# Timestomping Exercise

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FFPFi0xCfBN9q0MzrIYWU%2Ftimestomp.png?alt=media\&token=0717f0e3-e952-4d17-aedb-43c8151e2ba5)

### 1. Introduction

* At the RatherInsecure Bank, a USB Stick is used to import account data into the core banking system.
* The employee in charge of the import left the USB Stick unattended for several days.
* Shortly after the next import, a customer complained that money was missing from his account with number 222222222.
* It was quickly determined that customer Adams somehow gained access to the account. The current assumption is that a new file was created on the USB Stick and was wrongfully imported. It is unclear when this happened.
* Another analyst has already created an image of the found stick using dd. You can download it here:

{% file src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FfVBqLSvLreYOnqhjhigo%2Ftimestomping.zip?alt=media&token=1a4b57c9-160c-4c14-b0ed-1029bec369db" %}

Your task is to:

* Analyze the data on the USB Stick. Describe which files were created directly on the USB Stick and which ones were probably moved (volume move) there.
* Describe two different time anomalies that are observed while analyzing the USB Stick.
* Determine which file timestamps were tampered with.
* Determine the real time the file NewestAccounts.txt was created / last modified.

### 2. Linux Analysis

`mkdir /mnt/usb_stick2`

Mount timestomping.dd image:

`mount -o ro,loop,show_sys_files,streams_interface=windows timestomping.dd /mnt/usb_stick2`

Check inode number:

`ls -lia`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FNeTUgznpmTg9wv1tLJpF%2Fanomaly01.png?alt=media&#x26;token=0d73eb71-a18a-4d5b-abe4-5a45302679ed" alt=""></div>

Here we can see the first anomaly. The `inode number` / file id usually roughly aligns with the time when a file is created, because NTFS hands out MFT entries sequentially.\
Notice how the file `NewestAccounts.txt` has an inode number of 41 but was created significantly earlier (Apr 1 2019) than other files on the device!

Let's have a closer look at the timestamps:

`ls --full-time`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FnyDVeQbdxx8fnwWcYxKT%2Fanomaly02.png?alt=media\&token=719eeda6-0f13-480a-8673-7535bc0857ea)

It is highly unlikely that a file ever has a millisecond timestamp of zero on an NTFS filesystem.

* However, the file **NewestAccounts.txt** does have such a zero millisecond timestamp (<mark style="color:red;">000000000 in 17:30:32.000000000</mark>).
* This is a very direct indication of the presence of timestomping: tools that set timestamps typically only accept second precision, leaving the sub-second part at zero.
* Furthermore, the timestamp carries a different timezone offset than the other files present on the drive: +0200 instead of +0100.
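The three checks above (inode order vs. timestamp order, zero sub-second part, and odd timezone offset) can be automated over a directory listing. The following is an added example, not part of the original exercise: it parses constructed `ls -li --full-time` output (the time `ls` shows is the modification time) and reports which entries trip which check.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in `ls -li --full-time` format; not the real output of the
# exercise image. Inode 41 carries a zero-fraction, +0200 timestamp on purpose.
SAMPLE_LS = """\
35 -rwxrwxrwx 1 root root 1024 2021-03-10 09:12:44.123456700 +0100 Accounts_Jan.txt
36 -rwxrwxrwx 1 root root 1024 2021-03-10 09:13:02.554312900 +0100 Accounts_Feb.txt
37 -rwxrwxrwx 1 root root 1024 2021-03-11 14:05:19.887100300 +0100 Accounts_Mar.txt
41 -rwxrwxrwx 1 root root 1024 2019-04-01 17:30:32.000000000 +0200 NewestAccounts.txt
42 -rwxrwxrwx 1 root root 1024 2021-03-12 08:40:01.336604100 +0100 Accounts_Apr.txt
"""

# inode, mode, links, owner, group, size, date, time.fraction, tz, name
LINE_RE = re.compile(
    r"^(?P<inode>\d+)\s+\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.(?P<frac>\d{9}) "
    r"(?P<tz>[+-]\d{4}) (?P<name>.+)$"
)

def parse_ls(text):
    """Turn `ls -li --full-time` lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']} {m['tz']}",
                               "%Y-%m-%d %H:%M:%S %z")
        entries.append({"inode": int(m["inode"]), "ts": ts, "frac": m["frac"],
                        "tz": m["tz"], "name": m["name"]})
    return entries

def find_anomalies(entries):
    """Return (name, reason) pairs for the three timestomping heuristics."""
    findings = []
    common_tz = Counter(e["tz"] for e in entries).most_common(1)[0][0]
    by_inode = sorted(entries, key=lambda e: e["inode"])
    for i, e in enumerate(by_inode):
        if e["frac"] == "000000000":
            findings.append((e["name"], "zero fractional seconds"))
        if e["tz"] != common_tz:
            findings.append((e["name"], f"timezone {e['tz']} differs from {common_tz}"))
        # Heuristic: a higher inode should not be older than every lower one.
        # Aware datetimes compare correctly across different offsets.
        if any(p["ts"] > e["ts"] for p in by_inode[:i]):
            findings.append((e["name"], "timestamp predates files with lower inode numbers"))
    return findings
```

On a real image, feed it the output of `ls -li --full-time` on the mounted volume; the inode-order check is a heuristic and deserves manual confirmation against `istat`.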

For further analysis we can use The Sleuth Kit, which lists the file entries directly from the image without mounting it:

`fls -r ./timestomping.dd`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FdgrkrZ2T8oCkPFEmOnR7%2Fanomaly03.png?alt=media&#x26;token=5903f947-95e4-428a-8dde-94cfee489071" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FJPmu3V1p96k2wD91tsg4%2Fanomaly04.png?alt=media&#x26;token=687b94cb-2548-496c-a50f-83a12b72394d" alt=""></div>
