Episode 07: MACB timestamps made easy with Mohaimin

Hi there, this is Mohaimin again, and today we’re going to chat about MACB timestamps – the timekeepers in the digital world.

Timestamps are like digital detectives for folks in Digital Forensics and Incident Response (DFIR). They help us piece together the puzzle of what happened when in the digital realm, making investigations way easier!

Now first, let’s understand what MACB stands for.

  • M: Data inside the file Modified.
  • A: File got Accessed.
  • C: Metadata Changed. Example: file name.
  • B: File Birth/creation time.

Now we all know how naughty Microsoft is with times; they can change whenever they want :p

My all-time favourite resource to look up Windows time rules is the following SANS poster. You can find the poster at this link: https://www.sans.org/posters/windows-forensic-analysis/

Now today, I will talk about three points from this poster that are really key to some investigations.

1. Modification time before creation time:

Now, here’s something quite peculiar: the modification timestamp sometimes precedes the creation timestamp. It might seem a bit odd at first glance, right? How can something be modified before it’s even created? Well, Microsoft has an explanation for this quirk. When you simply copy a file, the A, C and B timestamps are all refreshed, while only the modification time (M time) is inherited from the original file.

Now, during a super timeline investigation, if you stumble upon a suspicious file, let’s say a tiny executable named “a.exe,” and notice that its modification timestamp predates its birth timestamp, this is a significant red flag. It strongly hints at potential lateral movement. Using this timestamp as a pivot point, you might uncover network activities showing a connection from a different machine to the one with “a.exe.” These could be signs of network logon activities. In a nutshell, you’ve likely caught an intruder red-handed, as they might have just dropped a malicious program onto the machine. Bingo!
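As an added example (not code from the original post), here is a small Python check that applies this rule to a constructed Sleuth Kit bodyfile timeline: it flags entries whose M time predates their B time and returns a pivot window around the birth time for correlating logon events. The file names, timestamps and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in Sleuth Kit bodyfile format (what mactime-style timelines
# are built from). Field order:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Times are Unix epoch seconds (UTC). Names and values are made up for the demo.
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/notepad.exe|1001|r/rrwxrwxrwx|0|0|201216|1700000000|1650000000|1650000000|1650000000
0|C:/Users/Public/a.exe|2002|r/rrwxrwxrwx|0|0|4096|1700003600|1690000000|1700003600|1700003600
0|C:/Users/Public/report.docx|2003|r/rrwxrwxrwx|0|0|20480|1700010000|1700009000|1700009000|1700008000
"""


def parse_bodyfile(text):
    """Parse bodyfile lines into dicts holding the four MACB timestamps as datetimes."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"unexpected field count in line: {line!r}")
        atime, mtime, ctime, crtime = (
            datetime.fromtimestamp(int(v), tz=timezone.utc) for v in fields[7:11]
        )
        entries.append({"name": fields[1], "M": mtime, "A": atime, "C": ctime, "B": crtime})
    return entries


def find_modified_before_born(entries):
    """Return entries whose M time predates B time (the copy-inherited-M pattern).

    A time is deliberately not consulted: it changes on moves and is unreliable.
    """
    return [e for e in entries if e["M"] < e["B"]]


def pivot_window(entry, minutes=10):
    """Window around the birth time in which to look for network logon events."""
    delta = timedelta(minutes=minutes)
    return (entry["B"] - delta, entry["B"] + delta)


if __name__ == "__main__":
    for hit in find_modified_before_born(parse_bodyfile(SAMPLE_BODYFILE)):
        lo, hi = pivot_window(hit)
        print(f"{hit['name']}: M={hit['M']:%Y-%m-%d %H:%M:%S} < B={hit['B']:%Y-%m-%d %H:%M:%S}; "
              f"pivot window {lo:%H:%M:%S}-{hi:%H:%M:%S} UTC")
```

Only a.exe is flagged in the sample; notepad.exe has M equal to B and report.docx was modified after it was born, which is the normal order.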

2. Why should we try our best to disregard access time in an investigation?

Disregarding access time during an investigation is often a smart move because interpreting A (Access) timestamps can be tricky. For instance, when you move a file from one folder to another (yes, I am talking to you, Temp) on your computer, the Access timestamp can change, even though the file’s content remains unchanged and you haven’t opened the file. This makes it hard to determine accurately whether someone accessed the file maliciously or merely moved it. Focusing on M (Modification) and B (Birth) timestamps is more reliable for assessing malicious activities.

3. We can’t track deletion time:

Now, when we delete a file, none of the MACB timestamps change. So, if you’re playing detective and wonder whether your colleague, Employee X, pulled a Houdini act on file Y at a certain time, the timestamps won’t reveal that information. But fret not, there’s a solution using $UsnJrnl to uncover deletion times, but that’s a topic for another day.

So, MACB timestamps are like our digital footsteps, helping us uncover the timeline of digital actions. While they might not tell us everything, we’ve got some cool tools to unveil the sneakiest digital moves. Also, let me know whether you liked my blog, or how I can improve.

Thanks for the read.
