Sunday, September 8, 2019

NTFS Timestamps vs NtSetInformationFile & MoveFile

TL;DR: NtSetInformationFile, MoveFileW, NtSetInformationFile sequence overwrites all timestamps in $STANDARD_INFORMATION, and $FILE_NAME attributes.

There is no surprise here. After changing the file content, without changing the timestamps, change the file timestamps regardless of the content is a predictable next step. On first look, it's not possible - all timestamps from $FN attributes and $SI attribute modification timestamps are not accessible directly. But for some reason, Microsoft provided an easy way which looks like a feature.

The first thing is $SI attribute timestamps. Kernel API functions NtQueryInformationFile and NtSetInformationFile let you access and change all four of them, FILE_BASIC_INFORMATION:

typedef struct _FILE_BASIC_INFORMATION {
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  ULONG         FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;

including the attribute modification timestamps:

BeforeAfter
MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190675918603
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364219824
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.408341400 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.408341400 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190676047709
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364248096
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158

Next thing is $FN attribute timestamps. There is an interesting "side effect" of MoveFileW function. OS propagates all four timestamps from $SI attribute to $FN attributes, including the attribute modification timestamp. Looks like, it breaks all sense of the attribute modification timestamp, but for some reason, it works this way:

BeforeAfter
MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190676047709
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364248096
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
File Modified: 2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:29:07.401341000 (Eastern Daylight Time)
Accessed:      2019-09-07 01:29:07.401341000 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

MFT Entry Header Values:
Entry: 73341        Sequence: 325
$LogFile Sequence Number: 190676622365
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1171  (S-1-5-32-544)
Last User Journal Update Sequence Number: 30364411688
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  2019-09-07 01:50:28.453613000 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst~21
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
File Modified: 1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
MFT Modified:  1998-09-06 19:34:03.473275400 (Eastern Daylight Time)
Accessed:      1998-09-06 19:34:03.473275400 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-6)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-5)   Name: N/A   Resident   size: 108
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
5389569 5389570 5389571 5389572 5389573 5389574 5389575 5389576 
5389577 5389578 5389579 5389580 5389581 5389582 5389583 5389584 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158

As a solution, we can use a simple sequence:

  1. NtQueryInformationFile - preserve file attributes
  2. MoveFileW - rename file to some temporal name
  3. NtSetInformationFile - set $SI timestamps
  4. MoveFileW - rename file to the original name and propagate $SI timestamps to $FN timestamps
  5. NtSetInformationFile - set $SI timestamps again
BeforeAfter
MFT Entry Header Values:
Entry: 73341        Sequence: 326
$LogFile Sequence Number: 190677530353
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 829  (S-1-5-21-1565470440-1633509369-3944455776-1000)
Last User Journal Update Sequence Number: 30364669728
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.084238000 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.084238000 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 0    Actual Size: 0
Created:       2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
File Modified: 2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
MFT Modified:  2019-09-07 02:22:25.075237500 (Eastern Daylight Time)
Accessed:      2019-09-07 02:22:25.075237500 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
255125 255126 255127 255128 255129 255130 255131 255132 
255133 255134 255135 255136 255137 255138 255139 255140 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158 

MFT Entry Header Values:
Entry: 73341        Sequence: 326
$LogFile Sequence Number: 190677614018
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 829  (S-1-5-21-1565470440-1633509369-3944455776-1000)
Last User Journal Update Sequence Number: 30364689880
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile106492.tst
Parent MFT Entry: 367786  Sequence: 290
Allocated Size: 106496    Actual Size: 106492
Created:       1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
File Modified: 1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
MFT Modified:  1998-09-06 20:25:24.029473100 (Eastern Daylight Time)
Accessed:      1998-09-06 20:25:24.029473100 (Eastern Daylight Time)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-8)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 102
Type: $DATA (128-4) Name: N/A Non-Resident size: 106492 init_size: 106492
255125 255126 255127 255128 255129 255130 255131 255132 
255133 255134 255135 255136 255137 255138 255139 255140 
13497149 13497150 13497151 13497152 13497153 13497154 13497155 13497156 
13497157 13497158

The test program takes one command-line argument - file name, there is no support for a file name wildcards:

// Forever21.cpp

#include <windows.h>
#include <winternl.h>
#include <ntstatus.h>

HANDLE hStdOutput;
CHAR cFileBuffer[65536];
DWORD nNumberOfBytesWritten;
WCHAR cFileName[32768];

extern "C" void entry() {
  if ((hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE)) != INVALID_HANDLE_VALUE) {
    int argc = 0;
    if (LPWSTR *argv = CommandLineToArgvW(GetCommandLineW(), &argc)) {
      if (1 < argc) {
        HANDLE hFile;
        if ((hFile = CreateFileW(argv[1], FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0)) != INVALID_HANDLE_VALUE) {
          NTSTATUS NtStatus; IO_STATUS_BLOCK IoStatusBlock; FILE_BASIC_INFORMATION FileBasicInformation;
          if ((NtStatus = NtQueryInformationFile(hFile, &IoStatusBlock, &FileBasicInformation, sizeof FileBasicInformation, FILE_INFORMATION_CLASS::FileBasicInformation)) == STATUS_SUCCESS) {
            LARGE_INTEGER FileTime; GetSystemTimeAsFileTime(reinterpret_cast<LPFILETIME>(&FileTime)); FileTime.QuadPart -= 21ll * 31'557'600 * 10'000'000;
            FileBasicInformation.CreationTime = FileBasicInformation.LastAccessTime = FileBasicInformation.LastWriteTime = FileBasicInformation.ChangeTime = FileTime;
            if (MoveFileW(argv[1], lstrcatW(lstrcpyW(cFileName, argv[1]), L"~21"))) {
              if ((NtStatus = NtSetInformationFile(hFile, &IoStatusBlock, &FileBasicInformation, sizeof FileBasicInformation, FILE_INFORMATION_CLASS::FileBasicInformation)) == STATUS_SUCCESS) {
                if (MoveFileW(cFileName, argv[1])) {
                  if ((NtStatus = NtSetInformationFile(hFile, &IoStatusBlock, &FileBasicInformation, sizeof FileBasicInformation, FILE_INFORMATION_CLASS::FileBasicInformation)) == STATUS_SUCCESS) {
                    WriteFile(hStdOutput, cFileBuffer, wsprintfA(cFileBuffer, "Forever21: \"%S\"\n", argv[1]), &nNumberOfBytesWritten, 0);
                  }
                }
              }
            }
          }
          CloseHandle(hFile);
        }
      }
      GlobalFree(argv);
    }
  }
  ExitProcess(0);
}

Windows Driver Kit is required for Visual Studio build. But MinGW-w64 is an easy alternative. For example, it's bundled with Strawberry Perl. MinGW-w64 build command line is:

gcc.exe -Wl,--gc-sections,--subsystem,console -fno-exceptions -fno-asynchronous-unwind-tables -fno-rtti -nostdlib -s -e entry -oForever21.exe -O2 Forever21.cpp -lkernel32 -luser32 -lshell32 -lntdll

x64 build: Forever21.7z, SHA1(Forever21.exe)= 72f6974085797d680c168a7151606ce4634fb152

at No comments:

Tuesday, September 3, 2019

NTFS Timestamps vs Memory Mapped File

TL;DR: Memory Mapped File I/O overwrites file content without changing any timestamp in $STANDARD_INFORMATION, and $FILE_NAME attributes.

During my recent job interview, a question about NTFS timestamps took me by surprise. Should admit, I never took file timestamps (without regards to NTFS) as the credential source of information about actual file creation/modification date/time. Traditionally, users, without any specific permissions, were able to alter file timestamps. For example, allegedly the very first PC virus Vienna used timestamp with 62 seconds value as an indicator of the already infected file. Timestamps may "drift" due to the timezone or daylight saving changes. In other words, for me, they were falling into the intelligence category ("if it were a fact, it wouldn't be called intelligence"). Well, enough of my preconceptions, let's check NTFS.

There are plenty of good resources about NTFS timestamps, and their usage in forensic analysis. I linked some of them which I found interesting.

Long story short, four timestamps per MFT file attribute - file creation, modification, access (in most cases not updated by OS), and modification of attribute itself. One $STANDARD_INFORMATION (later $SI) attribute, and at least one $FILE_NAME (later $FN) attribute per file, so at least eight timestamps per file. User mode Windows API (like GetFileTime and SetFileTime) let you get or set only creation, modification, and access timestamps in the $SI attribute only.

As the most simple thing first, I am interested in the modification of an already existing file. Apparently, there is no legit way (without direct disk access, OS exploit, etc.) to change the file content without altering the NTFS timestamps or metadata. I guess it shouldn't be a surprise what my first bet for this task is the Memory Mapped File I/O. Just as a short intro, Memory Mapped File I/O is the part of user mode Windows API which let you map a file (or part of it) into the process memory, so all changes in the memory will be reflected in a file on disk (at some moment). It's the fascinating feature (especially for a lazy programmer) with many applications (and implications), and there are some suggestions what it may do the trick (at least sometimes).

I did the preliminary research test on Windows 7 x64 build 7601, with subsequent verification on Windows 10 x64 build 1907. The file content modification is "x = x + 127" for every byte of file or its part. There are two significant observations:

  1. Memory Mapped File I/O lets you overwrite file content without changing any timestamp in the $SI, and $FN attributes. During tests with the file size up to 200MB, I didn't come across any case of timestamp change.
  2. There is the odd situation with the Log Sequence Number (LSN) value. If you don't overwrite the very last memory page (the very last "FileSize % (remainder) PageSize (4096 by default)" bytes of the file), the LSN value stays unchanged. The test program is trying to skip the very last page unless file size is less than 4096.

I guess, the obvious todos are: check LSN, and USN journal records for the related file change operations; check the same scenarios with the Large-Page enabled (starting with Windows 10, build 1703).

The test program takes one command-line argument - file name, there is no support for a file name wildcards. In case of success, the output is: "file name": altered region size(file size).

// TouchFile.cpp

#include <Windows.h>

HANDLE hStdOutput;
CHAR cFileBuffer[65536];
DWORD nNumberOfBytesWritten;

int main() {
  if ((hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE)) != INVALID_HANDLE_VALUE) {
    int argc = 0;
    if (LPWSTR * argv = CommandLineToArgvW(GetCommandLineW(), &argc)) {
      if (1 < argc) {
        HANDLE hFile;
        if ((hFile = CreateFileW(argv[1], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0)) != INVALID_HANDLE_VALUE) {
          if (HANDLE hFileMappingObject = CreateFileMappingW(hFile, 0, PAGE_READWRITE, 0, 0, 0)) {
            if (LPVOID lpBaseAddress = MapViewOfFile(hFileMappingObject, FILE_MAP_WRITE, 0, 0, 0)) {
              DWORD dwFileSize = GetFileSize(hFile, 0), dwTouchSize = 4096 < dwFileSize ? dwFileSize & ~4095 : dwFileSize;
              for (DWORD i = 0; i < dwTouchSize; i++) reinterpret_cast<BYTE*>(lpBaseAddress)[i] += 127;
              UnmapViewOfFile(lpBaseAddress);
              WriteFile(hStdOutput, cFileBuffer, wsprintfA(cFileBuffer, "\"%S\": %u(%u)\n", argv[1], dwTouchSize, dwFileSize), &nNumberOfBytesWritten, 0);
            }
            CloseHandle(hFileMappingObject);
          }
          CloseHandle(hFile);
        }
      }
      GlobalFree(argv);
    }
  }
  ExitProcess(0);
}

x64 build: TouchFile.7z, SHA1(TouchFile.exe)= c6f1f1c0adfb2bb7fdefc69165f765ebed55cbe8

Verification configuration: HP EliteBook 8730w, RAM 8GB, HDD OCZ-VERTEX4 512GB; Windows 10 x64 build 1907, clean install, default settings, all recommended updates (2019-08-30), offline user, no network connection; USB boot: Kali Linux Live 2019.2 (forensic mode), The Sleuth Kit 4.6.5. Verification scenario:

  1. Boot Windows: "xcopy /e /i ..." folder with test files (file size: 4095, 4096, 3MB), "certutil -hashfile ..." for file SHA1
  2. Boot Linux: "fls -i raw -f ntfs /dev/sda2 ...", "istat -i raw -f ntfs /dev/sda2 ..." for file metadata
  3. Boot Windows: "TouchFile ..." for file content overwrite
  4. Boot Linux: "istat -i raw -f ntfs /dev/sda2 ..." for file metadata
  5. Boot Windows: "certutil.exe -hashfile ..." for file SHA1
BeforeAfter
SHA1 C:\TestFolder\TestFile4095.tst 4c1732511805221435db376b8cbad7d0debf72cf

MFT Entry Header Values:
Entry: 124888        Sequence: 13
$LogFile Sequence Number: 537362867
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740432
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:40.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4095.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-4)   Name: N/A   Non-Resident   size: 4095  init_size: 4095
33536

SHA1 C:\TestFolder\TestFile4095.tst 0dd646c5f8e3f61fa7cad72a68de06cc50d063c8

MFT Entry Header Values:
Entry: 124888        Sequence: 13
$LogFile Sequence Number: 537882948
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740432
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:40.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~1.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4095.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 0    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-4)  Name: N/A  Non-Resident  size: 4095  init_size: 4095
33536

SHA1 C:\TestFolder\TestFile4096.tst 2b4104c0956ad137b3925920c7b8e4b3fd1df275

MFT Entry Header Values:
Entry: 124893        Sequence: 11
$LogFile Sequence Number: 537362895
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740928
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:34.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~2.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4096.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 4096  init_size: 4096
100611

SHA1 C:\TestFolder\TestFile4096.tst ba31ebd88c9abf4462da0ee43228720ba7775098

MFT Entry Header Values:
Entry: 124893        Sequence: 11
$LogFile Sequence Number: 537362895
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101740928
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:57:34.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~2.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile4096.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 4096    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 98
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 4096  init_size: 4096
100611

SHA1 C:\TestFolder\TestFile3516592.tst
f87e2398de1c05a8c7fe7cd97097cdc1b69da6ab

MFT Entry Header Values:
Entry: 124894        Sequence: 11
$LogFile Sequence Number: 537367229
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101741440
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:59:46.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:13.164794500 (UTC)
Accessed:      2019-08-31 07:45:13.164794500 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~3.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile3516592.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 104
Type: $DATA (128-1) Name: N/A Non-Resident size: 3516592 init_size: 3516592
4363616 4363617 4363618 4363619 4363620 4363621 4363622 4363623 
...
4364464 4364465 4364466 4364467 4364468 4364469 4364470 4364471 
4364472 4364473 4364474

SHA1 C:\TestFolder\TestFile3516592.tst
8623d77cdd8b00e4966ba1056319a1db61aa8ce1

MFT Entry Header Values:
Entry: 124894        Sequence: 11
$LogFile Sequence Number: 537367229
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 101741440
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 06:59:46.000000000 (UTC)
MFT Modified:  2019-08-31 07:45:13.164794500 (UTC)
Accessed:      2019-08-31 07:45:13.164794500 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~3.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile3516592.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 3518464    Actual Size: 0
Created:       2019-08-31 07:45:12.772832300 (UTC)
File Modified: 2019-08-31 07:45:12.772832300 (UTC)
MFT Modified:  2019-08-31 07:45:12.772832300 (UTC)
Accessed:      2019-08-31 07:45:12.772832300 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 104
Type: $DATA (128-1) Name: N/A Non-Resident size: 3516592 init_size: 3516592
4363616 4363617 4363618 4363619 4363620 4363621 4363622 4363623 
...
4364464 4364465 4364466 4364467 4364468 4364469 4364470 4364471 
4364472 4364473 4364474

SHA1 C:\TestFolder\TestFile235281024.tst
eb541e876895e8595e4fcb7322c183e7cabad382

MFT Entry Header Values:
Entry: 88106        Sequence: 10
$LogFile Sequence Number: 907469416
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 113449752
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-01 19:36:28.000000000 (UTC)
MFT Modified:  2019-09-03 09:14:44.548521800 (UTC)
Accessed:      2019-09-03 09:14:44.548521800 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~4.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile235281024.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 108
Type: $DATA (128-1) Name: N/A Non-Resident size: 235281024 init_size: 235281024
3959582 3959583 3959584 3959585 3959586 3959587 3959588 3959589 
...
4017014 4017015 4017016 4017017 4017018 4017019 4017020 4017021 
4017022 4017023 

SHA1 C:\TestFolder\TestFile235281024.tst
66817762fe8f32e065ea8c824367bdc8f47a3093

MFT Entry Header Values:
Entry: 88106        Sequence: 10
$LogFile Sequence Number: 907469416
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 2213  (S-1-5-21-2973299112-457765261-1731413466-1001)
Last User Journal Update Sequence Number: 113449752
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-01 19:36:28.000000000 (UTC)
MFT Modified:  2019-09-03 09:14:44.548521800 (UTC)
Accessed:      2019-09-03 09:14:44.548521800 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TESTFI~4.TST
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

$FILE_NAME Attribute Values:
Flags: Archive
Name: TestFile235281024.tst
Parent MFT Entry: 78985  Sequence: 8
Allocated Size: 235282432    Actual Size: 0
Created:       2019-09-03 09:14:18.591216000 (UTC)
File Modified: 2019-09-03 09:14:18.591216000 (UTC)
MFT Modified:  2019-09-03 09:14:18.591216000 (UTC)
Accessed:      2019-09-03 09:14:18.591216000 (UTC)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 108
Type: $DATA (128-1) Name: N/A Non-Resident size: 235281024 init_size: 235281024
3959582 3959583 3959584 3959585 3959586 3959587 3959588 3959589 
...
4017014 4017015 4017016 4017017 4017018 4017019 4017020 4017021 
4017022 4017023
at No comments:
Subscribe to: Comments (Atom)

NTFS Timestamps vs NtSetInformationFile & MoveFile

TL;DR: NtSetInformationFile, MoveFileW, NtSetInformationFile sequence overwrites all timestamps in $STANDARD_INFORMATION, and $FILE_NAME a...