Timestomping Exercise

1. Introduction

  • At the RatherInsecure Bank, a USB Stick is used to import account data into the core banking system.

  • The employee in charge of the import left the USB Stick unattended for several days.

  • Shortly after the next import, a customer complained that money was missing from his account with number 222222222.

  • It was quickly determined that customer Adams somehow gained access to the account. The current assumption is that a new file was created on the USB Stick and wrongfully imported. It is unclear when this happened.

  • Another analyst has already created an image of the found stick using dd. You can download it here:

Your task is to:

  • Analyze the data on the USB Stick. Describe which files were created directly on the USB Stick and which ones were probably moved there from another volume (volume move).

  • Describe two different time anomalies that are observed while analyzing the USB Stick.

  • Determine which file timestamps were tampered with.

  • Determine the real time the file NewestAccounts.txt was created / last modified.

2. Linux Analysis

mkdir /mnt/usb_stick2

Mount the timestomping.dd image read-only via a loop device. The ntfs-3g options show_sys_files and streams_interface=windows expose the NTFS metadata files ($MFT etc.) and alternate data streams in the mounted tree:

mount -o ro,loop,show_sys_files,streams_interface=windows timestomping.dd /mnt/usb_stick2

List the files together with their inode numbers:

ls -lia /mnt/usb_stick2

Here we can see the first anomaly. On an ntfs-3g mount the inode number shown by ls is the MFT record number of the file. MFT records are handed out roughly in order of creation, so a higher number usually means a later file (a freed record can be reused, so this is a heuristic, not proof). Notice how the file NewestAccounts.txt has inode number 41, yet its timestamp (Apr 1 2019) is significantly earlier than those of the lower-numbered files on the device! Keep in mind that ls -l prints the last-modified time from $STANDARD_INFORMATION, not the creation time.

Let's have a closer look at the timestamps, including their sub-second part and UTC offset:

ls --full-time /mnt/usb_stick2

NTFS stores timestamps with 100 ns resolution, so it is highly unlikely that a file naturally ends up with a sub-second part of exactly zero.

  • However, the file NewestAccounts.txt does have such a zero fractional timestamp (the 000000000 in 17:30:32.000000000).

  • Tools that set a timestamp from a human-readable value in whole seconds leave the fractional part at zero, so this is a strong indicator of timestomping. The reverse does not hold: a tool can just as well write a full-precision value, so a non-zero fraction clears nothing.

  • Furthermore, the timestamp is displayed with a different UTC offset (+0200) than the other files on the drive (+0100). NTFS stores all timestamps in UTC and ls converts them to the local time zone of the analysis machine, so the differing offset only means that this date falls into daylight-saving time there; it is not evidence of a different origin time zone. What it does show is that the claimed date lies well apart from the rest of the activity on the stick, which fits the other two indicators.
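The two listing-based checks above, scripted, as an added example that is not part of the original exercise: the script parses the output of ls -lia --full-time taken on the ntfs-3g mount and flags files whose MFT record number is out of order with their timestamp as well as timestamps with an all-zero fraction. The sample listing is constructed; only the NewestAccounts.txt line (inode 41, 2019-04-01 17:30:32.000000000 +0200) mirrors the exercise text, the other file names and times are hypothetical. Timestamps are compared as timezone-aware values, so the +0100/+0200 difference caused by daylight-saving time cannot produce false positives.

```python
"""Triage script for the two $STANDARD_INFORMATION anomalies described above.

It parses the output of `ls -lia --full-time` taken on the ntfs-3g mount and
flags (1) files whose MFT record number (the inode number on ntfs-3g) is out of
order with their timestamp and (2) timestamps with an exactly zero sub-second
part.  Timestamps are compared as timezone-aware values, so the +0100/+0200
difference caused by daylight-saving time cannot produce false positives.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: only the NewestAccounts.txt line mirrors the exercise
# (inode 41, 2019-04-01 17:30:32.000000000 +0200); the other entries are
# hypothetical files written in winter time (+0100).
SAMPLE_LISTING = """\
total 12
     5 drwxrwxrwx 1 root root    0 2019-12-02 08:45:10.734129100 +0100 .
     2 drwxr-xr-x 3 root root 4096 2020-01-20 10:00:00.000000000 +0100 ..
    37 -rwxrwxrwx 1 root root 2048 2019-10-28 09:02:11.512893100 +0100 Accounts_Oct.txt
    38 -rwxrwxrwx 1 root root 2112 2019-11-04 08:57:40.231455800 +0100 Accounts_Nov.txt
    39 -rwxrwxrwx 1 root root 2170 2019-12-02 08:45:10.734129100 +0100 Accounts_Dec.txt
    41 -rwxrwxrwx 1 root root  120 2019-04-01 17:30:32.000000000 +0200 NewestAccounts.txt
"""

# One `ls -lia --full-time` line: inode, mode, link count, owner, group, size,
# date, time with nine fractional digits, UTC offset, file name.
LS_LINE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<mode>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.(?P<frac>\d{9}) "
    r"(?P<tz>[+-]\d{4}) (?P<name>.+)$"
)


@dataclass
class Entry:
    inode: int          # MFT record number on an ntfs-3g mount
    name: str
    mtime: datetime     # $STANDARD_INFORMATION modification time, timezone-aware
    frac_ns: int        # sub-second part as printed by ls (nanoseconds)


def parse_listing(text: str) -> list[Entry]:
    """Turn ls output into Entry objects, skipping 'total', '.' and '..'."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m or m["name"] in (".", ".."):
            continue
        stamp = datetime.strptime(
            f'{m["date"]} {m["time"]} {m["tz"]}', "%Y-%m-%d %H:%M:%S %z"
        )
        entries.append(Entry(int(m["inode"]), m["name"], stamp, int(m["frac"])))
    return entries


def zero_fraction_anomalies(entries: list[Entry]) -> list[str]:
    """NTFS keeps 100 ns resolution; an all-zero fraction is what a tool that
    sets the time from a whole-second value leaves behind."""
    return [e.name for e in entries if e.frac_ns == 0]


def inode_order_anomalies(entries: list[Entry]) -> list[str]:
    """MFT records are allocated roughly in creation order, so a record should
    not carry a timestamp earlier than the latest timestamp among the
    lower-numbered records.  Caveat: freed records get reused, so treat a hit
    as a lead, not as proof."""
    flagged, latest = [], None
    for e in sorted(entries, key=lambda e: e.inode):
        if latest is not None and e.mtime < latest:
            flagged.append(e.name)
        latest = e.mtime if latest is None else max(latest, e.mtime)
    return flagged


def triage(text: str) -> dict[str, list[str]]:
    """Run both checks and return the flagged file names per check."""
    entries = parse_listing(text)
    return {
        "zero_fraction": zero_fraction_anomalies(entries),
        "inode_order": inode_order_anomalies(entries),
    }


if __name__ == "__main__":
    # Against a real image: ls -lia --full-time /mnt/usb_stick2 > listing.txt
    for check, names in triage(SAMPLE_LISTING).items():
        print(f"{check}: {names}")
```

Both checks flag NewestAccounts.txt on the sample. A hit on either check is a lead to follow up with the $FILE_NAME timestamps of the MFT record, not a verdict on its own.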

For further analysis we can use The Sleuth Kit. fls lists every file in the image together with its MFT entry number; istat on such an entry then shows both the $STANDARD_INFORMATION and the $FILE_NAME timestamps, and a $STANDARD_INFORMATION time that lies before the corresponding $FILE_NAME time is the classic sign of a stomped timestamp, because the $FILE_NAME times cannot be set through the normal user-mode API:

fls -r ./timestomping.dd
