File x30 timestamps

[abdelwahhab-s]

Summary

(Master File Table) MFT records have multiple timestamps labeled as x10 and x30 as in the example below. x10 are timestamps that are most commonly used and visible to the user, while the x30 are internal timestamps maintained by the file system. Mostly the x10 are used for the majority of the usecases, however for some other security usecases, both those timestamps need to be investigated to detect malicious activities like timestomping, and both the fields would be required in the events.

    "Created0x10": "<timestamp>",
    "LastModified0x10": "<timestamp>",
    "LastModified0x30": "<timestamp>",
    "LastRecordChange0x10": "<timestamp>",
    "LastRecordChange0x30": "<timestamp>",
    "LastAccess0x10": "<timestamp>",
    "LastAccess0x30": "<timestamp>"

Motivation:

A custom field might be used like "ntfs": {"created_x30": "xxx","accessed_x30":"xxx", ...} but that might be a bit a far from the file information inside the document. So It might be better to add the other timestamps with _x30 on top of the current ones under the file field.

The potential result:

"file": {
      "created": "<timestamp>",
      "accessed": "<timestamp>",
      "accessed_x30": "<timestamp>",
      "mtime": "<timestamp>",
      "mtime_x30": "<timestamp>",
      "ctime": "<timestamp>",
      "ctime_x30": "<timestamp>"
}