Interactive Lab: MFT Deep Dive

14 hours · Module 1 · Free
Interactive Lab
This lab applies the MFT analysis techniques from WF1.1 through WF1.12 to a realistic forensic scenario. You will examine MFT data from the ransomware investigation (INC-NE-2026-1022), identify timestomped files, recover deleted file metadata, reconstruct the attack timeline from MFT timestamps, and produce a forensic summary of your findings. The lab uses the scenario engine to present evidence, pose analysis questions, and provide feedback on your decisions.
Deliverable: Completed MFT analysis exercise demonstrating timestomping detection, deleted file identification, timeline construction, and forensic finding documentation.
Estimated completion: 45 minutes

Lab: MFT Analysis — Ransomware Investigation (INC-NE-2026-1022)

You are the forensic examiner assigned to analyze the MFT from DESKTOP-NGE-FIN01, the patient zero workstation in the Northgate Engineering ransomware incident. The MFT has been extracted with KAPE and parsed with MFTECmd. Your objectives:

1. Identify attacker tools — Find executables deployed by the attacker in staging directories. Apply timestomping detection to determine real deployment times.

2. Reconstruct the encryption timeline — Identify the mass file modification event that represents the ransomware encryption. Determine the start time, duration, encryption speed, and affected directories.

3. Recover deleted evidence — Identify deleted MFT entries in the attacker's staging directories. Determine what metadata is recoverable and assess whether any deleted files had resident data.

4. Produce findings — Document three key MFT findings with evidence attribution, confidence assessment, and the real timeline.

Evidence Set

The following MFTECmd output data represents records extracted from DESKTOP-NGE-FIN01. Examine each evidence block and answer the analysis questions.

---

Evidence Block 1 — Attacker Staging Directory

Seven files found in C:\ProgramData\Updates\:

Entry   Seq  InUse  FileName            Created0x10 ($SI)            Created0x30 ($FN)            Size
45231   3    True   svchost-helper.exe  2025-08-15T09:00:00.0000000  2026-03-18T02:12:44.3456721  287,744
45232   5    True   update-service.dll  2025-08-15T09:00:00.0000000  2026-03-18T02:12:45.1234567  156,672
45233   2    True   config.dat          2025-08-15T09:00:00.0000000  2026-03-18T02:12:45.8901234    4,096
45234   4    True   mshelper64.exe      2025-08-15T09:00:00.0000000  2026-03-18T02:13:01.5678901  524,288
45235   2    True   locker.exe          2025-08-15T09:00:00.0000000  2026-03-18T02:13:02.3456789  389,120
45800   7    True   readme.txt          2026-03-18T02:14:28.9012345  2026-03-18T02:14:28.9012345    1,247
45801   3    True   cleanup.bat         2026-03-18T02:17:55.6789012  2026-03-18T02:17:55.6789012      312

Analysis Question 1: Which files show evidence of timestomping? What is the classification (confirmed, probable, possible) for each, and what is the real deployment time?

Five files are timestomped (entries 45231–45235):
- All five have identical $SI Created timestamps (2025-08-15T09:00:00.0000000) with zero fractional seconds
- All five have $FN Created timestamps in March 2026 (02:12–02:13 window)
- Temporal inversion: $SI Created is 7 months before $FN Created
- Classification: Confirmed timestomping (Method 1: temporal inversion + Method 2: zero fractional seconds)
- Real deployment time: March 18, 2026, 02:12:44 to 02:13:02 (from $FN Created)

Two files are NOT timestomped (entries 45800–45801):
- readme.txt and cleanup.bat have matching $SI and $FN Created timestamps with full nanosecond precision
- readme.txt is likely the ransom note (created just before encryption started)
- cleanup.bat is the post-encryption cleanup script (created after encryption completed)
- The attacker timestomped the main tools but not the operational files created during the attack
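The two indicators used in the answer above (temporal inversion of $SI and $FN Created, and a zero fractional-seconds $SI value) are easy to apply by hand to seven rows but not to a full MFT. The script below is an added example, not part of the course or of MFTECmd: it rebuilds Evidence Block 1 as a constructed CSV (column names are assumed to follow MFTECmd's naming), classifies each row, and reports the real deployment window. The lab only defines "confirmed" (both indicators present); mapping a single indicator to "probable" (inversion only) or "possible" (zero fractional seconds only) is this example's own assumption.

```python
import csv
import io
from datetime import datetime

# Constructed MFTECmd-style CSV reproducing Evidence Block 1. Column names are assumed
# to follow MFTECmd's naming; the text is built for this example, not real tool output.
EVIDENCE_BLOCK_1 = """EntryNumber,SequenceNumber,InUse,FileName,Created0x10,Created0x30,FileSize
45231,3,True,svchost-helper.exe,2025-08-15T09:00:00.0000000,2026-03-18T02:12:44.3456721,287744
45232,5,True,update-service.dll,2025-08-15T09:00:00.0000000,2026-03-18T02:12:45.1234567,156672
45233,2,True,config.dat,2025-08-15T09:00:00.0000000,2026-03-18T02:12:45.8901234,4096
45234,4,True,mshelper64.exe,2025-08-15T09:00:00.0000000,2026-03-18T02:13:01.5678901,524288
45235,2,True,locker.exe,2025-08-15T09:00:00.0000000,2026-03-18T02:13:02.3456789,389120
45800,7,True,readme.txt,2026-03-18T02:14:28.9012345,2026-03-18T02:14:28.9012345,1247
45801,3,True,cleanup.bat,2026-03-18T02:17:55.6789012,2026-03-18T02:17:55.6789012,312
"""


def parse_ts(s: str) -> tuple:
    """Split a 7-digit-precision timestamp into (datetime, 100 ns ticks) so no precision
    is lost and the fractional part can be tested for the all-zero pattern."""
    main, frac = s.split(".")
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S"), int(frac.ljust(7, "0"))


def classify(si_created: str, fn_created: str) -> dict:
    """Apply the lab's two indicators. 'confirmed' (both present) is the lab's rule; the
    single-indicator labels 'probable' / 'possible' are this example's assumption."""
    si, fn = parse_ts(si_created), parse_ts(fn_created)
    inverted = si < fn          # Method 1: $SI Created earlier than $FN Created
    zero_frac = si[1] == 0      # Method 2: $SI Created carries zero fractional seconds
    if inverted and zero_frac:
        cls = "confirmed"
    elif inverted:
        cls = "probable"
    elif zero_frac:
        cls = "possible"
    else:
        cls = "none"
    return {"classification": cls, "temporal_inversion": inverted,
            "zero_fractional_seconds": zero_frac,
            # when $SI has been altered, $FN Created is the trustworthy creation time
            "real_created": fn_created if inverted else si_created}


def detect_timestomping(csv_text: str) -> list:
    """Classify every row of an MFTECmd-style CSV export."""
    results = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(r["Created0x10"], r["Created0x30"])
        results.append({"entry": int(r["EntryNumber"]), "file": r["FileName"], **verdict})
    return results


def deployment_window(results: list) -> tuple:
    """Earliest and latest real creation time among timestomped rows: the actual deployment window."""
    stomped = [r["real_created"] for r in results if r["classification"] != "none"]
    return (min(stomped), max(stomped)) if stomped else (None, None)


if __name__ == "__main__":
    rows = detect_timestomping(EVIDENCE_BLOCK_1)
    for r in rows:
        print(f'{r["entry"]}  {r["file"]:<20} {r["classification"]:<10} real created {r["real_created"]}')
    print("deployment window:", *deployment_window(rows))
```

Run against the constructed block, the five staging-directory entries come back "confirmed" with their $FN Created values as the real creation times, and readme.txt and cleanup.bat come back "none". The same functions run unchanged over a real MFTECmd export once the column names are confirmed against the file header.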

---

Evidence Block 2 — Encryption Event

Mass file modification detected across user directories:

Time Window                           Files Modified  Directories Affected  Avg Interval
02:14:33.1234567 – 02:18:47.8901234   2,847           12                    ~85ms

The $SI Modified timestamps increase monotonically with consistent ~85ms intervals. All affected files also show a $SI Entry Modified timestamp matching the $SI Modified timestamp (indicating both data and metadata were changed simultaneously).

Analysis Question 2: What does this pattern represent? Calculate the encryption speed and estimate the total data encrypted (average file size 47 KB).

This is the ransomware encryption event:
- Duration: 4 minutes 14.77 seconds (02:14:33 to 02:18:47)
- Files encrypted: 2,847
- Speed: ~11.2 files per second (2,847 ÷ 254.77 seconds)
- Estimated data: ~130 MB (2,847 × 47 KB)
- The monotonically increasing timestamps with consistent intervals confirm automated processing — no human operates at this consistency
- The simultaneous $SI Modified and $SI Entry Modified updates confirm data content was changed (encryption) and MFT metadata was updated (new file size, attributes)
- The 12 affected directories show the ransomware's directory traversal path
- The encryption started 91 seconds after the last attacker tool was deployed (02:13:02 → 02:14:33), consistent with a brief configuration/staging period before execution
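Finding the burst in the first place is the part the evidence table hides: the 2,847 rows have to be pulled out of a parsed MFT of perhaps a million entries. The example below is added here and is not the course's or MFTECmd's code. It clusters $SI Modified events that follow each other within one second, summarises each cluster (duration, rate, interval spacing, whether $SI Entry Modified moved with $SI Modified, directories touched), and separately carries out the Question 2 arithmetic from the window endpoints. The sample rows are constructed (40 files about 85 ms apart plus three unrelated edits hours earlier), and the column names LastModified0x10, LastRecordChange0x10 and ParentPath are assumed to match MFTECmd's export.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_ts(s: str) -> datetime:
    """MFTECmd prints 7 fractional digits; datetime accepts 6, so the last 100 ns digit is dropped."""
    return datetime.strptime(s[:26], "%Y-%m-%dT%H:%M:%S.%f")


def summarise(cluster: list) -> dict:
    """Describe one cluster of (modified, entry_modified, full_path) events."""
    times = [mod for mod, _, _ in cluster]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    duration = (times[-1] - times[0]).total_seconds()
    return {
        "start": times[0].isoformat(), "end": times[-1].isoformat(), "files": len(cluster),
        "duration_s": round(duration, 3),
        "files_per_s": round(len(cluster) / duration, 1) if duration else None,
        "mean_gap_ms": round(mean(gaps) * 1000, 2), "gap_stdev_ms": round(pstdev(gaps) * 1000, 2),
        # share of files whose $SI Modified == $SI Entry Modified (data and MFT metadata changed together)
        "meta_with_data": round(sum(1 for m, e, _ in cluster if m == e) / len(cluster), 2),
        "directories": sorted({path.rsplit("\\", 1)[0] for _, _, path in cluster}),
    }


def find_bursts(rows: list, max_gap_s: float = 1.0, min_files: int = 20) -> list:
    """Group events whose successive $SI Modified times differ by at most max_gap_s and keep
    groups of at least min_files. Automated encryption shows up as one large, tightly spaced group."""
    events = sorted((parse_ts(r["LastModified0x10"]), parse_ts(r["LastRecordChange0x10"]),
                     r["ParentPath"] + "\\" + r["FileName"]) for r in rows)
    bursts, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]).total_seconds() > max_gap_s:
            if len(current) >= min_files:
                bursts.append(summarise(current))
            current = []
        current.append(ev)
    if len(current) >= min_files:
        bursts.append(summarise(current))
    return bursts


def encryption_stats(start: str, end: str, files: int, avg_file_kb: int) -> dict:
    """The Question 2 arithmetic from the window endpoints and file count (KB = 1,024 bytes)."""
    duration = (parse_ts(end) - parse_ts(start)).total_seconds()
    return {"duration_s": round(duration, 2), "files_per_s": round(files / duration, 1),
            "data_mib": round(files * avg_file_kb / 1024, 1)}


def constructed_rows() -> list:
    """Constructed sample, not real MFTECmd output: 40 files rewritten ~85 ms apart across three
    directories, plus three ordinary edits hours earlier whose metadata changed at a different time."""
    dirs = [r"C:\Users\jsmith\Documents", r"C:\Users\jsmith\Desktop", r"C:\Users\jsmith\Pictures"]
    rows, t = [], datetime(2026, 3, 18, 2, 14, 33, 123456)
    for i in range(40):
        if i:
            t += timedelta(milliseconds=85 + ((i * 7) % 5) - 2)   # small deterministic jitter
        stamp = t.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0"
        rows.append({"ParentPath": dirs[i % 3], "FileName": f"doc{i:03d}.docx.locked",
                     "LastModified0x10": stamp, "LastRecordChange0x10": stamp})
    for hours, name in ((-6, "budget.xlsx"), (-3, "notes.txt"), (-1, "report.docx")):
        edited = datetime(2026, 3, 18, 2, 0, 0) + timedelta(hours=hours)
        rows.append({"ParentPath": dirs[0], "FileName": name,
                     "LastModified0x10": edited.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0",
                     "LastRecordChange0x10": (edited + timedelta(minutes=1)).strftime("%Y-%m-%dT%H:%M:%S.%f") + "0"})
    return rows


if __name__ == "__main__":
    for burst in find_bursts(constructed_rows()):
        print(burst)
    print(encryption_stats("2026-03-18T02:14:33.1234567", "2026-03-18T02:18:47.8901234", 2847, 47))
```

On the constructed rows the detector returns a single burst of 40 files with a mean gap of about 85 ms, a low gap standard deviation, and every file's $SI Entry Modified equal to its $SI Modified; the three background edits never form a cluster. The low standard deviation is the machine-readable form of "no human operates at this consistency", and the directories list is the traversal path the answer refers to.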

---

Evidence Block 3 — Deleted Evidence

Three deleted entries found in C:\Windows\Temp\:

Entry   Seq  InUse  FileName          Created0x30 ($FN)            Size    $DATA Resident?
12044   8    False  deploy.bat        2026-03-18T02:14:28.2345678     487  Yes (487 bytes)
12045   6    False  creds.txt         2026-03-18T02:11:33.4567890     223  Yes (223 bytes)
12046   4    False  scan-results.csv  2026-03-18T02:09:15.7890123  34,816  No (non-resident)

Analysis Question 3: Assess the recoverability of each deleted file. Which files can you recover content from? What is the forensic significance of each?

Entry 12044 — deploy.bat (487 bytes, resident):
- Recovery: FULL CONTENT RECOVERY — 487 bytes of resident data in the MFT record. The entry is free (not reallocated), so the content is intact.
- Method: Extract 487 bytes from the $DATA attribute content area in the raw MFT record at offset 12044 × 1,024.
- Significance: This is likely the ransomware deployment script. Created 5 seconds before the encryption event started. May contain the commands used to launch locker.exe across the network.
- Confidence: HIGH — intact resident data in a free MFT entry.

Entry 12045 — creds.txt (223 bytes, resident):
- Recovery: FULL CONTENT RECOVERY — 223 bytes of resident data.
- Significance: Created during the credential harvesting phase (02:11, before tool deployment at 02:12). May contain harvested credentials, domain admin passwords, or service account credentials used for lateral movement.
- Confidence: HIGH.

Entry 12046 — scan-results.csv (34,816 bytes, non-resident):
- Recovery: METADATA ONLY from MFT — filename, timestamps, parent directory, file size recoverable. Content requires cluster-level recovery.
- Content recovery depends on: whether the workstation has an SSD (TRIM may have zeroed clusters) or HDD, and whether the clusters have been reallocated since deletion.
- Significance: Created during the reconnaissance phase (02:09, before credential harvesting). Likely contains network scan results identifying target systems. Size (34 KB) suggests a CSV with multiple columns across many hosts.
- Confidence for content: LOW on SSD, MODERATE on HDD. Check cluster allocation status.
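The recovery method for entries 12044 and 12045 ("extract the resident $DATA content from the raw record at entry × 1,024") is worth seeing as a parser, because the one detail that silently corrupts it is the NTFS update-sequence fixup: the last two bytes of each 512-byte sector of a record are replaced on disk by the update sequence number, and a 487-byte resident payload crosses that boundary. The code below is an added example written for this page, not the course's tooling: it assembles a constructed FILE record for a free entry shaped like deploy.bat (placeholder bytes, not the case's script), protects it with fixups the way NTFS does, then reads it back, undoing the fixups and walking the attributes to recover the filename, $FN Created, in-use flag and resident content. Offsets follow the documented NTFS FILE record and attribute header layouts; the parent reference, sequence numbers and USN value are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512                 # standard MFT record and sector sizes
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def record_offset(entry: int) -> int:
    """Byte offset of a record inside the extracted $MFT file (the lab's 'entry x 1,024')."""
    return entry * RECORD_SIZE


def filetime_to_iso(ft: int) -> str:
    """Windows FILETIME (100 ns ticks since 1601) to the 7-digit form MFTECmd prints."""
    dt = EPOCH_1601 + timedelta(microseconds=ft // 10)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ft % 10_000_000:07d}"


def iso_to_filetime(s: str) -> int:
    main, frac = s.split(".")
    dt = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10 + int(frac.ljust(7, "0"))


def undo_fixups(record: bytes) -> bytes:
    """Restore the last two bytes of every sector from the update sequence array. NTFS overwrites
    them with the USN to detect torn writes; skipping this step corrupts any attribute content
    that crosses a sector boundary."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record: bytes) -> dict:
    """Recover what the lab lists for a free entry: name, $FN Created, size, resident content."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = undo_fixups(record)
    seq, _links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"entry": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq, "in_use": bool(flags & 0x01),
           "file_name": None, "fn_created": None, "data_size": None, "resident": None, "resident_data": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if atype == ATTR_FILE_NAME and not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            out["fn_created"] = filetime_to_iso(struct.unpack_from("<Q", body, 0x08)[0])
            out["file_name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and name_len == 0:                    # unnamed $DATA only, skip ADS
            out["resident"] = not non_resident
            if non_resident:                                          # content lives in clusters
                out["data_size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]   # real size
            else:
                clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
                out["data_size"], out["resident_data"] = clen, rec[off + coff:off + coff + clen]
        off += alen
    return out


def _resident_attr(atype: int, body: bytes) -> bytes:
    total = 0x18 + len(body)
    total += (-total) % 8                                             # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + b"\0" * (total - 0x18 - len(body))


def build_record(entry: int, seq: int, in_use: bool, name: str, created_iso: str, data: bytes) -> bytes:
    """Assemble a constructed 1,024-byte FILE record with resident $FILE_NAME and $DATA, then
    apply fixups exactly as NTFS would when writing it (USN 7 and parent ref 5/5 are made up)."""
    ft = iso_to_filetime(created_iso)
    fn_body = struct.pack("<QQQQQQQII", (5 << 48) | 5, ft, ft, ft, ft, len(data), len(data), 0, 0)
    fn_body += bytes([len(name), 1]) + name.encode("utf-16-le")       # name length, namespace, name
    attrs = _resident_attr(ATTR_FILE_NAME, fn_body) + _resident_attr(ATTR_DATA, data)
    attrs += struct.pack("<I", ATTR_END) + b"\0\0\0\0"
    first_attr = 0x38                                                 # 0x30 header + 6-byte USA, padded
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, first_attr, 1 if in_use else 0,
                      first_attr + len(attrs), RECORD_SIZE, 0, 3, 0, entry)
    rec = bytearray(hdr + b"\0" * 8 + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    struct.pack_into("<H", rec, 0x30, 7)                              # USN
    for i in range(2):                                                # protect both sectors
        end = (i + 1) * SECTOR_SIZE
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x07\x00"
    return bytes(rec)


# Constructed placeholder payload of the lab's size; not the case's actual script.
DEPLOY_BAT = (b"REM constructed placeholder line for the lab\r\n" * 12)[:487]

if __name__ == "__main__":
    raw = build_record(12044, 8, False, "deploy.bat", "2026-03-18T02:14:28.2345678", DEPLOY_BAT)
    info = parse_record(raw)
    print(info["entry"], info["seq"], "in_use:", info["in_use"], info["file_name"], info["fn_created"],
          info["data_size"], "bytes, intact:", info["resident_data"] == DEPLOY_BAT)
```

Against a real $MFT extracted by KAPE, `parse_record(mft[record_offset(12044):record_offset(12044) + 1024])` is the whole extraction step; `in_use` False confirms the entry is still free, and a fixup mismatch raised by `undo_fixups` is the signal to distrust the record rather than report partial content. For the non-resident scan-results.csv case the same walk returns only `data_size` with `resident_data` left as None, which is exactly the "metadata only" verdict in the answer.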

---

Final Exercise: Write a three-paragraph forensic summary of the MFT findings for INC-NE-2026-1022, covering: (1) attacker tool deployment with real timestamps, (2) the encryption event timeline, and (3) deleted evidence recovery. Include confidence assessments and note what additional artifact sources would corroborate each finding.

Example forensic summary:

MFT analysis of DESKTOP-NGE-FIN01 identifies five attacker tools deployed to C:\ProgramData\Updates\ between 02:12:44 and 02:13:02 UTC on March 18, 2026. All five executables were timestomped — $STANDARD_INFORMATION Created timestamps were set to August 15, 2025 to blend with legitimate software, but $FILE_NAME Created timestamps reveal the actual deployment during the intrusion window. The timestomping is confirmed through temporal inversion (7-month gap between $SI and $FN Created) and zero-fractional-second precision on all $SI timestamps. The identified tools include svchost-helper.exe (288 KB), update-service.dll (157 KB), config.dat (4 KB), mshelper64.exe (524 KB), and locker.exe (389 KB — the ransomware payload). Corroborate with Prefetch analysis for execution evidence and Event Logs for service creation.

The ransomware encryption event began at 02:14:33 and completed at 02:18:47 UTC — a 4-minute 15-second window during which 2,847 files across 12 directories were encrypted at approximately 11.2 files per second. The monotonically increasing $SI Modified timestamps with consistent 85ms intervals confirm automated processing. The encryption started 91 seconds after the last tool deployment, consistent with a configuration period before execution. Corroborate with Event Logs (process creation for locker.exe, VSS deletion events) and USN Journal (file modification reason codes during the encryption window).

Three deleted files were recovered from C:\Windows\Temp\. Two files with resident data (deploy.bat, 487 bytes; creds.txt, 223 bytes) are fully recoverable from their freed MFT entries — deploy.bat is the likely deployment script created 5 seconds before encryption, and creds.txt contains harvested credentials from the pre-encryption reconnaissance. A third file (scan-results.csv, 35 KB, non-resident) has recoverable metadata but content recovery depends on cluster allocation status. All recovery findings are documented with extraction methodology and confidence assessment. Corroborate with Prefetch (cmd.exe execution for deploy.bat) and Event Logs (authentication events using harvested credentials).

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation