Table of Contents
- Page 1 – Introduction, Screenshots, Usage Scenarios
- Page 2 – MFT Explorer – GUI
- Page 3 – MFTECmd – Command Line, Examining MFTECmd Output (CSV)
- Page 4 – Conclusion, Related Blog Posts/Videos, Change Log
MFT Explorer/MFTECmd are essential tools created by Eric Zimmerman that can be used to easily make sense of the $MFT and other metadata files on a given Windows system. MFTECmd is also capable of parsing the $J, $Boot, $SDS and (eventually) $LogFile. Parsing the MFT will allow you to see not only the $Standard_Information (x10) timestamps that the user sees when they’re using Windows File Explorer (or an alternative), but also the $File_Name (x30) attribute, which holds the long and short file names along with its own set of timestamps that can help identify anti-forensics artifacts such as timestomping. More about timestomping on Page 3!
To be fair, MFT Explorer and MFTECmd are two different tools, but they are one and the same in that they make up Eric Zimmerman’s MFT parsing toolset. They do the same thing, but one presents itself with a GUI and the other is a command line tool.
Many of the examples in this guide use the $MFT from the Lone Wolf 2018 Scenario. As of December 2020, the output from KAPE can be retrieved from a GitHub repository I put together for the purpose of these EZ Tools guides. The GitHub repository can be found here.
This guide was created with those new to MFT Explorer/MFTECmd in mind, regardless of background (LE, Private, Student, etc). It should be noted that the primary purpose of this guide is to help break the intimidation barrier of trying out a new tool such as MFT Explorer/MFTECmd. There are certainly more advanced ways to leverage MFT Explorer/MFTECmd, but they will not be covered in this guide. Maybe in a future guide!
If by the end of this guide you don’t think to yourself “hey, I can totally use this in my day to day work”, then please let me know why that’s not the case.
MFT Explorer vs. MFTECmd
Download link: Eric Zimmerman’s GitHub
Documentation: Introducing MFTECmd!
Alternative Documentation: SANS EZ Tool Command Line Poster
Command Line (MFTECmd.exe)
Screenshot (MFT Explorer – Blank)
Screenshot (MFT Explorer – Lone Wolf 2018 MFT)
Yes, there is a dark mode. Use it! Options -> Skins to customize the GUI to your liking. However, the hex might be hard to see in dark mode. In that case, revert to a different skin if you’re having issues.
Updating EZ Tools
First and foremost, make sure you have the latest version of MFT Explorer/MFTECmd. Running a PowerShell script will make sure you have all of the latest EZ Tools.
MFT Explorer/MFTECmd can be used in many scenarios, but here are two common ones that’ll apply to most everyday examiners.
The Ultimate Practice Scenario
Practice makes perfect, right? Before you use MFT Explorer/MFTECmd on evidence, use it on your own system! No one knows your system better than yourself so the artifacts you see should make sense to you. This will also help you understand the artifacts better if you’ve not had any formal training yet on Windows Artifacts. If you’ve not had training, fear not! There’s a section coming up where I’ll provide some self-study resources for these artifacts so you can approach analysis from a more informed position.
Use KAPE to run a BasicCollection or KapeTriage against your own system. With the NTFS metadata files that are copied out from the root of the C drive, drop them into MFT Explorer’s GUI or run MFTECmd against the files. Pages 2 and 3 of this guide will give visual examples on how to use these tools.
The Real World Scenario
MFT Explorer and MFTECmd parse out NTFS metadata files with speed and ease. MFT Explorer is a drag-and-drop GUI for the end user, while MFTECmd can be run on its own or driven by KAPE.
Below are some use cases for NTFS metadata file analysis using MFT Explorer/MFTECmd for the everyday law enforcement examiner:
- Identify creation/last modified timestamps for known bad files
- Once identified, look for other potentially bad files that are in temporal proximity to your known bad files
- Identify folders staging known bad files and gain further insight as to when these folders and files were created
- Identify potential timestamp manipulation of bad files
- Identify alternate data streams quickly
All of the above can help strengthen the picture you paint for your case: not only possession of illicit material, for example, but also execution of the media players used to play it, illicit website URLs typed by the user, or artifacts showing the user saved illicit material to a specific folder using a specific application. Beyond simple possession of illicit material, this can help show what was done with the illicit material to build a stronger case.
IR examiners rely on the $MFT for creation timestamps of malicious files once they are identified. Additionally, the $MFT provides great insight into when ransomware was executed on a system, because the examiner will see thousands of ransom notes generated within minutes and those entries will flood the $MFT. That gives the examiner a good pivot point to work back from and serves as a bookend for the incident at hand. The $MFT can also provide evidence of timestomping, which is the manual manipulation of the $Standard_Information (x10) creation timestamps. Thankfully, the $File_Name (x30) creation timestamps will be preserved, and an easy comparison between the two can be made to determine the likelihood of timestomping. The $MFT can also be used to identify when a user’s account was created (i.e. the creation time of the NTUSER.dat file for a specific user), which can be important in IR cases because unauthorized actor(s) sometimes opt to create an account that they then use to execute their badness on the system. This can be very helpful to know, as you will be able to provide a starting bookend timestamp for that user’s account and any associated activity.
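As an added example (not code from the guide or from MFTECmd), the two $MFT checks described above, the $SI-versus-$FN creation comparison for timestomping and the ransom-note flood as an incident bookend, run over a constructed handful of rows in the shape MFTECmd writes to CSV; the column names Created0x10, Created0x30, FileName and ParentPath are assumed here, not shown on this page:

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed rows shaped like MFTECmd's $MFT CSV (these column names are an assumption).
SAMPLE_CSV = """ParentPath,FileName,Created0x10,Created0x30
.\\Users\\jdoe\\Downloads,invoice.exe,2016-01-02 03:04:05.0000000,2018-04-06 18:52:32.7013155
.\\Users\\jdoe\\Documents,report.docx,2018-03-01 09:15:10.1234567,2018-03-01 09:15:10.1234567
.\\Users\\jdoe\\Documents,README_FOR_DECRYPT.txt,2018-04-06 18:53:01.1000000,2018-04-06 18:53:01.1000000
.\\Users\\jdoe\\Pictures,README_FOR_DECRYPT.txt,2018-04-06 18:53:02.2000000,2018-04-06 18:53:02.2000000
.\\Users\\jdoe\\Desktop,README_FOR_DECRYPT.txt,2018-04-06 18:53:09.5000000,2018-04-06 18:53:09.5000000
"""

def parse_ts(value):
    base, _, frac = value.partition(".")  # NTFS keeps 100ns (7 digits); strptime's %f takes at most 6
    return datetime.strptime(f"{base}.{frac[:6].ljust(6, '0')}", "%Y-%m-%d %H:%M:%S.%f")

def load_rows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:  # the raw strings stay in the dict: the sub-second digits matter below
        r["si_created"], r["fn_created"] = parse_ts(r["Created0x10"]), parse_ts(r["Created0x30"])
    return rows

def timestomp_candidates(rows):
    """$SI created before $FN created, or zeroed $SI sub-seconds beside real $FN ones."""
    hits = []
    for r in rows:
        si_frac, fn_frac = (r[c].partition(".")[2] for c in ("Created0x10", "Created0x30"))
        reasons = []
        if r["si_created"] < r["fn_created"]:
            reasons.append("si_before_fn")
        if si_frac.strip("0") == "" and fn_frac.strip("0") != "":
            reasons.append("si_subsecond_zero")
        if reasons:
            hits.append((r["FileName"], reasons))
    return hits

def note_bursts(rows, min_count=3, window_seconds=300):
    """Same name created min_count+ times within window_seconds -> name: (first_created, total)."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["FileName"].lower()].append(r["si_created"])
    bursts = {}
    for name, times in by_name.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if (times[i + min_count - 1] - times[i]).total_seconds() <= window_seconds:
                bursts[name] = (times[i], len(times))
                break
    return bursts
```

The first creation time returned for the ransom-note name is the pivot point to work back from; on a real export, point csv.DictReader at the MFTECmd CSV instead of SAMPLE_CSV.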