SecureArtisan

My Road to Digital Forensics Excellence

LNK Files and NTFS Anomaly

Posted by Paul Bobby on October 3, 2010

I periodically review LNK files and their timestamps either as a result of case work or because of some strangeness I observe through various experiments that I conduct. My reference for LNK file artifacts and behavior comes from the excellent paper by Harry Parsonage, the Meaning of LIFE.

My most recent encounter with LNK files came when I attempted to show that a file had been opened and ‘Saved As’ to a new file. The following artifacts do not show this; rather, they show a surprising timestamp anomaly within NTFS.

Test Setup

  1. 2 GB thumb drive formatted NTFS
  2. LNK files were read from the Office\Recent folder on my Windows XP SP3 machine.

Test 1

Create test2test.xlsx 7:55pm
Double click to open and edit 7:56pm
Save 7:57pm
Close Excel 7:57pm

So at approximately 7:55pm I created a new spreadsheet on the thumbdrive called test2test.xlsx, opened it, added some text, and saved the file, closing Excel at 7:57pm.

The following table shows NTFS and LNK file timestamps.

NTFS Timestamps   Test2test.xlsx   Office\recent\test2test.xlsx.lnk
ACCESSED          19:57:30         19:56:26
CREATED           19:55:33         19:56:26
WRITTEN           19:57:30         19:56:26
MODIFIED          19:57:30         19:56:26

Internal Timestamps
ACCESSED                           19:56:26
CREATED                            19:55:33
WRITTEN                            19:55:33

Pretty standard stuff here. The create date of the LNK file is when I first opened the spreadsheet for editing. The internal accessed timestamp is different from the accessed timestamp of test2test.xlsx. This threw me for a while, but it actually makes sense when you examine how Excel operates. Excel creates a temp file for editing (i.e. ~$test2test.xlsx). When Excel closes, the last accessed timestamp of test2test.xlsx is the time when the editing was finished. Why? Because Excel overwrites test2test.xlsx with the contents of ~$test2test.xlsx. However, the internal timestamps in the LNK file do not show this; they show when the actual file test2test.xlsx was opened. The cool thing here is that you can show how long an editing session was.

The anomalous part comes up now…

Test 2

Double click to open 8:15pm
Save as test3test.xlsx 8:15pm
Close Excel 8:15pm

I opened the file test2test.xlsx, and did a Save As test3test.xlsx.

The following table shows the NTFS and LNK timestamps:

NTFS Timestamps   Test2test.xlsx   Office\recent\test2test.xlsx.lnk   Test3test.xlsx   Office\Recent\test3test.xlsx.lnk
ACCESSED          20:02:57         20:15:04                           20:15:27         20:15:27
CREATED           19:55:33         19:56:26                           20:15:26         20:15:27
WRITTEN           19:57:30         20:15:04                           20:15:27         20:15:27
MODIFIED          20:14:48         20:15:04                           20:15:27         20:15:27

Internal Timestamps
ACCESSED                           20:15:04                                            20:15:27
CREATED                            19:55:33                                            20:15:26
WRITTEN                            19:57:30                                            20:15:27

There was no activity between the first set of captured timestamps and the second. The anomalous part is the Last Accessed timestamp for test2test.xlsx. Why 20:02? No idea… The internal timestamps of the test2test.xlsx.lnk file are supposed to be the timestamps of test2test.xlsx at the time the file was opened. But when I finished my testing and started to capture timestamps for this table, the last accessed time had changed. Odd.
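The two comparisons above (the editing-session length in Test 1, and the target's last-access time moving to an earlier value than the LNK recorded in Test 2) can be made mechanically. The following is an added example, not code from the post or from Parsonage's paper: it reads the three target FILETIMEs out of a .lnk file's fixed ShellLinkHeader (layout per MS-SHLLINK) and compares them with the target's current NTFS timestamps. The sample data are the post's clock readings placed on an assumed date (2010-10-03) and treated as UTC; the date, the UTC assumption, the file size and the header-only sample bytes are constructed for the example.

```python
"""Read the target timestamps stored in a .lnk ShellLinkHeader and compare
them with the target file's current NTFS timestamps.

The header layout follows MS-SHLLINK. Sample values are constructed: the
post's clock readings on an assumed date (2010-10-03), treated as UTC."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C  # the fixed ShellLinkHeader is always 76 bytes
# LinkCLSID {00021401-0000-0000-C000-000000000046} as it is laid out on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime,
# AccessTime, WriteTime, FileSize: the first 56 bytes of the header
HEADER_FMT = "<I16sIIQQQI"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(data):
    """Return the target metadata captured in the LNK header.

    These are the target's times when the link was created or last
    refreshed, not the target's current NTFS times."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data shorter than a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link header")
    return {
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "written": filetime_to_datetime(wtime),
        "file_size": fsize,
        "link_flags": flags,
        "file_attributes": attrs,
    }


def build_lnk_header(created, accessed, written, file_size):
    """Constructed minimal header for offline testing (header only; a real
    .lnk continues with LinkTargetIDList, LinkInfo and string data)."""
    head = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), file_size)
    # IconIndex, ShowCommand, HotKey and the three Reserved fields: 20 zero bytes
    return head + bytes(HEADER_SIZE - len(head))


def compare_with_target(lnk, ntfs):
    """lnk: output of parse_lnk_header. ntfs: the target's current
    $STANDARD_INFORMATION created/accessed/written times.

    Reports which fields moved since the link captured them, the editing
    session length (target written minus LNK accessed, as the post reasons),
    and a finding when the target's last-access is earlier than the open
    time the link recorded, which is the Test 2 anomaly."""
    changed = {k: (lnk[k], ntfs[k]) for k in ("created", "accessed", "written") if lnk[k] != ntfs[k]}
    findings = []
    if ntfs["accessed"] < lnk["accessed"]:
        findings.append("target last-access predates the access time recorded in the LNK")
    return {"changed": changed, "session": ntfs["written"] - lnk["accessed"], "findings": findings}


def ts(h, m, s):
    """Constructed clock reading on the assumed date, treated as UTC."""
    return datetime(2010, 10, 3, h, m, s, tzinfo=timezone.utc)


# Test 1: LNK made at first open, target saved and closed about a minute later
TEST1_LNK = build_lnk_header(ts(19, 55, 33), ts(19, 56, 26), ts(19, 55, 33), 9000)
TEST1_NTFS = {"created": ts(19, 55, 33), "accessed": ts(19, 57, 30), "written": ts(19, 57, 30)}
# Test 2: LNK refreshed at the 20:15 open, yet the target's last-access reads 20:02:57
TEST2_LNK = build_lnk_header(ts(19, 55, 33), ts(20, 15, 4), ts(19, 57, 30), 9000)
TEST2_NTFS = {"created": ts(19, 55, 33), "accessed": ts(20, 2, 57), "written": ts(19, 57, 30)}


def run_test1():
    return compare_with_target(parse_lnk_header(TEST1_LNK), TEST1_NTFS)


def run_test2():
    # The "session" here is negative: Save As wrote test3test.xlsx, not the target
    return compare_with_target(parse_lnk_header(TEST2_LNK), TEST2_NTFS)


if __name__ == "__main__":
    for name, result in (("Test 1", run_test1()), ("Test 2", run_test2())):
        print(name, "session:", result["session"], "changed:", sorted(result["changed"]))
        for finding in result["findings"]:
            print("  finding:", finding)
```

On a real image, feed `parse_lnk_header` the first 76 bytes of each .lnk from Office\Recent and take the NTFS side from the target's $STANDARD_INFORMATION. Display times in the examined machine's zone before comparing with wall-clock notes like the ones in the tables above, since FILETIME is stored in UTC.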


One Response to “LNK Files and NTFS Anomaly”

  1. A. Thulin said

    Hypothesis: something else on the system accessed the file.

    Test: Can it be repeated consistently? In that case, it’s probably the test itself, rather than an unrelated activity.

    This kind of testing assumes that nothing else takes place on the testing system except the actual test — no AV scanning, no adware scanning, nothing. Unless the system has been specially configured for such purpose (run tests in safe mode?), modern Windows (I am assuming Windows NTFS) seems to do all kind of things behind the screens.

    I suspect the best way to protect against unexpected activities may be to turn on security logging fully. Or perhaps even better, run FileMon/ProcMon during the entire duration of the test. In either case, it should be possible to go back to check if there was any activity that may explain an apparently anomalous timestamp.
