Detect anomalies in NTFS timestamps #743

Open

kiddinn opened this issue Dec 17, 2018 · 3 comments

Comments

@kiddinn
Contributor

kiddinn commented Dec 17, 2018

Some ideas to look for:

  • Anomalies in directories where data is rarely written to and should mostly be in sequential order; detecting these would involve inspecting MFT sequence numbers and comparing them to creation times, in directories such as Windows/System32.
    • Map up all these directories
    • There will be FPs, find ways to tune the amount of FPs to minimum
  • $I30 entries and compare to other entries in timeline
  • Anomalies in $SI and $FN timestamps
  • Examine "sequential" data in the OS, e.g., LNK files and entries in the Windows Registry that could point to timestomping behavior
  • Look at EventLog entries

For each of these anomalies:

  • Flag/label or add an attribute.
  • Add a graph for visualizing/summary (when graphing becomes easier to achieve)

Most of these depend on the $MFT parser in plaso, but also on the Registry and EventLog parsers and potentially a few others having run in order to do all the checks.

Since these will most likely produce quite a few FPs, it would be good to have some sort of way to "flag/mark" FPs and/or tune the analyzer in order to minimize those as much as possible.
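
As an added example (not Timesketch or plaso code), the first two ideas above, the $SI vs $FN comparison and the entry-number vs creation-time ordering in a mostly static directory such as Windows/System32, written as Python heuristics over already-parsed $MFT records. The MftRecord field names, the 30-day tolerance, the label strings and the sample records are this example's own assumptions, not anything plaso emits.

```python
"""Heuristic timestomping checks over parsed $MFT records.

Added example for this issue; it is not Timesketch or plaso code. It assumes
the $MFT has already been parsed into MftRecord objects (field names,
thresholds and the sample records below are this example's own assumptions).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median_low
from typing import Iterable


@dataclass(frozen=True)
class MftRecord:
    """One parsed $MFT entry (assumed shape, not plaso's attribute names)."""
    entry: int              # MFT entry (record) number
    path: str               # full path on the volume
    si_created: datetime    # $STANDARD_INFORMATION creation time
    fn_created: datetime    # $FILE_NAME creation time


def si_fn_anomalies(rec: MftRecord) -> list[str]:
    """Labels for $SI vs $FN inconsistencies on a single record."""
    labels = []
    # The kernel sets $FN times on create/rename; user-mode APIs such as
    # SetFileTime only write $SI. A $SI creation time older than the $FN
    # creation time therefore points at a backdated $SI.
    if rec.si_created < rec.fn_created:
        labels.append("si_created_before_fn_created")
    # NTFS stores 100 ns resolution. Many timestomping tools write whole
    # seconds, so a zero fractional part in $SI while $FN keeps one is a tell.
    if rec.si_created.microsecond == 0 and rec.fn_created.microsecond != 0:
        labels.append("si_zero_fraction")
    return labels


def sequence_anomalies(records: Iterable[MftRecord], prefix: str,
                       tolerance: timedelta = timedelta(days=30)) -> list[int]:
    """Entry-number vs creation-time check for a mostly static directory.

    Files laid down together (OS install) get neighbouring entry numbers and
    neighbouring creation times. A record allocated after that bulk (entry
    above the directory's median entry number) whose $SI creation time
    predates the bulk (older than the median creation time by more than
    `tolerance`) is flagged. A reused low entry with a genuinely new creation
    time is not flagged; a backdated file that landed in a reused low entry
    is missed, which is the trade-off this check makes against FPs.
    """
    in_dir = [r for r in records if r.path.lower().startswith(prefix.lower())]
    if len(in_dir) < 3:
        return []
    median_entry = median_low(r.entry for r in in_dir)
    baseline = median_low(r.si_created for r in in_dir)
    return [r.entry for r in in_dir
            if r.entry > median_entry and r.si_created < baseline - tolerance]


def analyze(records: Iterable[MftRecord],
            prefix: str = "\\Windows\\System32\\") -> dict[int, list[str]]:
    """Map of MFT entry -> anomaly labels, the attributes an analyzer would add."""
    records = list(records)
    labels: dict[int, list[str]] = {}
    for rec in records:
        for label in si_fn_anomalies(rec):
            labels.setdefault(rec.entry, []).append(label)
    for entry in sequence_anomalies(records, prefix):
        labels.setdefault(entry, []).append("entry_newer_than_claimed_creation")
    return labels


def _t(stamp: str, micro: int = 0) -> datetime:
    return datetime.fromisoformat(stamp).replace(microsecond=micro, tzinfo=timezone.utc)


# Constructed sample records for this example; not real evidence.
SAMPLE_RECORDS = [
    MftRecord(1000, r"\Windows\System32\kernel32.dll",
              _t("2018-04-11 23:34:01", 482113), _t("2018-04-11 23:34:01", 482113)),
    MftRecord(1001, r"\Windows\System32\ntdll.dll",
              _t("2018-04-11 23:34:02", 110405), _t("2018-04-11 23:34:02", 110405)),
    MftRecord(1002, r"\Windows\System32\user32.dll",
              _t("2018-04-11 23:34:02", 903377), _t("2018-04-11 23:34:02", 903377)),
    MftRecord(1003, r"\Windows\System32\advapi32.dll",
              _t("2018-04-11 23:34:03", 17640), _t("2018-04-11 23:34:03", 17640)),
    # Reused low entry number holding a genuinely new file: must not be flagged.
    MftRecord(77, r"\Windows\System32\newdriver.sys",
              _t("2018-11-02 08:12:44", 55019), _t("2018-11-02 08:12:44", 55019)),
    # Dropped Dec 2018; $SI creation backdated to 2009 as a whole-second value.
    MftRecord(1009, r"\Windows\System32\svchosts.dll",
              _t("2009-07-14 01:39:27", 0), _t("2018-12-17 10:15:30", 654321)),
    MftRecord(2100, r"\Users\bob\notes.txt",
              _t("2018-12-16 19:02:11", 7), _t("2018-12-16 19:02:11", 7)),
]

if __name__ == "__main__":
    for entry, found in sorted(analyze(SAMPLE_RECORDS).items()):
        print(entry, found)
```

On the constructed sample only entry 1009 gets labels, and it gets all three; the install-era files and the reused low entry 77 stay clean. The labels are the kind of attribute the issue asks to attach to an event; tuning for FPs would mostly be a matter of the `tolerance` value and of which directories are treated as static.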

@kiddinn
Contributor Author

kiddinn commented Dec 17, 2018

The first step here is to research what possible evidence there can be that can aid in detecting these anomalies.

The second step is to experiment with it a bit and write the outlier detection logic.

The third step is to add graphs and/or some other sort of visualization that can be done to surface these anomalies better.

@kiddinn
Contributor Author

kiddinn commented Dec 17, 2018

Also look at EventLogs.

@joachimmetz
Member

joachimmetz commented Jan 15, 2019

Please document the research; also think of using $UsnJrnl:$J and TxF.

Also consider detecting a broader set of time manipulation, such as that done by the OLK (secure temp) folder and OLECF files.

@berggren changed the title from "Detect anomalies in NTFS timestamps in order to find potential signs of timestomping" to "Detect anomalies in NTFS timestamps" on Aug 27, 2020
@jaegeral added this to the Future milestone on Jul 7, 2021
@berggren assigned jkppr and unassigned kiddinn on Sep 17, 2023
@berggren removed this from the Future milestone on Sep 25, 2023