Mon, Jun 13, 2022

Identifying Indicators of Timestomping with .LNK Files

Article 4 of Sophisticated Anti-Forensics Tactics and How to Spot Them Series: Timestomping

Similar to the tactics used to identify timestomping by parsing the $MFT with KAPE, .LNK files are another artifact that can reveal indicators of timestomping. A .LNK file is a shortcut that references an original (source) file, folder or application. Windows creates a new .LNK file in the user's Recent folder when a file is opened through the Windows shell (for example, by double-clicking it in Explorer) for the first time. These .LNK files record information about the target, including the target file name, the target's created, modified and accessed dates, and the location of the original file that the .LNK file references. When a file is timestomped, only the original file's timestamps change; the timestamps of the associated .LNK file do not. Once the file is opened again after it has been timestomped, the associated .LNK file's metadata is updated to reflect the timestomped value(s) of the original file. This is a strong indicator of timestomping and makes analysis of .LNK files that much more relevant during an incident response investigation.

In this scenario, the following variables are used:   

  • Target source: C:\
  • Target destination: D:\Tutorial\tout
  • Module destination: D:\Tutorial\mout
  • Target: LnkFilesAndJumpLists
  • Module: LECmd
  • Debug messages

Figure 1 shows an example of a file created on the desktop named test.txt. The file was then opened, which generated a .LNK file, test.txt.lnk. KAPE was then used to acquire the relevant artifacts from the workstation and parse them into CSV output. The CSV output can be opened in Timeline Explorer to examine the Source and Target timestamps.


Figure 1 – test.txt.lnk file shown in Timeline Explorer with Source and Target timestamps before timestomping

Next, we timestomped the test.txt file that resided on the desktop using the Set Time feature in NewFileTime. We then opened test.txt again so that the target timestamps within the .LNK file would be refreshed. Using KAPE, we reacquired and parsed the .LNK files to view the updated metadata of test.txt.lnk in Timeline Explorer. Figure 2 shows the updated metadata of test.txt.lnk in Timeline Explorer.


Figure 2 – test.txt.lnk file shown in Timeline Explorer with Source and Target timestamps after timestomping

Timestomping test.txt only changed the Created 0x10 timestamp in the file's $MFT entry. This is the timestamp a .LNK file stores as its Target Created value. The Source Created timestamp, by contrast, is the Created 0x10 timestamp of the .LNK file itself and is not touched by timestomping the target. Opening test.txt again rewrote the Target Created timestamp inside test.txt.lnk so that it matches the timestomped value of test.txt (Figure 2).

With the Source Created timestamp of the .LNK file itself still reading 2021-10-24 20:04:00, the .LNK file now appears to have been created before the file it points to, which is suspicious. Since a .LNK file is created when a file is first opened, the Target Created timestamp of test.txt should not be later than the Source Created timestamp of test.txt.lnk unless timestomping is involved.

.LNK files do not track the $MFT timestamps of the referenced file live; the target timestamps are refreshed only when the file is opened again through the shell. This matters because a threat actor who wants to hide the act of timestomping may never reopen the file that was timestomped. If the file has been reopened after being timestomped, however, the associated .LNK file's Target Created value will carry the timestomped timestamp of the original file. Two caveats apply when acting on this indicator: a file that was deleted and re-created under the same name can also show a Target Created later than Source Created, because Windows updates the existing .LNK in the Recent folder rather than creating a new one; and a thorough attacker can timestomp or delete the .LNK file itself. Along with additional context, .LNK files can provide useful insight into a threat actor's activities within a compromised network.
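The check described above, implemented as an added example (not Kroll, KAPE or LECmd code): a minimal parser for the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK section 2.1, which is where a .LNK file carries the target's created, accessed and modified FILETIMEs, followed by the comparison of Target Created against the .LNK file's own creation time. The .LNK file's own creation time (the Source Created column in LECmd output) lives in the filesystem, not inside the .LNK, so the caller passes it in. The two header-only sample blobs are constructed for this example; the only value taken from the article is the 2021-10-24 20:04:00 Source Created of test.txt.lnk, and the timestomped target date is an assumed placeholder.

```python
"""Parse the ShellLinkHeader of a .LNK file and flag Target Created > Source Created.

Added example for this article, not Kroll/KAPE/LECmd code. Header layout follows
MS-SHLLINK 2.1. Sample timestamps other than the article's 2021-10-24 20:04:00
Source Created are constructed for illustration.
"""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)                  # FILETIME epoch
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"                                # little-endian, no padding
HEADER_SIZE = struct.calcsize(HEADER_FMT)                       # 0x4C = 76 bytes


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Aware datetime -> FILETIME; None -> 0 ('not set'). Integer math, no float rounding."""
    return 0 if dt is None else ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def is_shell_link(data):
    """Magic check: HeaderSize == 0x4C and the fixed LinkCLSID at offset 4."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk_header(data):
    """Return the target metadata carried in the ShellLinkHeader of a .LNK blob."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link (.LNK) header")
    (_size, _clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    return {
        "link_flags": flags,
        "file_attributes": attrs,
        "target_created": filetime_to_dt(ctime),    # the article's Target Created
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
        "target_size": fsize,
    }


def check_lnk(source_created, header):
    """The article's test: a shortcut created by opening a file cannot legitimately
    predate that file, so Target Created later than Source Created (the .LNK's own
    $STANDARD_INFORMATION 0x10 created time) is flagged. Unset values are reported,
    not flagged."""
    tc = header["target_created"]
    if tc is None:
        return {"suspicious": False, "reason": "target created timestamp not set"}
    if tc > source_created:
        return {"suspicious": True,
                "reason": f"target created {tc.isoformat()} postdates .LNK created "
                          f"{source_created.isoformat()}"}
    return {"suspicious": False, "reason": "target created is not later than .LNK created"}


def build_sample_lnk(created, accessed, modified, size=0):
    """Construct a header-only .LNK blob for testing (no LinkInfo or StringData)."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, 0, 0x20,   # FILE_ATTRIBUTE_ARCHIVE
                       dt_to_filetime(created), dt_to_filetime(accessed),
                       dt_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL


# Source Created of test.txt.lnk as quoted in the article; target values below are constructed.
SOURCE_CREATED = datetime(2021, 10, 24, 20, 4, 0, tzinfo=UTC)
BEFORE_LNK = build_sample_lnk(datetime(2021, 10, 24, 20, 3, 30, tzinfo=UTC),   # test.txt created
                              datetime(2021, 10, 24, 20, 4, 0, tzinfo=UTC),    # then opened
                              datetime(2021, 10, 24, 20, 3, 30, tzinfo=UTC), size=9)
AFTER_LNK = build_sample_lnk(datetime(2022, 1, 1, 12, 0, 0, tzinfo=UTC),       # assumed stomped value
                             datetime(2021, 10, 24, 20, 4, 0, tzinfo=UTC),
                             datetime(2021, 10, 24, 20, 3, 30, tzinfo=UTC), size=9)

if __name__ == "__main__":
    for name, blob in (("before", BEFORE_LNK), ("after", AFTER_LNK)):
        hdr = parse_lnk_header(blob)
        print(name, hdr["target_created"], check_lnk(SOURCE_CREATED, hdr))
```

To run this against a real Recent folder, read each .lnk file's bytes into parse_lnk_header and pass its filesystem creation time as source_created (on Windows, os.stat(path).st_ctime is the creation time; wrap it with datetime.fromtimestamp(..., tz=UTC)); the parsed target values should match the Target Created/Modified/Accessed columns LECmd produces for the same file.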
