Timestomping Exercise

1. Introduction

• At the RatherInsecure Bank, a USB Stick is used to import account data into the core banking system.

• The employee in charge of the import left the USB Stick unattended for several days.

• Shortly after the next import, a customer complained that money was missing from his account with number 222222222.

• It was quickly determined, that customer Adams somehow gained access to the account. The current assumption is, that a new file was created on the USB Stick, which was wrongfully imported. It is unclear when this happened.

• Another analyst has already created an image of the found stick using dd. You can download it here:

2MB

timestomping.zip

archive

Your task is to:

• Analyze the data on the USB Stick. Describe what files were created directly on the usb stick and which ones were probably moved (volume move) there.

• Describe two different time anomalies that are observed while analyzing the USB Stick.

• Determine what file timestamps were tempered with.

• Determine the real time the file NewestAccounts.txt was created / last modified

2. Linux Analysis

mkdir /mnt/usb_stick2

Mount timestomping.dd image:

mount -o ro,loop,show_sys_files,streams_interface=windows timestomping.dd /mnt/usb_stick2

Check inode number:

ls -lia

Here we can see the first anamoly. The inode number / file id usually roughly aligns with the time when a file is created. Notice, how the file NewestAccounts.txt has an inode number of 41 but is created significantly earlier (Apr 1 2019) than other files on the device!

Let's have a closer look on the timestamp:

ls --full-time

It is highly unlikely that a file ever has a millisecond timestamp of zero on an NTFS filesystem.

• However, the file NewestAccounts.txt does have such a zero millisecond timestamp (000000000 in 17:30:32.000000000).

• This is a very direct indication towards the presence of timestomping.

• Furthermore, the timestamp is created from another timezone than the other files present on the drive. This is indicated by the offset +0200 (instead of +0100).

For the further analysis we can use Sleuthkit:

fls -r ./timestomping.dd