A simple tool for analyzing temporal inconsistencies in the NTFS file system using causality-based rules introduced by Svein Yngvar Willassen.
The tool implements the following causality rules described in the paper:
- Allocation Sequence Causality
- Sequence Number Causality
These rules were introduced in the paper:
Additionally, the tool utilizes the Hypertimeline concept to identify cycle formations that may indicate antedating or manipulation of file system artifacts.
The Hypertimeline concept is based on:
The Hypertimeline approach is simulated by a custom in-memory engine that uses the petgraph library for graph representation and cycle detection.
Allocation Sequence Causality uses the first-fit allocation strategy of NTFS to establish temporal relationships. The sequence number combined with the position of the entry in the MFT defines the implicit order of allocation.
The file creation timestamp residing in the $STANDARD_INFORMATION attribute is utilized as the explicit timestamp for the allocation event. The rule correlates the pair (MFT position, sequence number) with the creation timestamp to identify inconsistencies.
For more information, please refer to the original paper by Willassen.
In NTFS, there are two different systematic counters that are strictly increasing:
- Logical Sequence Number (LSN): used by the $LogFile to uniquely identify a single log record. It can also be found in the header section of each MFT entry.
- Update Sequence Number (USN): used by the $UsnJrnl to uniquely identify a single journal record. It can also be found in the $STANDARD_INFORMATION attribute of each MFT entry.
For the sequence number causality rule, these counters are utilized to define the sequence of events, representing the implicit order. The record change timestamp located in the $STANDARD_INFORMATION attribute is selected as the explicit timestamp to correlate with the implicit order defined by the LSN and USN values.
The principle is straightforward: when comparing two different MFT entries, if one entry has a larger LSN or USN value than the other, it must also have a more recent record change timestamp. Since these counters are strictly increasing, a higher value implies that a more recent file system operation must have been performed on that entry.
For more information, please refer to the original paper by Willassen.
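The following is an added example (not the tool's own code) of the sequence number causality rule and of the Hypertimeline cycle check described above. It assumes constructed MFT entries with an LSN and a record-change time given as plain integer seconds, and replaces petgraph with a small DFS so the snippet runs stand-alone.

```rust
/// One MFT entry: record number, header LSN and the $STANDARD_INFORMATION
/// record-change time. Values below are constructed, not from a real image.
#[derive(Debug, Clone, Copy)]
pub struct MftEntry {
    pub record: u64,
    pub lsn: u64,
    pub record_changed: i64,
}

/// Sequence Number Causality: a larger LSN means a later file system
/// operation, so its record-change timestamp must not be older.
/// Returns the offending (lower-LSN, higher-LSN) record-number pairs.
pub fn lsn_causality_violations(entries: &[MftEntry]) -> Vec<(u64, u64)> {
    let mut out = Vec::new();
    for a in entries {
        for b in entries {
            // a precedes b in the implicit (LSN) order, yet a's explicit
            // timestamp claims it was changed after b: inconsistency.
            if a.lsn < b.lsn && a.record_changed > b.record_changed {
                out.push((a.record, b.record));
            }
        }
    }
    out
}

/// Hypertimeline view: implicit (LSN) and explicit (timestamp) orders both
/// become "happened-before" edges; a cycle means the two orders contradict.
pub fn has_cycle(entries: &[MftEntry]) -> bool {
    let n = entries.len();
    let mut adj: Vec<Vec<usize>> = vec![Vec::new(); n];
    for i in 0..n {
        for j in 0..n {
            let (a, b) = (entries[i], entries[j]);
            if a.lsn < b.lsn || a.record_changed < b.record_changed {
                adj[i].push(j);
            }
        }
    }
    // state: 0 = unvisited, 1 = on the DFS stack, 2 = finished
    fn dfs(u: usize, adj: &[Vec<usize>], state: &mut [u8]) -> bool {
        state[u] = 1;
        for &v in &adj[u] {
            if state[v] == 1 || (state[v] == 0 && dfs(v, adj, state)) {
                return true;
            }
        }
        state[u] = 2;
        false
    }
    let mut state = vec![0u8; n];
    (0..n).any(|s| state[s] == 0 && dfs(s, &adj, &mut state))
}

/// Constructed sample: record 42 has the highest LSN but an older timestamp.
pub fn sample() -> Vec<MftEntry> {
    vec![
        MftEntry { record: 40, lsn: 1000, record_changed: 1_700_000_000 },
        MftEntry { record: 41, lsn: 1200, record_changed: 1_700_000_100 },
        MftEntry { record: 42, lsn: 1500, record_changed: 1_600_000_000 },
    ]
}
```

Both checks flag the same antedated record: the pairwise rule names the conflicting pairs, while the cycle test only says that some contradiction exists.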
Run the tool:

```
NTFS-Temporal-Causality --file <NTFS_IMAGE> --offset <PARTITION_OFFSET> --causality <CAUSALITY_RULE> [--sector-size <BYTES>] [--ignore-dos] [--ignore-dirs] [--ignore-files <MFT_IDS>]
```
Arguments:
- `-f, --file <FILE>`: NTFS image file path.
- `-o, --offset <OFFSET>`: Offset to the start of the NTFS partition in bytes (refer to Sleuth Kit `mmls`).
- `-c, --causality <CAUSALITY_RULE>`: Causality rule to apply. Possible values (from `clap::ValueEnum`): `allocation-sequence-causality`, `logical-sequence-number-causality`, `update-sequence-number-causality`.
- `--sector-size <SECTOR_SIZE>`: Sector size in bytes. Default: 512.
- `--ignore-dos`: Ignore OS-related files.
- `--ignore-dirs`: Ignore directory entries.
- `--ignore-files <IGNORE_FILES>`: Comma-separated list of MFT record IDs to ignore (e.g., `5,6,7`).
- Allocation Sequence Causality, ignoring OS files and directories:

```
NTFS-Temporal-Causality -f disk.img -o 1048576 -c allocation-sequence-causality --ignore-dos --ignore-dirs
```

- LSN causality:

```
NTFS-Temporal-Causality -f disk.img -o 1048576 -c logical-sequence-number-causality
```

- USN causality, ignoring specific MFT records:

```
NTFS-Temporal-Causality -f disk.img -o 1048576 -c update-sequence-number-causality --ignore-files 5,6,7
```
