Wednesday, September 9, 2020

Beginning File System Forensics - Timeline analysis

Now that the drive has been mounted and the file metadata has been exported as seen in the previous post, let's poke at some files of "interest". The file of interest is related to my SANS SEC582 - Mastering TShark Packet Analysis class. 

Let's assume we have an indicator of compromise (IoC): a suspicious file name. We can use the "grep" utility to search the previously created "linux_mint_files_export.txt" for it and see if we get a hit. At the same time, let's pipe the results into "wc --lines" to count how many entries match.

kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt | wc --lines
22

22 entries matched. Let's take a look at them.

kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf

As you may remember from the previous post, the columns above are, in order: last status change date (%Cx), last status change time (%CT), last access date (%Ax), last access time (%AT), last modification date (%Tx), last modification time (%TT), file permissions in octal (%m), numeric user id (%U), user name (%u), numeric group id (%G), group name (%g), size in bytes (%s) and path (%P), with a newline (\n) after every entry. Note that %C is the inode's status change time (ctime). On Linux filesystems such as ext4 that value is also bumped by chmod, chown and rename, and find has no "creation" specifier at all, so read this column as "last metadata change" unless you have confirmed what the driver for the mounted filesystem actually reports there.

With that in mind, let's sort these entries by status change date and time, most recent at the top. We feed the previous output to "sort" with a "--field-separator" of pipe "|", use fields 1 through 2 (the date and the time) as the key with "--key=1,2", and "--reverse" the output. One caveat: this is a text sort, and MM/DD/YYYY strings only order correctly within a single year (an entry dated 12/31/2019 would sort after 01/01/2020). It works here because every hit is from May 2020; on a larger export, sort on the year, month and day sub-fields or convert the dates to ISO 8601 first.

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs

Now that we have the above, we can make some observations and draw some tentative conclusions.
1. The activity surrounding the IoC string "SEC582" starts on May 13, 2020 at around 08:31:58 local time.
2. On May 13, 2020 at 08:31:58 local time the user root created (or last changed the metadata of) the directory "SANS SEC582 - Labs and Challenges PDFs". We know it is a directory and not a file because every other hit lives beneath it.
3. Its modification time is 08:32:00 on the same date, about a second later, and has no fractional seconds at all.

4. Looking closer, two sub directories, "Day 1" and "Day 2", were created beneath it. Filtering out the PDF entries so we can focus on the directories and their times, we see:

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse | grep --invert-match --perl-regexp "\.pdf$"
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs

Paying closer attention to the times, both sub directories have a last access timestamp of "05/12/2020|20:00:00.0000000000", while their status change times are 09:47:17 and 09:47:33 on 05/13/2020. How can a directory have been accessed before it existed, and before its parent, whose status change time is "05/13/2020|08:31:58.8300000000"? One possibility is that the parent folder was created on this volume and the sub folders were then copied in with their original timestamps preserved ("cp --preserve=timestamps" keeps atime and mtime; ctime cannot be carried over by an ordinary copy). Keep in mind, though, that this compares an access time against a status change time, and that identical, perfectly round access times across many entries usually say more about how the filesystem records atime than about what happened; see point 7 below.

5. Looking at the other 19 entries (the PDFs), by status change time the first is "SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf" on May 13, 2020 at around 08:34, and the last is "SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf" on May 14 at around 05:52.

6. By modification time, the same two files are again first ("Exercise 1.1", May 13, 2020 around 08:34) and last ("Initial Setup", May 14 around 06:39). The "Initial Setup" PDF is the only one whose modification time is well after its status change time, about 47 minutes later. On an ext4-style filesystem a write also updates ctime, so mtime should never be later than ctime; seeing it here is a hint that on this volume the %C column is behaving like a creation time rather than a last-metadata-change time.

7. Finally, the access times of all 19 files, and of the parent directory, are exactly May 13, 2020 at 20:00:00.0000000000, and the two sub directories are exactly 20:00:00 on May 12. The "Initial Setup" PDF's access time (05/13 20:00) is earlier than its own status change time (05/14 05:52:29), which cannot be a real read. Does the proximity of this timing reaffirm that the files were copied? Not on its own. A fixed time of day across every entry, modification times that all land on even whole seconds, and status change times with exactly two fractional digits point to a filesystem that stores only an access date, 2-second modification times and 10 ms creation times (FAT-style resolution), rendered here in the local time zone, rather than to an access event at 20:00. That is an inference from the listing, not something the export proves: confirm the filesystem type with mount or blkid, check whether the volume was mounted noatime or relatime, and only then decide what the access time column can and cannot tell you.
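To make the sorting step above and the conclusions in points 1 to 7 reproducible without relying on a text sort of MM/DD/YYYY strings, here is an added Python example (mine, not part of the original post or of any tool it uses). It parses the export format described above into real timestamps, sorts on them, flattens every record into a MAC-style timeline, and applies the two checks the conclusions depend on: whether an access time precedes the status change time, and what resolution each column appears to have been recorded at. The four sample lines are taken from the listing above; the field names and the granularity labels are my own.

```python
"""Parse the pipe-delimited "find -printf" export used on this page, sort it
chronologically, flatten it into a timeline and run a few timestamp sanity checks."""
from datetime import datetime
from typing import NamedTuple

# Column order of the export: %Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P
FIELDS = 13


class Entry(NamedTuple):
    ctime: datetime   # last status change (%C); behaves like creation time on some filesystems
    atime: datetime   # last access (%A)
    mtime: datetime   # last modification (%T)
    perms: str
    uid: int
    user: str
    gid: int
    group: str
    size: int
    path: str


def parse_ts(date: str, time: str) -> datetime:
    """Combine a %x date (MM/DD/YYYY) and a %T time (HH:MM:SS.NNNNNNNNNN)."""
    hms, _, frac = time.partition(".")
    # find prints 10 fractional digits; datetime holds microseconds, so truncate to 6.
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{date} {hms}.{frac}", "%m/%d/%Y %H:%M:%S.%f")


def parse_export(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The path is the last column, so split at most 12 times; a "|" inside a
        # file name then stays part of the path instead of shifting the columns.
        parts = line.split("|", FIELDS - 1)
        if len(parts) != FIELDS:
            raise ValueError(f"malformed export line: {line!r}")
        cd, ct, ad, at, md, mt, perms, uid, user, gid, group, size, path = parts
        entries.append(Entry(parse_ts(cd, ct), parse_ts(ad, at), parse_ts(md, mt),
                             perms, int(uid), user, int(gid), group, int(size), path))
    return entries


def sort_by_ctime(entries: list[Entry], newest_first: bool = True) -> list[Entry]:
    """Order on real datetimes; a text sort on MM/DD/YYYY only works within one year."""
    return sorted(entries, key=lambda e: e.ctime, reverse=newest_first)


def timeline(entries: list[Entry]) -> list[tuple[datetime, str, str]]:
    """One event per timestamp, oldest first, like a MAC/bodyfile timeline."""
    events = []
    for e in entries:
        events += [(e.mtime, "m", e.path), (e.atime, "a", e.path), (e.ctime, "c", e.path)]
    return sorted(events)


def granularity(stamps: list[datetime]) -> str:
    """Guess the resolution a timestamp column was recorded at from its values."""
    if len(stamps) > 1 and len({t.time() for t in stamps}) == 1:
        return "fixed time of day"          # looks like a date-only field
    if any(t.microsecond for t in stamps):
        return "sub-second"
    if all(t.second % 2 == 0 for t in stamps):
        return "even seconds"               # 2 s resolution, as with FAT mtime
    return "whole seconds"


def sanity_checks(entries: list[Entry]) -> list[tuple[str, str]]:
    """Flag timestamp relationships that ordinary file activity cannot produce."""
    findings = []
    for e in entries:
        if e.atime < e.ctime:
            findings.append((e.path, "access time earlier than status change time"))
        if e.mtime > e.ctime:
            findings.append((e.path, "modified after last status change (ctime not updated by the write?)"))
    return findings


# Constructed sample: four lines taken from the listing above (parent directory,
# one sub directory, the first PDF and the last PDF).
SAMPLE = """\
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
"""

ENTRIES = parse_export(SAMPLE)

if __name__ == "__main__":
    for e in sort_by_ctime(ENTRIES):
        print(e.ctime.isoformat(), e.user, e.size, e.path)
    for col in ("ctime", "atime", "mtime"):
        print(col, "granularity:", granularity([getattr(e, col) for e in ENTRIES]))
    for when, kind, path in timeline(ENTRIES):
        print(when.isoformat(timespec="milliseconds"), kind, path)
    for path, why in sanity_checks(ENTRIES):
        print("CHECK:", why, "->", path)
```

Run it to get the same "most recent first" listing as the sort command, followed by the per-column granularity guess, the flattened timeline and the flagged entries; on a full export, pass the file contents to parse_export() instead of SAMPLE. The granularity guess is a heuristic over the values you have: four records are enough to notice that every access time falls at the same time of day, but not to prove which filesystem wrote them.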

Alright, I think that is enough for this post.

Oh, and by the way, I hope to see you in one of my SANS SEC582 Mastering TShark Packet Analysis classes. :-) If you cannot make that one, come hang out with me in the SEC503 or SEC504 class. :-) :-)

