Windows MACB Timestamps (NTFS Forensics)

  • Published: 24 Nov 2024

Comments • 44

  • @vero0992 4 years ago +13

    I passed my GCFA yesterday due to this video and your others! Tough test, but your content really helped. Just became a patron - thanks for what you do!

    • @13Cubed 4 years ago +3

      That’s awesome - thank you!

  • @brentbott8115 6 years ago +9

    I really appreciate how well you explain the content to the least common denominator (me).

  • @beb978 5 years ago +2

    This is really a very informative video.. all you need to know about the title and new discovery. Thank you for the efforts in putting it all together.

  • @travelmore9626 4 years ago +1

    I've begun watching your videos recently and they're extremely useful! Thanks a lot

  • @packy16 1 year ago

    Thank you so much! I am working on my GCFE and these videos are helping me a lot. 🙏

  • @anthonyc7407 6 years ago

    Great job on the content. This helped reinforce some of the learning material from SANS 508. Keep up the great videos!

  • @PradeepSharma-yt8ik 7 years ago

    Great job, awesome content, perfect flow... you never let the audience sleep... keep it up... I will wait for more new videos.

  • @modogg158 7 years ago +5

    It would also be great to do a SANS SIFT video.

  • @krithikaramakrishnan5595 3 years ago +1

    Thank you so much for the explanation :)

  • @RandomNullpointer 6 years ago +2

    You are a great teacher!
    Regarding the copy on bash, I'd assume that it's not calling the native OS function to copy, but rather it is scripted internally, so it creates a new file, possibly forgetting to set the timestamps later (as it is in beta).
    Now things may have changed, but I don't know really, as I don't use bash.

  • @PaulStiforp 7 years ago +1

    Would be interesting if you will make a video about Steganography and Cryptography.

  • @stagesnake4146 4 years ago +2

    Date Accessed has been updated. I tried this in Windows 10 and it updated along with the modification date.

    • @13Cubed 4 years ago

      Yes, this has recently changed. However, the access timestamp is still not very forensically relevant because there are just too many variations in how and when it is updated. The M and B in MACB tend to be the ones we focus on the most.

  • @mohammedashi5981 3 years ago +1

    Very useful video.

  • @kazdaman1 5 years ago

    Thanks, it was a good video.
    Just a thought: maybe adding '-p' to the bash cp command will preserve the timestamps. This is how it works on Linux.

  • @TheSkepticSkwerl 5 years ago +2

    It's likely that the bash program copies quite literally by redirecting the output of the file into a new file. So it creates a file, and then copies all the data into it.

    • @deathstroyer 5 years ago +2

      Do you think it copied all the data (less than 1 kB) in less than 0.1 milliseconds? This would explain why the modification and entry modification timestamps are equal to the others.
      Perhaps it would prove useful to re-run this experiment with a larger file.

  • @ryanhorton9594 6 years ago +1

    Love your channel. Thank you for the content. If you open a patreon and plan on releasing more timely content, I'd be thrilled to donate monthly to the cause.

    • @13Cubed 6 years ago +1

      Ryan Horton Thanks! I actually do have a Patreon - patreon.com/13cubed. One pre-release video is available to patrons now, and another coming Friday.

    • @ryanhorton9594 6 years ago +1

      I'm looking forward to it! Checking Patreon out now!

  • @moretwocome21 6 years ago

    Great video, sir! Thanks for sharing :-)

  • @BhupendraSingh-fz4sy 6 years ago

    Great work... keep it up!!!

  • @dewy200884 1 year ago +1

    I have Win 10 22H2 and it appears that when I modify a file, the Accessed time is also changing. Wondering if the default changed in the recent versions.

    • @13Cubed 1 year ago

      Sure did! I have an episode coming out in January that addresses that.

  • @MrSanjay00007 3 years ago +1

    Hello @13Cubed, I have tried to change file content and I observed that the modification and access timestamps changed. As per your video, the access timestamp does not change. My drive type is NTFS as well.

    • @13Cubed 3 years ago

      Access timestamp behavior has changed in more recent versions of Windows 10. In short, don't depend on that timestamp for any forensic purposes. There are just too many circumstances under which it could be updated.

    • @MrSanjay00007 3 years ago

      @13Cubed Thanks for the update.

  • @miss_tech 2 years ago

    The timestomp tool isn't out there anymore?

  • @omarmahboub4 3 years ago

    Always appreciate your great work. I have a question: what is the difference between analyzeMFT and MFTECmd from Eric Zimmerman's tools?

    • @13Cubed 3 years ago +1

      To my knowledge, analyzeMFT isn't being maintained any longer. Further, MFTECmd has many more features, including the ability to analyze the $UsnJrnl (and coming later, $LogFile).

  • @modogg158 7 years ago

    Also, this is very good!!!

  • @kasperkasper6244 5 years ago

    NTFS says that $FILE_NAME attribute timestamps will be changed if a file rename happens. But according to the SANS table of timestamp rules (file rename column), there is no modification of any $FN timestamps. Why is that?

    • @13Cubed 5 years ago +1

      Upon a file rename, only $SI will change (the C, in MACB, recording an NTFS metadata change). $FN timestamps will not change, as shown here: www.sans.org/security-resources/posters/windows-forensic-analysis/170/download
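The $SI versus $FN comparison in the reply above, and the MFTECmd/analyzeMFT and timestomp questions earlier in the thread, all come down to reading the two sets of MACB timestamps out of an MFT FILE record. The script below is an added example, not code from the 13Cubed episode or from any commenter: it applies the update sequence fixups, walks the resident attributes, decodes the four FILETIMEs in $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30), and flags the two classic timestomp indicators ($SI creation earlier than $FN creation, and $SI times with a zero sub-second part). The FILE record it parses is constructed in build_sample_record() so that it runs offline; the attribute layouts and offsets are the real on-disk ones, but the file name, timestamps and parent reference are invented. Feed parse_record() 1024 bytes from an exported $MFT to run it on real data.

```python
"""$SI vs $FN timestamp extraction from a raw NTFS MFT FILE record.
Added example; the sample record below is constructed, not from a real disk."""
import struct
from datetime import datetime, timedelta, timezone

ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
SECTOR = 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC (sub-microsecond part dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def apply_fixups(record):
    """Undo the update sequence array: NTFS keeps the last 2 bytes of every
    sector in the USA and overwrites them with the USN to detect torn writes."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    out = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError(f"USN mismatch at sector {i - 1}: torn write")
        out[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_record(raw):
    """Return {'si': {B,M,C,A}, 'fn': {B,M,C,A}, 'name'} with FILETIME ints.
    Keys follow the MACB letters: B = born, M = modified, C = MFT entry changed."""
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # first attribute offset
    info = {"si": None, "fn": None, "name": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                               # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                b, m, c, a = struct.unpack_from("<4Q", body, 0)
                info["si"] = {"B": b, "M": m, "C": c, "A": a}
            elif atype == ATTR_FN and body[0x41] != 2:      # skip the DOS 8.3 name
                b, m, c, a = struct.unpack_from("<4Q", body, 8)
                info["fn"] = {"B": b, "M": m, "C": c, "A": a}
                info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return info


def assess(info):
    """Timestomp heuristics. Both also occur legitimately (e.g. a copy that
    preserves source times), so they are leads to corroborate, not proof."""
    findings = []
    si, fn = info["si"], info["fn"]
    if si["B"] < fn["B"]:
        findings.append("$SI born before $FN born")
    for k in ("B", "M"):
        if si[k] % 10_000_000 == 0:                         # whole-second value
            findings.append(f"$SI {k} has a zero sub-second part")
    return findings


def _attr(atype, content, attr_id, indexed=0):
    """Resident attribute header (24 bytes) + content, padded to 8 bytes."""
    alen = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, attr_id,
                      len(content), 0x18, indexed, 0)
    return hdr + content + bytes(alen - 0x18 - len(content))


def build_sample_record():
    """Constructed record: file created 2024-11-20 whose $SI B/M were set back
    to a whole-second 2019 date, the pattern a timestomp leaves behind."""
    utc = timezone.utc
    born = datetime_to_filetime(datetime(2024, 11, 20, 9, 15, 30, 123456, tzinfo=utc))
    stomped = datetime_to_filetime(datetime(2019, 3, 1, 12, 0, 0, tzinfo=utc))
    touched = datetime_to_filetime(datetime(2024, 11, 20, 9, 16, 5, 500000, tzinfo=utc))
    si = _attr(ATTR_SI, struct.pack("<4Q4I", stomped, stomped, touched, touched, 0x20, 0, 0, 0), 0)
    name = "evil.exe"                                       # invented name
    fn_body = struct.pack("<7Q2IBB", 5 | (5 << 48), born, born, born, born, 0, 0, 0x20, 0, len(name), 1)
    fn = _attr(ATTR_FN, fn_body + name.encode("utf-16-le"), 2, indexed=1)
    body = si + fn + struct.pack("<II", ATTR_END, 0)
    usa_off, first_attr = 0x30, 0x38
    rec = bytearray(1024)
    rec[:42] = struct.pack("<4sHHQHHHHIIQH", b"FILE", usa_off, 3, 0, 1, 1,
                           first_attr, 1, first_attr + len(body), 1024, 0, 3)
    rec[first_attr:first_attr + len(body)] = body
    rec[510:512], rec[1022:1024] = b"\xaa\xbb", b"\xcc\xdd"  # bytes the USA will shadow
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 6] = usn + rec[510:512] + rec[1022:1024]
    rec[510:512] = usn
    rec[1022:1024] = usn
    return bytes(rec)


if __name__ == "__main__":
    info = parse_record(build_sample_record())
    for attr in ("si", "fn"):
        for k, v in info[attr].items():
            print(f"{attr.upper()} {k}: {filetime_to_datetime(v).isoformat()}")
    for f in assess(info):
        print("!", f)
```

On the sample record the $FN timestamps all read 2024-11-20 09:15:30.123456 while $SI B and M read 2019-03-01 12:00:00, so both heuristics fire. Since a rename only touches $SI C (as the reply above says), renamed files keep their $FN creation time and still compare cleanly; a copy made with a timestamp-preserving tool, on the other hand, can legitimately produce an $SI creation older than $FN, which is why the output is a lead to check against $UsnJrnl or $LogFile rather than a verdict.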

  • @mcswks2444 5 years ago

    Trying to replicate the matrix on Windows 10 Version 1809 (Build 17763.134), I found out that whenever I edit the file content, the Date Accessed also changes (in addition to the Date Modified).
    I've tried with disablelastaccess disabled or enabled and it's the same behavior.
    Any thoughts?

    • @13Cubed 5 years ago +1

      Mcs Wks I’ve seen some newer versions of Windows modify the access timestamp in inconsistent ways. In short, this is not a forensically useful timestamp in most cases, and I generally ignore it and focus on modification and creation.

    • @mcswks2444 5 years ago +1

      @13Cubed Thanks for the quick reply. You are the best!!!

  • @san0106chit 5 years ago

    I see the access time (A) changes when I modify a file. The registry is set to 80000003 in Windows 10.

    • @san0106chit 5 years ago

      From what I am reading, something has changed in the April 1803 update.

    • @13Cubed 5 years ago

      san0106chit Indeed - I’ve seen newer versions of Windows modify the access timestamp in inconsistent ways. That said, this is usually not a forensically useful timestamp in most cases, and I generally ignore it and focus on modification and creation.

  • @muhammadhassoub299 4 years ago

    Videos are great, but it would be better if you zoomed the screen.

    • @13Cubed 4 years ago

      This was an older episode. You will notice a drastic increase in production quality in more recent episodes.

  • @marcosalmendariz9197 3 years ago +1

    He sounds way too chipper for 1:40 AM, mind you... Great vid though.