Sunday, September 8, 2019

NTFS Timestamps vs NtSetInformationFile & MoveFile

TL;DR: The NtSetInformationFile, MoveFileW, NtSetInformationFile sequence overwrites all timestamps in the $STANDARD_INFORMATION and $FILE_NAME attributes.

There is no surprise here. After changing file content without changing the timestamps, changing the timestamps regardless of the content is the predictable next step. At first glance it looks impossible: the $FN attribute timestamps and the $SI attribute modification timestamp are not directly accessible. But for some reason, Microsoft provides an easy way, which looks like a feature.

The first thing is the $SI attribute timestamps. The native API functions NtQueryInformationFile and NtSetInformationFile let you read and change all four of them through the FILE_BASIC_INFORMATION structure:

typedef struct _FILE_BASIC_INFORMATION {
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  ULONG         FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;

including the attribute modification timestamp (ChangeTime, shown by istat as "MFT Modified"):

Before:

MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190675918603
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364219824
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.408341400 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.408341400 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

After:

MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190676047709
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364248096
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

The next thing is the $FN attribute timestamps. There is an interesting "side effect" of the MoveFileW function: on rename, the OS propagates all four timestamps from the $SI attribute to the $FN attributes, including the attribute modification timestamp. This seems to defeat the whole point of the attribute modification timestamp, but for some reason it works this way:

Before:

MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190676047709
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364248096
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

After:

MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190676622365
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364411688
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:50:28.453613000 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst~21
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-6)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-5)   Name: N/A   Resident   size: 108
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

As a solution, we can use a simple sequence:

  1. NtQueryInformationFile - preserve the file attributes
  2. MoveFileW - rename the file to a temporary name
  3. NtSetInformationFile - set the $SI timestamps
  4. MoveFileW - rename the file back to the original name, which propagates the $SI timestamps to the $FN timestamps
  5. NtSetInformationFile - set the $SI timestamps again, because the rename itself updates the $SI attribute modification timestamp

Before:

MFT Entry Header Values:
Entry: 73341        Sequence: 326
$LogFile Sequence Number: 190677530353
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 829  (S-1-5-21-1565470440-1633509369-3944455776-1000)
Last User Journal Update Sequence Number: 30364669728
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.084238000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.084238000 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
255125 255126 255127 255128 255129 255130 255131 255132 
255133 255134 255135 255136 255137 255138 255139 255140 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

After:

MFT Entry Header Values:
Entry: 73341        Sequence: 326
$LogFile Sequence Number: 190677614018
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 829  (S-1-5-21-1565470440-1633509369-3944455776-1000)
Last User Journal Update Sequence Number: 30364689880
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-8)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
255125 255126 255127 255128 255129 255130 255131 255132 
255133 255134 255135 255136 255137 255138 255139 255140 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

The test program takes one command-line argument, the file name; wildcards are not supported:

// Forever21.cpp

#include <windows.h>
#include <winternl.h>
#include <ntstatus.h>

HANDLE hStdOutput;
CHAR cFileBuffer[65536];
DWORD nNumberOfBytesWritten;
WCHAR cFileName[32768];

extern "C" void entry() {
  if ((hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE)) != INVALID_HANDLE_VALUE) {
    int argc = 0;
    if (LPWSTR *argv = CommandLineToArgvW(GetCommandLineW(), &argc)) {
      if (1 < argc) {
        HANDLE hFile;
        if ((hFile = CreateFileW(argv[1], FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0)) != INVALID_HANDLE_VALUE) {
          NTSTATUS NtStatus; IO_STATUS_BLOCK IoStatusBlock; FILE_BASIC_INFORMATION FileBasicInformation;
          if ((NtStatus = NtQueryInformationFile(hFile, &IoStatusBlock, &FileBasicInformation, sizeof FileBasicInformation, FILE_INFORMATION_CLASS::FileBasicInformation)) == STATUS_SUCCESS) {
            LARGE_INTEGER FileTime; GetSystemTimeAsFileTime(reinterpret_cast<LPFILETIME>(&FileTime)); FileTime.QuadPart -= 21ll * 31'557'600 * 10'000'000;
            FileBasicInformation.CreationTime = FileBasicInformation.LastAccessTime = FileBasicInformation.LastWriteTime = FileBasicInformation.ChangeTime = FileTime;
            if (MoveFileW(argv[1], lstrcatW(lstrcpyW(cFileName, argv[1]), L"~21"))) {
              if ((NtStatus = NtSetInformationFile(hFile, &IoStatusBlock, &FileBasicInformation, sizeof FileBasicInformation, FILE_INFORMATION_CLASS::FileBasicInformation)) == STATUS_SUCCESS) {
                if (MoveFileW(cFileName, argv[1])) {
                  if ((NtStatus = NtSetInformationFile(hFile, &IoStatusBlock, &FileBasicInformation, sizeof FileBasicInformation, FILE_INFORMATION_CLASS::FileBasicInformation)) == STATUS_SUCCESS) {
                    WriteFile(hStdOutput, cFileBuffer, wsprintfA(cFileBuffer, "Forever21: \"%S\"\n", argv[1]), &nNumberOfBytesWritten, 0);
                  }
                }
              }
            }
          }
          CloseHandle(hFile);
        }
      }
      GlobalFree(argv);
    }
  }
  ExitProcess(0);
}

The Windows Driver Kit is required for a Visual Studio build, but MinGW-w64 is an easy alternative; for example, it's bundled with Strawberry Perl. The MinGW-w64 build command line is:

gcc.exe -Wl,--gc-sections,--subsystem,console -fno-exceptions -fno-asynchronous-unwind-tables -fno-rtti -nostdlib -s -e entry -oForever21.exe -O2 Forever21.cpp -lkernel32 -luser32 -lshell32 -lntdll

x64 build: Forever21.7z, SHA1(Forever21.exe)= 72f6974085797d680c168a7151606ce4634fb152

Tuesday, September 3, 2019

NTFS Timestamps vs Memory Mapped File

TL;DR: Memory-mapped file I/O overwrites file content without changing any timestamp in the $STANDARD_INFORMATION and $FILE_NAME attributes.

During a recent job interview, a question about NTFS timestamps took me by surprise. I should admit that I never took file timestamps (NTFS or otherwise) as a credible source of information about the actual creation/modification date and time of a file. Traditionally, users without any special permissions have been able to alter file timestamps. For example, the Vienna virus, allegedly the very first PC virus, used a seconds value of 62 in the timestamp as a marker for already infected files. Timestamps may also "drift" due to time zone or daylight saving changes. In other words, for me they fell into the intelligence category ("if it were a fact, it wouldn't be called intelligence"). Well, enough of my preconceptions; let's check NTFS.

There are plenty of good resources about NTFS timestamps and their use in forensic analysis. I have linked some that I found interesting.

Long story short: there are four timestamps per MFT attribute - file creation, file modification, last access (in most cases not updated by the OS), and modification of the attribute itself. Every file has one $STANDARD_INFORMATION (later $SI) attribute and at least one $FILE_NAME (later $FN) attribute, so at least eight timestamps per file. The user-mode Windows API (GetFileTime and SetFileTime) lets you get or set only the creation, modification, and access timestamps, and only in the $SI attribute.

As the simplest thing first, I am interested in the modification of an already existing file. Supposedly, there is no legitimate way (without direct disk access, an OS exploit, etc.) to change file content without altering the NTFS timestamps or metadata. I guess it shouldn't be a surprise that my first bet for this task is memory-mapped file I/O. As a short intro, memory-mapped file I/O is the part of the user-mode Windows API that lets you map a file (or part of it) into process memory, so that all changes made in memory are reflected in the file on disk (at some moment). It's a fascinating feature (especially for a lazy programmer) with many applications (and implications), and there are some suggestions that it may do the trick (at least sometimes).

I did the preliminary research test on Windows 7 x64 build 7601, with subsequent verification on Windows 10 x64 build 1907. The file content modification is "x = x + 127" for every byte of the file or of its touched part. There are two significant observations:

  1. Memory-mapped file I/O lets you overwrite file content without changing any timestamp in the $SI and $FN attributes. During tests with file sizes up to 200MB, I didn't come across a single case of a timestamp change.
  2. There is an odd situation with the $LogFile Sequence Number (LSN) value. If you don't overwrite the very last memory page (the last "FileSize % PageSize" (remainder) bytes of the file, PageSize being 4096 by default), the LSN value stays unchanged. The test program therefore tries to skip the very last page unless the file size is less than 4096.

I guess the obvious to-dos are: check the LSN and USN journal records for the related file change operations, and check the same scenarios with large pages enabled (starting with Windows 10 build 1703).

The test program takes one command-line argument, the file name; wildcards are not supported. On success, the output is: "file name": altered region size(file size).

// TouchFile.cpp

#include <Windows.h>

HANDLE hStdOutput;
CHAR cFileBuffer[65536];
DWORD nNumberOfBytesWritten;

int main() {
  if ((hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE)) != INVALID_HANDLE_VALUE) {
    int argc = 0;
    if (LPWSTR * argv = CommandLineToArgvW(GetCommandLineW(), &argc)) {
      if (1 < argc) {
        HANDLE hFile;
        if ((hFile = CreateFileW(argv[1], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0)) != INVALID_HANDLE_VALUE) {
          if (HANDLE hFileMappingObject = CreateFileMappingW(hFile, 0, PAGE_READWRITE, 0, 0, 0)) {
            if (LPVOID lpBaseAddress = MapViewOfFile(hFileMappingObject, FILE_MAP_WRITE, 0, 0, 0)) {
              DWORD dwFileSize = GetFileSize(hFile, 0), dwTouchSize = 4096 < dwFileSize ? dwFileSize & ~4095 : dwFileSize;
              for (DWORD i = 0; i < dwTouchSize; i++) reinterpret_cast<BYTE*>(lpBaseAddress)[i] += 127;
              UnmapViewOfFile(lpBaseAddress);
              WriteFile(hStdOutput, cFileBuffer, wsprintfA(cFileBuffer, "\"%S\": %u(%u)\n", argv[1], dwTouchSize, dwFileSize), &nNumberOfBytesWritten, 0);
            }
            CloseHandle(hFileMappingObject);
          }
          CloseHandle(hFile);
        }
      }
      GlobalFree(argv);
    }
  }
  ExitProcess(0);
}

x64 build: TouchFile.7z, SHA1(TouchFile.exe)= c6f1f1c0adfb2bb7fdefc69165f765ebed55cbe8

Verification configuration: HP EliteBook 8730w, 8GB RAM, OCZ-VERTEX4 512GB HDD; Windows 10 x64 build 1907, clean install, default settings, all recommended updates (2019-08-30), offline user, no network connection; USB boot: Kali Linux Live 2019.2 (forensic mode), The Sleuth Kit 4.6.5. Verification scenario:

  1. Boot Windows: "xcopy /e /i ..." the folder with test files (file sizes: 4095, 4096, 3MB), "certutil -hashfile ..." for the file SHA1
  2. Boot Linux: "fls -i raw -f ntfs /dev/sda2 ...", "istat -i raw -f ntfs /dev/sda2 ..." for the file metadata
  3. Boot Windows: "TouchFile ..." for the file content overwrite
  4. Boot Linux: "istat -i raw -f ntfs /dev/sda2 ..." for the file metadata
  5. Boot Windows: "certutil.exe -hashfile ..." for the file SHA1

Before:

SHA1 C:\TestFolder\TestFile4095.tst 4c1732511805221435db376b8cbad7d0debf72cf

MFT Entry Header Values:
Entry: 124888        Sequence: 13
$LogFile Sequence Number: 537362867
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740432
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:40.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4095.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-4)   Name: N/A   Non-Resident   size: 4095  init_size: 4095
33536
After:

SHA1 C:\TestFolder\TestFile4095.tst 0dd646c5f8e3f61fa7cad72a68de06cc50d063c8

MFT Entry Header Values:
Entry: 124888        Sequence: 13
$LogFile Sequence Number: 537882948
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740432
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:40.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4095.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-4)  Name: N/A  Non-Resident  size: 4095  init_size: 4095
33536
Before:

SHA1 C:\TestFolder\TestFile4096.tst 2b4104c0956ad137b3925920c7b8e4b3fd1df275

MFT Entry Header Values:
Entry: 124893        Sequence: 11
$LogFile Sequence Number: 537362895
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740928
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:34.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~2.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4096.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 4096  init_size: 4096
100611
After:

SHA1 C:\TestFolder\TestFile4096.tst ba31ebd88c9abf4462da0ee43228720ba7775098

MFT Entry Header Values:
Entry: 124893        Sequence: 11
$LogFile Sequence Number: 537362895
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740928
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:34.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~2.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4096.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 4096  init_size: 4096
100611
Before:

SHA1 C:\TestFolder\TestFile3516592.tst f87e2398de1c05a8c7fe7cd97097cdc1b69da6ab

MFT Entry Header Values:
Entry: 124894        Sequence: 11
$LogFile Sequence Number: 537367229
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101741440
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:59:46.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:13.164794500 (UTC)
Accessed:      2019-08-31 07:45:13.164794500 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~3.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile3516592.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 104
Type: $DATA (128-1) Name: N/A Non-Resident size: 3516592 init_size: 3516592
4363616 4363617 4363618 4363619 4363620 4363621 4363622 4363623 
...
4364464 4364465 4364466 4364467 4364468 4364469 4364470 4364471 
4364472 4364473 4364474
After:

SHA1 C:\TestFolder\TestFile3516592.tst 8623d77cdd8b00e4966ba1056319a1db61aa8ce1

MFT Entry Header Values:
Entry: 124894        Sequence: 11
$LogFile Sequence Number: 537367229
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101741440
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:59:46.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:13.164794500 (UTC)
Accessed:      2019-08-31 07:45:13.164794500 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~3.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile3516592.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 104
Type: $DATA (128-1) Name: N/A Non-Resident size: 3516592 init_size: 3516592
4363616 4363617 4363618 4363619 4363620 4363621 4363622 4363623 
...
4364464 4364465 4364466 4364467 4364468 4364469 4364470 4364471 
4364472 4364473 4364474
Before:

SHA1 C:\TestFolder\TestFile235281024.tst eb541e876895e8595e4fcb7322c183e7cabad382

MFT Entry Header Values:
Entry: 88106        Sequence: 10
$LogFile Sequence Number: 907469416
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 113449752
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-01 19:36:28.000000000 (UTC)
MFT Modified:  2019-09-03 09:14:44.548521800 (UTC)
Accessed:      2019-09-03 09:14:44.548521800 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~4.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile235281024.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 108
Type: $DATA (128-1) Name: N/A Non-Resident size: 235281024 init_size: 235281024
3959582 3959583 3959584 3959585 3959586 3959587 3959588 3959589 
...
4017014 4017015 4017016 4017017 4017018 4017019 4017020 4017021 
4017022 4017023 
After:

SHA1 C:\TestFolder\TestFile235281024.tst 66817762fe8f32e065ea8c824367bdc8f47a3093

MFT Entry Header Values:
Entry: 88106        Sequence: 10
$LogFile Sequence Number: 907469416
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 113449752
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-01 19:36:28.000000000 (UTC)
MFT Modified:  2019-09-03 09:14:44.548521800 (UTC)
Accessed:      2019-09-03 09:14:44.548521800 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~4.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile235281024.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 108
Type: $DATA (128-1) Name: N/A Non-Resident size: 235281024 init_size: 235281024
3959582 3959583 3959584 3959585 3959586 3959587 3959588 3959589 
...
4017014 4017015 4017016 4017017 4017018 4017019 4017020 4017021 
4017022 4017023 
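
Both posts compare istat dumps taken before and after a change, so here is the analyst's side of that comparison as an added example (not code from either post): a small Python checker that parses the istat format shown above and reports what each technique leaves behind. For the NtSetInformationFile/MoveFileW sequence that is timestamps rewound and collapsed to one identical 100 ns value plus $FILE_NAME attributes recreated under new attribute ids while the names stayed the same; for the memory-mapped overwrite it is a changed SHA1 (supplied by the caller, from certutil or sha1sum) with no timestamp movement. The function names are my own, and the embedded snapshots are abbreviated from the third Before/After pair of the Forever21 post, keeping one of the two $FN attributes.

```python
"""Diff two istat(1) dumps of one MFT entry and flag timestamp-tampering indicators.
Added example; it parses the istat text format shown on this page. Timestamps are
kept as strings: istat prints fixed-width ISO-8601, so lexical order is chronological.
"""
import re

TS_KEYS = ("Created", "File Modified", "MFT Modified", "Accessed")
TS_RE = re.compile(r"^(Created|File Modified|MFT Modified|Accessed):\s+"
                   r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)")


def parse_istat(text):
    """Reduce an istat dump to its LSN, $SI timestamps, $FN records and $FN attribute ids."""
    entry = {"lsn": None, "si": {}, "fn": [], "fn_ids": []}
    cur = None  # the attribute dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("$LogFile Sequence Number:"):
            entry["lsn"] = int(line.rsplit(":", 1)[1])
        elif line == "$STANDARD_INFORMATION Attribute Values:":
            cur = entry["si"]
        elif line == "$FILE_NAME Attribute Values:":
            cur = {}
            entry["fn"].append(cur)
        elif line.startswith("Attributes:"):
            cur = None  # attribute list follows; only the $FN ids matter there
        elif line.startswith("Type: $FILE_NAME ("):
            entry["fn_ids"].append(re.search(r"\((\d+-\d+)\)", line).group(1))
        elif cur is not None:
            m = TS_RE.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
            elif line.startswith("Name:"):
                cur["name"] = line.split(":", 1)[1].strip()
    return entry


def all_timestamps(entry):
    """All timestamps of the entry: the four $SI values, then four per $FN attribute."""
    return [attr.get(k, "") for attr in [entry["si"]] + entry["fn"] for k in TS_KEYS]


def compare(before, after, sha1_before=None, sha1_after=None):
    """Return human-readable indicators; an empty list means nothing stood out."""
    findings = []
    pairs = list(zip(all_timestamps(before), all_timestamps(after)))
    moved = [(b, a) for b, a in pairs if b != a]
    rewound = [(b, a) for b, a in moved if a < b]
    if rewound:
        findings.append("%d of %d timestamps moved backwards" % (len(rewound), len(pairs)))
    if len(set(all_timestamps(after))) == 1:
        # Ordinary activity leaves $SI and $FN values differing by at least a few 100 ns ticks.
        findings.append("all $SI and $FN timestamps identical to 100 ns")
    si_created = after["si"].get("Created")
    if si_created and any(si_created < fn.get("Created", "") for fn in after["fn"]):
        findings.append("$SI Created earlier than $FN Created")
    same_names = [f.get("name") for f in before["fn"]] == [f.get("name") for f in after["fn"]]
    if same_names and before["fn_ids"] != after["fn_ids"]:
        # A rename rewrites the $FILE_NAME attributes under fresh ids, even when renamed back.
        findings.append("$FILE_NAME attributes recreated (%s -> %s) with unchanged names"
                        % ("/".join(before["fn_ids"]), "/".join(after["fn_ids"])))
    if not moved:
        if sha1_before and sha1_after and sha1_before != sha1_after:
            findings.append("content SHA1 changed while no $SI or $FN timestamp moved")
        if before["lsn"] != after["lsn"]:
            findings.append("$LogFile LSN advanced while no timestamp moved")
    return findings


# Snapshots abbreviated from the third Before/After pair above (one of the two $FN attributes kept).
BEFORE_FOREVER21 = """\
$LogFile Sequence Number: 190677530353
$STANDARD_INFORMATION Attribute Values:
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.084238000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.084238000 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
$FILE_NAME Attribute Values:
Name: TestFile106492.tst
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
Attributes:
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
"""
AFTER_FOREVER21 = """\
$LogFile Sequence Number: 190677614018
$STANDARD_INFORMATION Attribute Values:
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
$FILE_NAME Attribute Values:
Name: TestFile106492.tst
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Attributes:
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 102
"""
```

Running compare(parse_istat(before), parse_istat(after)) on the two snapshots reports the rewound, identical timestamps and the recreated $FN attributes; calling it with two snapshots that only differ in the supplied SHA1 values reports the memory-mapped case.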
