Deep Anti-Forensics: Timestomping, Rootkits, Secure Delete
The attacker has employed anti-forensic techniques: timestomping ($MFT $STANDARD_INFORMATION manipulation), log clearing (Security.evtx cleared, systemd journal vacuumed or truncated), NTFS alternate data stream hiding, rootkits, file-attribute masking, or secure deletion of specific indicators. Analysis that trusts the primary artifact alone (the $MFT timestamps, the local event log, live process enumeration) produces incomplete or misleading results.
Signals
- File timestamps are inconsistent between $STANDARD_INFORMATION and $FILE_NAME (e.g. $SI creation earlier than $FN creation, or all $SI values carrying a zeroed sub-second fraction); $FN is refreshed on rename or move, so confirm the file's rename history in the USN Journal before relying on this
- Security.evtx has unexpected gaps or was explicitly cleared (Event ID 1102; Event ID 104 in the System log covers the clearing of other logs)
- NTFS alternate data streams exist on files in unusual locations (`dir /r`, or `Get-Item -Stream *` in PowerShell)
- Hidden processes or kernel modules not visible to standard enumeration tools (the live view disagrees with an offline disk or memory-image view)
- Filesystem metadata suggests secure-delete activity (sdelete's rename pattern such as AAAAAAAA.AAA in $MFT or USN records, zeroed file content with a preserved MFT entry)
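The first signal above, as an added example that is not part of the original page: a Python check over MFT-derived records that flags $SI created earlier than $FN created and $SI timestamps that all sit on an exact second boundary. The record layout, field names and both sample records are this example's own constructions; a real workflow would feed it from an $MFT parser.

```python
"""Added example: flag $MFT records whose $STANDARD_INFORMATION ($SI) timestamps
look timestomped, using the $FILE_NAME ($FN) timestamps as the reference.
Sample records are constructed for illustration, not taken from a real case."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-ns ticks since 1601-01-01 UTC


def filetime_to_dt(ft: int) -> datetime:
    """Convert a raw FILETIME value to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def make_filetime(iso_utc: str, ticks: int = 0) -> int:
    """Build a FILETIME from an ISO-8601 UTC string plus a 100-ns tick remainder.
    Only used here to construct sample data; a real parser reads these from $MFT."""
    whole = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc) - FILETIME_EPOCH
    return (whole.days * 86400 + whole.seconds) * TICKS_PER_SECOND + ticks


def timestomp_indicators(record: dict) -> list[str]:
    """Return the names of timestomping indicators present in one MFT record.

    record = {"path": ..., "si": {created, modified, mft_modified, accessed},
              "fn": {created, modified, mft_modified, accessed}}  (all FILETIME ints)
    """
    si, fn = record["si"], record["fn"]
    flags = []
    # $FN timestamps are written by the kernel and cannot be set with SetFileTime, so
    # $SI created earlier than $FN created has no benign explanation for a file that
    # was never renamed or moved (a rename refreshes $FN; check the USN journal).
    if si["created"] < fn["created"]:
        flags.append("SI_created_before_FN_created")
    # Tools that accept a date/time string typically write timestamps on an exact
    # second boundary; every $SI value having a zero 100-ns fraction is rare in
    # genuine file activity.
    if all(v % TICKS_PER_SECOND == 0 for v in si.values()):
        flags.append("SI_subsecond_zeroed")
    # Weak signal on its own: copying a file also yields modified < created.
    if si["modified"] < si["created"]:
        flags.append("SI_modified_before_created_weak")
    return flags


def scan(records: list[dict]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; clean records are omitted."""
    out = {}
    for rec in records:
        flags = timestomp_indicators(rec)
        if flags:
            out[rec["path"]] = flags
    return out


# Constructed sample records (hypothetical paths and times).
SAMPLE_RECORDS = [
    {   # Ordinary document: $SI and $FN agree, sub-second fractions are non-zero
        "path": r"C:\Users\alice\report.docx",
        "si": {"created": make_filetime("2024-03-14T09:26:53", 4812345),
               "modified": make_filetime("2024-03-15T16:02:10", 1239),
               "mft_modified": make_filetime("2024-03-15T16:02:10", 1239),
               "accessed": make_filetime("2024-03-15T16:02:10", 7)},
        "fn": {k: make_filetime("2024-03-14T09:26:53", 4812345) for k in
               ("created", "modified", "mft_modified", "accessed")},
    },
    {   # Dropped binary backdated to 2019: every $SI value on a second boundary,
        # while $FN still records the real 2024 creation.
        "path": r"C:\Windows\Temp\svchost.exe",
        "si": {k: make_filetime("2019-06-01T00:00:00") for k in
               ("created", "modified", "mft_modified", "accessed")},
        "fn": {k: make_filetime("2024-03-20T13:05:11", 2200199) for k in
               ("created", "modified", "mft_modified", "accessed")},
    },
]

if __name__ == "__main__":
    for path, flags in scan(SAMPLE_RECORDS).items():
        print(path, flags, filetime_to_dt(SAMPLE_RECORDS[1]["fn"]["created"]))
```

Treat `SI_created_before_FN_created` as strong only after the USN Journal shows no rename or move for that MFT entry; the zeroed-fraction check is independent of rename history and is the cheaper first pass over a whole volume.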
Pivot Actions
1. Cross-reference multiple independent timeline sources ($MFT, USN Journal, Prefetch, Amcache, Shimcache, EVTX); no single source can be trusted alone in the presence of anti-forensics, and a claim that an independent source contradicts is itself a finding
2. Use the USN Journal ($UsnJrnl:$J) to recover deleted or cleared events; it is commonly missed by attacker cleanup and records the rename and BASIC_INFO_CHANGE (timestamp or attribute change) operations that timestomping and secure-delete tools generate
3. Check Volume Shadow Copies for pre-tampering file versions (`vssadmin list shadows`, then mount or image the snapshot rather than reading it from the live system)
4. For suspected rootkits, perform offline analysis from a trusted boot medium or a mounted disk image rather than relying on live enumeration; the differences between the live and offline views point at what the rootkit hides
5. Look for the anti-forensic activity itself as a separate IoC: sdelete or `cipher /w` execution (Prefetch, Amcache, Event ID 4688 where process auditing is enabled), BASIC_INFO_CHANGE bursts in the USN Journal, `wevtutil cl` or `Clear-EventLog` usage, and the Event ID 1102 clear event
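Steps 1, 2 and 5 of the procedure above, as one added example that is not part of the original page: three independent sources from the same host ($MFT $SI creation times, $UsnJrnl:$J records, and Security.evtx) are cross-referenced in Python, and each finding is something one source asserts that another contradicts or that records the anti-forensic act itself. All sample data is constructed, file names are hypothetical, and matching USN records to files by base name is a simplification of the MFT-reference join real tooling performs.

```python
"""Added example: cross-reference three independent host timeline sources, the $MFT
($SI created times), the USN journal ($UsnJrnl:$J) and Security.evtx, and flag what
one source claims but another contradicts. All sample data is constructed."""
from __future__ import annotations
from datetime import datetime, timezone


def ts(iso_utc: str) -> datetime:
    return datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)


# --- Constructed sample data (UTC), not from a real case -----------------------
# $MFT: path -> $STANDARD_INFORMATION created time, as the attacker left it
MFT = {
    r"C:\Windows\Temp\svchost.exe": ts("2019-06-01T00:00:00"),
    r"C:\Users\alice\report.docx": ts("2024-03-14T09:26:53"),
}
# $UsnJrnl:$J: (timestamp, file name, reason flags); usually untouched by cleanup
USN = [
    (ts("2024-03-20T13:05:11"), "svchost.exe", {"FILE_CREATE"}),
    (ts("2024-03-20T13:05:12"), "svchost.exe", {"DATA_EXTEND", "CLOSE"}),
    (ts("2024-03-20T13:07:40"), "svchost.exe", {"BASIC_INFO_CHANGE", "CLOSE"}),
    (ts("2024-03-14T09:26:53"), "report.docx", {"FILE_CREATE"}),
]
# Security.evtx: (timestamp, EventRecordID, EventID); record 1 is the 1102 clear
EVTX = [
    (ts("2024-03-20T13:09:30"), 1, 1102),
    (ts("2024-03-20T13:09:31"), 2, 4624),
]


def usn_create_conflicts(mft, usn, tolerance_seconds=60):
    """Files whose USN FILE_CREATE time is later than their $SI created time.
    A file cannot exist before its creation record, so the $SI value is the one
    that was altered. Base-name matching is a simplification of joining on the
    MFT reference number that each USN record carries."""
    created_in_usn = {}
    for when, name, reasons in usn:
        if "FILE_CREATE" in reasons:
            created_in_usn.setdefault(name.lower(), when)
    conflicts = {}
    for path, si_created in mft.items():
        usn_created = created_in_usn.get(path.rsplit("\\", 1)[-1].lower())
        if usn_created is not None and \
                (usn_created - si_created).total_seconds() > tolerance_seconds:
            conflicts[path] = (si_created, usn_created)
    return conflicts


def basic_info_changes_after_create(usn, window_seconds=600):
    """Files that received a BASIC_INFO_CHANGE (the USN reason that SetFileTime
    and attribute changes generate) shortly after creation: the act of
    timestomping, recorded by a source the attacker did not clean."""
    first_create = {}
    for when, name, reasons in usn:
        if "FILE_CREATE" in reasons:
            first_create.setdefault(name.lower(), when)
    suspects = set()
    for when, name, reasons in usn:
        created = first_create.get(name.lower())
        if "BASIC_INFO_CHANGE" in reasons and created is not None \
                and 0 < (when - created).total_seconds() <= window_seconds:
            suspects.add(name.lower())
    return suspects


def evtx_clear_window(evtx):
    """(time of the earliest 1102 clear event, True if record IDs restart at 1),
    or None. Everything before that time must come from SIEM, VSS or peer hosts."""
    clears = sorted(when for when, _rid, eid in evtx if eid == 1102)
    if not clears:
        return None
    return clears[0], min(rid for _when, rid, _eid in evtx) == 1


def build_findings():
    return {
        "si_vs_usn_create": usn_create_conflicts(MFT, USN),
        "timestomp_acts": basic_info_changes_after_create(USN),
        "security_log_cleared": evtx_clear_window(EVTX),
    }


if __name__ == "__main__":
    for key, value in build_findings().items():
        print(f"{key}: {value}")
```

The clear time returned by `evtx_clear_window` is the boundary to hand to the SIEM and Volume Shadow Copy searches: local Security.evtx is authoritative only after it, and the attacker's activity window sits before it.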
Alternate Evidence Sources
- USN Journal ($UsnJrnl:$J), which retains records after the files or logs they describe are deleted
- Volume Shadow Copies (VSS) holding pre-tampering snapshots of $MFT, the event logs and the files themselves
- Filesystem journals ($LogFile for NTFS, the jbd2 journal for ext3/ext4) capturing transactional history
- Centralized log aggregation (SIEM) that ingested logs before local tampering; comparing forwarded record IDs with the surviving local log sizes the gap
- Peer-host and network telemetry (authentication on the domain controller, proxy and firewall logs, EDR) that records the same events independently