Replacing the original file without changing its creation date
Hello everyone, writing after a long time. This time I have decided to brief you all very quickly about an interesting concept in DFIR and TH (threat hunting). So today we will be looking at what File System Tunneling is, with a demonstration.
Concept in a nutshell
In Windows every file has metadata associated with it which, as the name implies, holds some information about the file. Windows caches this metadata even after the file is deleted or renamed; the cache duration is 15 seconds by default. If a new file with the same name is created within this period, the new file acquires the metadata of the old file.
This can be abused by an attacker: delete the original file and replace it with a new file containing dummy data, without altering the creation date etc.
Demonstration
Step 1: checking the target file
Let's check the content of A.txt
Now we know what our original file contains.
Step 2: Create a new file without modifying the creation date
Now our task is to abuse file system tunneling: delete the original file and replace it with a dummy file holding dummy data, without modifying the creation date, to evade detection or make the forensics guy's life miserable. Buhahahahaha!!!
To do this I will rename A.txt to B.txt, instruct the system to sleep for 5 seconds, and then create a new file with dummy data and the same name as A.txt.
Now let's check what B.txt and A.txt hold.
Now if an attacker wants to delete a file without altering the metadata, it's that easy for them.
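The same two steps as a PowerShell script, added here as an example and not part of the original post. It runs the rename/recreate sequence in a scratch folder under $env:TEMP (an assumed location; any NTFS path works), prints the timestamps at each stage, and then repeats the recreation with a wait longer than the cache window so you can see the difference. The registry value MaximumTunnelEntryAgeInSeconds under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem is the documented setting for that window; it is normally absent, which means the 15-second default applies.

```powershell
# Added example (not from the original post): reproduce file system tunneling
# in a scratch directory and show which timestamps survive the rename/recreate.
# Assumes an NTFS volume on Windows with tunneling at its default 15-second window.

$dir = Join-Path $env:TEMP 'tunnel-demo'   # assumed scratch location
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Push-Location $dir

function Show-Stamps([string]$Path, [string]$Label) {
    $f = Get-Item $Path
    '{0,-26} Created={1:HH:mm:ss.fff} Written={2:HH:mm:ss.fff} Size={3}' -f `
        $Label, $f.CreationTime, $f.LastWriteTime, $f.Length
}

# The configured cache window; the value is absent when the 15 s default applies.
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$age = (Get-ItemProperty -Path $fsKey -ErrorAction SilentlyContinue).MaximumTunnelEntryAgeInSeconds
'Tunnel entry age (s): ' + $(if ($null -eq $age) { '15 (default)' } else { $age })

# Step 1: the original file, created a little before the rest of the demo.
'original content' | Set-Content A.txt
$originalCreated = (Get-Item A.txt).CreationTime
Start-Sleep -Seconds 2
Show-Stamps A.txt 'A.txt (original)'

# Step 2: rename inside the window, wait 5 s, then recreate A.txt with dummy data.
Rename-Item A.txt B.txt
Start-Sleep -Seconds 5
'windows is joke' | Set-Content A.txt
Show-Stamps A.txt 'A.txt (recreated, 5 s)'
Show-Stamps B.txt 'B.txt (renamed original)'
$inherited = (Get-Item A.txt).CreationTime -eq $originalCreated
"Creation time inherited inside the window: $inherited"

# Step 3: delete and recreate again, this time waiting past the window.
Remove-Item A.txt
Start-Sleep -Seconds 20
'after the window' | Set-Content A.txt
Show-Stamps A.txt 'A.txt (recreated, 20 s)'
$inheritedLate = (Get-Item A.txt).CreationTime -eq $originalCreated
"Creation time inherited after the window: $inheritedLate"

Pop-Location
```

On a default configuration the 5-second recreation reports the original creation time while its last-write time and size are those of the dummy file, and the 20-second recreation does not inherit anything. That is the caveat worth remembering on the analysis side: tunneling only carries the creation timestamp (and the short/long name pairing) across to the new file; the modified time, size and MFT record belong to the new file, and the rename or delete and the new create are still recorded in the NTFS USN change journal, so a timeline that rests on the creation time alone is the part that gets fooled.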
That's it for today; meanwhile you can try
del A.txt && timeout 5 && echo "windows is joke" >> A.txt
:)