use cases during investigations. Find the offset
in hex of the stager file from Question3.

Hint : In mft records, find the Entry Number value for the file in question. Multiply that number with
1024(since this is size of each record).The answer you get is the offset in Decimal. Convert it to hex and
answer.

To determine the offset of the stager file, the invoice.bat file, we start by locating its MFT Entry
Number, which is 23436.

Since each MFT entry occupies 1024 bytes, we multiply this entry number by 1024 to calculate the
file's offset in bytes.
The calculation gives us 23998464 as the offset in decimal format. For use in tools that necessitate
hexadecimal values, such as hex editors, we convert this decimal number to hexadecimal. An
online conversion tool can be utilized for this purpose, yielding a hexadecimal offset of 16E3000 .
This hexadecimal address is essential for forensic tools to directly navigate to and analyze the file's
raw data within the MFT.

Here's the offset in hexadecimal.

Answer: 16E3000

Q6: Each MFT record is 1024 bytes in size. If a file on disk has smaller size than 1024 bytes, they can be
stored directly on MFT File itself. These are called MFT Resident files. During Windows File system
Investigation, its crucial to look for any malicious/suspicious files that may be resident in MFT. This way
we can find contents of malicious files/scripts. Find the contents of The malicious stager identified in
Question3 and answer with the C2 IP and port.

Hint : Open the MFT file in any hex editor tool of your choice. Then either search for or Jump to the offset
identified in previous question and you will have the stager file contents there. For example in HxD(Hex
editor) tool , you can go to search tab and click "go to" button which will open up a prompt where you
can input either hex or decimal offset and it will take you to relevant location
Before we continue with concluding our investigation, a quick point to note about the size of the
file that can be seen in an MFT. The size of files that can be stored directly within the Master File
Table (MFT) — known as resident files — varies depending on the file, the system, and the amount
of metadata stored in the MFT. Generally, the more metadata associated with a file, the less space
remains for storing the file's data itself within the MFT. While there is no strict upper limit, typically
files smaller than approximately 900 bytes can be fully contained within their MFT record.

To conclude our investigation, we need to locate and examine the contents of the invoice.bat
file directly from the Master File Table (MFT) using a hex editor. This will allow us to uncover the
command and control (C2) IP address and port number encoded within the file.

We have verified that the batch file is significantly smaller than the approximate upper limit of 900
bytes, confirming it as an MFT Resident file. This means that the contents of the file are stored
within the MFT itself, rather than on the disk.

We begin by opening the MFT file in a hex editor, such as HxD, which is a tool that enables us to
view and edit the raw hexadecimal data of a file.
Using the hexadecimal offset 16E3000 , determined from our earlier calculations, we use the "Go
To" feature in HxD. This function allows us to jump directly to the specific part of the MFT where
the invoice.bat file's data is stored. By entering this hexadecimal value into the Go To prompt,
the editor will automatically bring us to the correct location within the MFT.

Once at the specified offset, we confirm that we're looking at the correct file data by checking for
identifiable information such as the file name ( invoice.bat ) displayed in the hex editor.
Alongside the file name, we look for any executable code or scripts. In this case, we find a
PowerShell command that is part of a one-liner script. This script includes the IP address and port,
which indicates where the malware attempts to connect for receiving further instructions or
exfiltrating data.
By analysing the PowerShell script embedded within the batch file, we can extract the specific IP
address and port number used by the malware to communicate with its command and control
server. These details are crucial for understanding the scope of the threat and potentially blocking
further malicious communications.

Answer: 43.204.110.203:6666

This process demonstrates the forensic value of examining the contents of files resident in the
MFT, particularly when dealing with small files that may contain malicious code. By utilising a hex
editor to navigate to and inspect the exact location of these files within the MFT, investigators can
retrieve critical information that aids in cyber threat analysis and mitigation.