I'll be back in 15 seconds. Or, maybe not. File system tunneling

Hi, Minions:

This is another of those articles that, for one reason or another, got stuck. I had it pending on my 'ToDo' list, half completed, for a long, long time. And precisely because so much time has passed, I have restarted all the tests I had left half completed: working environments change, and so do the systems.

You could say that this article came up by chance, a very long time ago... although it has some relation with another article that I took up, also, a long time ago, and that I published under the title of 'One byte makes the difference: MFT Resident File'.

 

Introduction

We must know and understand how the systems we analyse behave. They have a multitude of characteristics. Some are known; others are yet to be 'discovered'. Some are present in certain versions and not in others, as happens, for example, with the content I published in the article 'Windows and its anti-forensic side, (Plug and Play Cleanup and setupapi[.]dev)'. Some of those features may be recent, and some may have been there forever. Some may have a strong impact on a forensic analysis, and some may have no serious impact on certain types of analysis. But we won't know which is which unless we understand how those features work. It is important to have a deep understanding of systems, as Harlan Carvey mentioned in an article he published on May 8, 2019, (Deep Knowledge, and the Pursuit Thereof).

There are times when we are so focused on a task that, despite observing strange behaviour in the work environment, we do not pay the attention it deserves because, apparently, it has nothing to do with the task we are carrying out at the time.

It's happened to me, and it's going to happen to me. And, surely, it has happened to you and it will happen to you.

Big mistake.

The feature I want to talk to you about today is the tunnelling of the file system. You're probably familiar with this feature, or maybe you're not familiar with it at all. In any case, I'm sure you've seen it on more than one occasion.

"It's important to have a thorough understanding of systems, but it's impossible to know everything about them."

So, as Brett Shavers rightly says in the article he published under the title "Don't look back. Try to keep up. This is #DFIR."

"When you search for an answer and find it, retaining what you learn is much better than posting a question in a forum and waiting for someone to provide the answer."

 

The importance of documentation

It is vital to do your research before starting a job.

File system tunneling is considered by some analysts to be a "somewhat obscure" feature of Windows. It means that when you delete a file and then create another with the same name in the same path, the new file inherits the creation date of the deleted one. This happens only if the second operation takes place within a certain time, (according to some of the articles I have been reading, up to 15 seconds by default). That is, specific conditions have to be met before you can observe how this functionality reuses some metadata from another file.

"If we don't know these 'special' characteristics, we can get confused."

If we don't know about this type of characteristic, we end up confused, unable to give an answer or to explain the reason for this peculiarity.

I've read and studied the articles I've found on this subject. Let's do some chronology!

Some very interesting articles have been written on this topic, although the original Microsoft documentation that mentions this feature, and that those other articles reference, is no longer available, (http://support.microsoft.com/?kbid=172190). (I asked the Infosec and DFIR community, but no one seems to have the content of that article, since no one has ever responded to me). So, right now, there is no official documentation about it. I hate that official documentation is missing.

"Lack of documentation increases confusion."

Luckily, Dan O'Day was kind enough to preserve some of the content of those 'lost' articles in his GitHub repository.

It seems that this Microsoft article mentioned that both the NTFS and FAT file systems have this tunneling peculiarity. I quote from the file system tunneling content that Dan copied into his repository, which other articles have also cited:

"The Microsoft Windows products listed at the beginning of this article contain file system tunneling capabilities to allow compatibility with programs that rely on file systems to maintain file meta-information for a short period of time.

"When a file is deleted from a directory, (rename or delete), its short/long name pair and the time of creation are saved in a cache, along with the name that has been deleted. When a file is added to a directory, (rename or create), the cache is searched for information to restore. The cache is effective for each instance of a given directory. If a directory is deleted, the corresponding cache is removed."

"The idea is to mimic the behavior that MS-DOS programs expect when they use the secure storage method. They copy the changed data to a temporary file, delete the original and rename the temporary to the original. This should look like the original file when it is complete. Windows tunnels through the FAT and NTFS file systems to ensure that the long/short file names are preserved when 16-bit applications perform this secure storage operation."

"The tunnel cache time can be adjusted from the default time of 15 seconds, or if the tunnel capabilities are not desirable, it can be turned off by adding a value in the Windows Registry."

"If tunneling is disabled, applications using this secure storage method may lose the name they do not know, usually LFN, and rediscovery of the shortcut targets could be affected, as the creation timestamps cannot remain constant for files handled by such applications. Maintaining the creation timestamp is possible in the absence of tunneling if an application is smart enough. The same is not true for long file names."

"...allow compatibility with programs that rely on file systems to maintain file meta-information for a short period of time. This occurs after deleting or renaming and recreating a new directory entry with that meta-information, (if a creation or renaming occurs that causes a file with that name to appear again in a short period of time)".


 

File system metadata is always cached, as you can read in this article from Microsoft's official site.

In this other Microsoft article, dated July 15, 2005, (The apocryphal history of file system tunnelling), which also mentions tunneling in file systems, the reason for it is explained, noting that this feature was already implemented in Windows 95.

I can't help but get excited... So much nostalgia... Windows 95...

This article also mentions that after deleting a file with a long file name, the file generated later, within a certain time, with the same name and identical location, will inherit, in addition to the creation date, the same short file name as the deleted file.

The last sentence of that article caught my attention very much:

"Fragments of information about recently deleted or renamed files are stored in data structures called 'quarks'."

That is, according to this Microsoft article, during the tunneling effect some of the information in the affected file is temporarily saved.

Looking for information about this, I found an article published on August 22, 2007, (Windows Date Created Timestamp strangeness), which says that Windows caches the timestamp of the deleted file for some time, and that this time can be up to 8 minutes.

On April 11, 2010, Harlan had already started publishing material related to this file system tunneling functionality. As Harlan mentions in that article, under normal circumstances timestamps, (via timelines), already pose some difficulty in analysis. If you add to that difficulty more elements that are perhaps unknown... 'Turn off and let's go!'

It is mentioned in another article, published on 7 February 2012, (File System Tunneling in Windows), that tunneling is related to the fact that some programs using the secure storage method copy the modified data to a temporary file before deleting the original file and rename the temporary file with the original file name.

File system tunneling can be disabled, and it can also be assigned a specific time, given in seconds. The first article I've seen that mentions this, besides the extract from the official documentation that Dan kept, is one published on February 24, 2014, (Microsoft Windows File System Tunneling). According to that article, both operations are carried out by adding a pair of values to the Windows Registry, under the FileSystem key:

To disable file system tunneling, add the value

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\MaximumTunnelEntries

and set it to '0'.

To modify the tunneling time, add the value

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\MaximumTunnelEntryAgeInSeconds

and set it to the desired number of seconds.

Harlan also published another very interesting article on this subject, with interesting evidence, on July 22, 2014, (File system ops, effects on MFT records). According to the evidence he presented, he concluded that during file system tunneling the original file record in the MFT is marked as 'deleted' and a new record is assigned to the new file created during that tunneling. It could also be seen that $UsnJrnl contains entries showing that file system tunneling has taken place.

On August 2, 2013, Blazer Catzen published in David Cowen's Blog a good presentation on this topic, which you can download from his Google site.

I couldn't find any other material that caught my attention until Hideaki Ihara first published an article on October 12, 2018, (File System Tunneling and E:\), where he performs some tunneling tests on a USB device. Hideaki published another article, on October 19, 2018, (File System Tunneling and C:\), performing the same tests on a local disk.

Finally, more recently I found another interesting article, published on April 13, 2019, (File System Tunneling in Windows), which is very well explained, with interesting evidence, and which links to a very interesting PDF document that you can download from Microsoft's official site. This document, titled "File System Behavior in the Microsoft Windows Environment", mentions, among other things, that the FAT, NTFS and exFAT file systems support file tunnelling, while the UDF file system does not.

And this is the extent of the documentation I have followed in order to study and understand tunneling. But... Even with all that has been written, I have some doubts. Doubts that I'm going to try to clear up on my own.

 

The test environment

For the tests I have carried out, I have chosen to use a Windows 10 system, in its version 18363, and a Windows 10 system, in its version 17763. Both systems have been virtualized with VirtualBox, assigning 8 GB of RAM and 4 processors to each of them.

You can download Microsoft Windows virtual machines for virtualized environments from their official site at the following links:

- https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

- https://developer.microsoft.com/es-es/windows/downloads/virtual-machines/

On each of the virtualized Windows 10 systems I performed a number of actions. More specifically, I can say that I divided the tests into the following five actions for each system:

- CCDR - Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- CCRR - Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'.

- CDC - Create a file 'A' in a folder; delete file 'A'; and recreate a file 'A', in the same folder.

- CMC - Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same folder.

- CRC - Create a file 'A' in a folder; rename file 'A' as 'B'; and create a file 'A', in the same folder.

The meaning of the abbreviations is:

- C = Create

- D = Delete

- R = Rename

- M = Move

In turn, each of these actions has been carried out under a series of conditions, combined with each other:

- A waiting time of 1400 milliseconds.

- A waiting time of 1500 milliseconds.

- A waiting time of 1600 milliseconds.

- Long file names.

- Short file names.

- A file size of 512 bytes.

- A file size of 4096 bytes.

At the same time, all these tests have been executed:

- On a system with a default configuration.

- On a system with tunneling disabled.

- On a system with a certain tunneling value.

- On a system with a maximum tunneling value.

- In a system with the creation of short names disabled.

- In a system with timestamp updating disabled.

These are just some of the possible combinations I've come up with, but there are more. Even so, you can calculate the total number of runs I have carried out, on both systems, and get an idea of the time spent on all these tests and their subsequent analysis. You can rest assured, because I will not expose all the results I have obtained in the tests. I'll just stick to those that I think are of interest. But don't miss out on a good cup of coffee ;)

Each of the actions, described above, has been automated by a small script in PowerShell, with the following structure
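As an added example that is not part of the original post, here is a PowerShell script of that shape for the CCDR action, which also covers the registry values from the section above. It reads the two tunneling values the article cites plus two assumed ones (NtfsDisable8dot3NameCreation and NtfsDisableLastAccessUpdate, which are not named on the page), then creates, deletes and renames files under an assumed folder, C:\Test, with the 512-14-LFN01/02 names, and reports whether the renamed file inherited the deleted file's creation time.

```powershell
# Added example (not the author's script): reproduce the CCDR action on Windows and
# check whether the renamed file inherited the deleted file's creation time.
# Assumptions: a writable test folder, the file names below, and a 14000 ms wait.
param(
    [string]$Folder  = 'C:\Test',
    [string]$NameA   = '512-14-LFN01',
    [string]$NameB   = '512-14-LFN02',
    [int]$SizeBytes  = 512,
    [int]$WaitMs     = 14000
)

# 1. Report the registry values that govern tunneling. The two Maximum* values are the
#    ones the article cites; the other two are assumed here (not named on the page) for
#    the 'short names disabled' and 'timestamp updating disabled' test conditions.
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$props = Get-ItemProperty -Path $fsKey
foreach ($name in 'MaximumTunnelEntries', 'MaximumTunnelEntryAgeInSeconds',
                  'NtfsDisable8dot3NameCreation', 'NtfsDisableLastAccessUpdate') {
    $val = $props.$name
    if ($null -eq $val) { $val = '(not set, default)' }
    Write-Host ('{0,-32} = {1}' -f $name, $val)
}
# To disable tunneling as the article describes (from an elevated prompt):
#   Set-ItemProperty -Path $fsKey -Name MaximumTunnelEntries -Value 0 -Type DWord

# 2. Create file A, then file B ten seconds later, both of the requested size.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$pathA = Join-Path $Folder $NameA
$pathB = Join-Path $Folder $NameB
$content = New-Object byte[] $SizeBytes
[System.IO.File]::WriteAllBytes($pathA, $content)
Start-Sleep -Seconds 10
[System.IO.File]::WriteAllBytes($pathB, $content)

# CreationTime is read from $STANDARD_INFORMATION, the 'SI' attribute the article compares.
$createdA = (Get-Item -LiteralPath $pathA).CreationTimeUtc
$createdB = (Get-Item -LiteralPath $pathB).CreationTimeUtc
Write-Host "Before: $NameA created $createdA ; $NameB created $createdB"
cmd /c dir /x "$Folder"    # lists the 8.3 short names that tunneling relies on

# 3. Delete A, wait, rename B to A. (The author also paused 300 s before this step to
#    extract $MFT and $LogFile; that pause is not needed just to observe the effect.)
Remove-Item -LiteralPath $pathA
Start-Sleep -Milliseconds $WaitMs
Rename-Item -LiteralPath $pathB -NewName $NameA

# 4. Compare the SI creation time of the renamed file with both original values.
$after = (Get-Item -LiteralPath $pathA).CreationTimeUtc
if ($after -eq $createdA) {
    Write-Host "Tunnel effect: $NameA now carries the deleted file's creation time ($after)"
} elseif ($after -eq $createdB) {
    Write-Host "No tunnel effect: $NameA keeps its own creation time ($after)"
} else {
    Write-Host "Unexpected creation time $after"
}
cmd /c dir /x "$Folder"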

During the execution of each one of these scripts I have proceeded to extract the files '$MFT' and '$LogFile', with the OSForensics tool, in its portable version, (You can use any other, like FTK Imager Lite). The extraction of these files has been carried out just after the creation of the first file and just after the execution of the script. That is, both elements have been extracted twice, for each execution, in order to compare the before and after information.

Similarly, I have allowed 300 seconds to elapse just after preparing the files for the tunnel effect. 300 seconds is more than enough time to extract the necessary elements for later analysis and to take some screenshots with the Active@ Disk Editor tool, in order to study the different attributes and metadata of each of the files involved.

Regarding the processing of the extracted '$MFT' and '$LogFile' files, I have chosen to use the FTE and MFTECmd tools for the analysis of the '$MFT', (for the contrasting data and other weird things I like to do), and the LogFileParser tool for the analysis of the '$LogFile'.

A short version...

Thank you, statistics!! I have been able to verify, thanks to the statistics, that you will not spend more than two minutes reading any of my articles. That's why I'm going to present now, and not at the end, as I usually do, a brief summary of the work done.

The file system tunneling will become visible, according to my tests, if the actions are carried out within 15000 milliseconds, on a system with a default configuration. All this, regardless of the size of the file and the type of file name, with one exception.

Tunneling is generated when:

- A file 'A' is created in the folder 'X', a file 'B' is created in the folder 'X', file 'A' is deleted and file 'B' is renamed to 'A'.

- A file 'A' is created in the folder 'X', a file 'B' is created in the folder 'X', file 'A' is renamed as 'C' and file 'B' is renamed as 'A'.

- A file 'A' is created in the folder 'X', file 'A' is deleted, another file 'A' is created in the folder 'X'.

- A file 'A' is created in the folder 'X', file 'A' is moved to the folder 'Z' and another file 'A' is created in the folder 'X'.

- A file 'A' is created in the folder 'X', the file 'A' is renamed as 'B' and another file 'A' is created in the folder 'X'.

Of the cases mentioned above, the only exception where the tunnel effect will not be generated is in the case of combining a long file name with its short name equivalent.

If file system tunneling is disabled, it will not occur under any conditions, except for the very action of overwriting a file.

You can customize the file system tunneling time, up to a maximum, determined in seconds.

The maximum time the file system can be tunnelled is 71000 milliseconds.

Disabling the creation of short file names, (8.3), also disables the tunnelling of the file system, since tunnelling is based on such names.

Disabling the update of timestamps does not affect the tunnel effect. That is, even if this function is disabled, it is still generated.

A new MFT entry is not assigned in all cases to the file causing the tunnel effect. In fact, in those actions that involve deleting file 'A', the MFT entry is reused for file 'B'. This has been observed with file system tunneling disabled, with the creation of short names, (8.3), disabled, and in the case of file overwriting.

When a tunnel effect is generated, we will not always find a discrepancy between the creation dates of the 'SI' and 'FN' attributes. In fact, there will be occasions when we must base the study on the discrepancy between dates within the 'SI' attribute itself.

The answer to the explanation of a tunnel effect will be found in the analysis of the '$LogFile' file.

 

Testing in a Default System

 

CCDR

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 29-05-2020 at 16:12:45. This file was assigned the entry number 93994 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-14-LFN02', in the same folder, at 16:12:55. This second file was assigned entry number 93996 in the MFT.

After waiting 300 seconds, the file was deleted with the name '512-14-LFN01' and, after a wait of 14000 milliseconds, the file was renamed '512-14-LFN02' to '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which occupied the entry number 93994 in the MFT, has been deleted and, the file '512-14-LFN02', which occupies the entry 93996 in the MFT, has now been renamed '512-14-LFN01'.

Regarding the time stamps, the renamed file was created on 29-05-2020 at 16:12:55, (in green). However, as you can see, by renaming it with the same file name as the deleted one, it acquires the creation date of that deleted file, at 16:12:45, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN01' was created in the system in the 'Test' folder, on 01-06-2020 at 10:23:22. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-15-LFN02', in the same folder, at 10:23:32. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file was deleted with the name '512-15-LFN01' and, after a wait of 15000 milliseconds, the file was renamed '512-15-LFN02' to '512-15-LFN01'.

As you can see from the above table extracts, the file '512-15-LFN01', which occupied the entry number 93893 in the MFT, has been deleted and, the file '512-15-LFN02', which occupies the entry 94000 in the MFT, has now been renamed '512-15-LFN01'.

As far as time stamps are concerned, in both cases the original dates are shown for each of the two files, so, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a short name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 30-05-2020 at 15:05:08. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file with the short name '512-14~2', which is the equivalent of a short name 8.3, was created in the same folder at 15:05:18. This second file was assigned the entry number 93996 in the MFT.

After waiting 300 seconds, the file with the name '512-14-LFN01' was deleted and, after a wait of 14000 milliseconds, the file '512-14~2' was renamed to '512-14~1', which is the 8.3 short name equivalent of the file '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which occupied the entry number 93893 in the MFT, has been deleted and, the file '512-14~2', which occupies the entry 93996 in the MFT, has now been renamed '512-14~1'.

Regarding the time stamps, in both cases the original dates are shown for each of the two files, so in this case, with a waiting time of 14000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a short name

- Create a 512-byte 'B' file with a short name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the short name '512-14~1' was created in the system in the 'Test' folder, on 01-06-2020 at 05:26:59. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file with the short name '512-14~2' was created in the same folder at 05:27:09.

After waiting 300 seconds, the file was deleted with the name '512-14~1' and after a wait of 14000 milliseconds, the file was renamed '512-14~2' to '512-14~1'.

As you can see from the table extracts above, the file '512-14~1', which originally occupied the entry number 93893, is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 05:33:08. On the other hand, the file '512-14~2', which occupies the 94000 entry in the MFT, has now been renamed '512-14~1'.

As far as timestamps are concerned, the renamed file was created on 01-06-2020 at 05:27:09, (in green). However, as you can see, when you rename it with the same file name as the deleted one, it acquires the creation date of that deleted file, at 05:26:59, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a short name

- Create a 512-byte 'B' file with a short name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the short name '512-15~1' was created in the system in the 'Test' folder, on 02-06-2020 at 09:09:28. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file with the short name '512-15~2' was created in the same folder at 09:09:38. This second file was assigned the entry number 94000 in the MFT.

After waiting 300 seconds, the file was deleted with the name '512-15~1' and after a wait of 15000 milliseconds, the file was renamed '512-15~2' to '512-15~1'.

As you can see from the above table excerpts, the file '512-15~1', which originally occupied the entry number 93893, is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 09:15:42. On the other hand, the file '512-15~2', which occupies the entry 94000 in the MFT, has now been renamed '512-15~1'.

As far as time stamps are concerned, in both cases the original dates for the file '512-15~1' are shown, so in this case, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a long name

- Create a 4096-byte 'B' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 31-05-2020 at 14:20:22. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-14-LFN02', in the same folder, at 14:20:32. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file was deleted with the name '512-14-LFN01' and, after a wait of 14000 milliseconds, the file was renamed '512-14-LFN02' to '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which occupied the entry number 93893 in the MFT, has been deleted and, the file '512-14-LFN02', which occupies the entry 94000 in the MFT, has now been renamed '512-14-LFN01'.

As far as time stamps are concerned, the renamed file was created on 31-05-2020 at 14:20:32, (in green). However, as you can see, by renaming it with the same file name as the deleted one, it acquires the creation date of that deleted file, at 14:20:22, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a long name

- Create a 4096-byte 'B' file with a long name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN01' was created in the system in the 'Test' folder, on 02-06-2020 at 18:23:35. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file with the long name '512-15-LFN02' was created in the same folder at 18:23:46. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file was deleted with the name '512-15-LFN01' and, after a wait of 15000 milliseconds, the file was renamed '512-15-LFN02' to '512-15-LFN01'.

As you can see from the extracts of the previous tables, the file '512-15-LFN01', which originally occupied the entry number 93893, is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 18:30:02. On the other hand, the file '512-15-LFN02', which occupies the 94000 entry in the MFT, has now been renamed '512-15-LFN01'.

Regarding the timestamps, in both cases the original dates for the file '512-15-LFN01' are shown, so in this case, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 4096-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '4096_512_14_Seconds01' was created in the system in the 'Test' folder, on 02-06-2020 at 09:18:09. After waiting 10 seconds, a second file was created with the long name '4096_512_14_Seconds02', in the same folder, at 09:18:19. This second file was assigned entry number 94001 in the MFT.

After waiting 300 seconds, the file was deleted with the name '4096_512_14_Seconds01' and, after a wait of 14000 milliseconds, the file '4096_512_14_Seconds02' was renamed to '4096_512_14_Seconds01'.

As you can see from the above table extracts, the file '4096_512_14_Seconds01', which occupied the entry number 93893 in the MFT, has been deleted and, the file '4096_512_14_Seconds02', which occupies the entry 94001 in the MFT, has now been renamed '4096_512_14_Seconds01'.

Regarding the time stamps, the renamed file was created on 02-06-2020 at 09:18:19, (in green). However, as you can see, when you rename it with the same file name as the deleted one, it acquires the creation date of that deleted file, at 09:18:09, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '4096_512_15_Seconds01' was created in the system in the 'Test' folder, on 02-06-2020 at 09:25:51. This file was assigned entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '4096_512_15_Seconds02', in the same folder, at 09:26:01.

After waiting 300 seconds, the file was deleted with the name '4096_512_15_Seconds01' and, after a wait of 15000 milliseconds, the file '4096_512_15_Seconds02' was renamed to '4096_512_15_Seconds01'.

As you can see from the above table extracts, the file '4096_512_15_Seconds01', which occupied the entry number 93893 in the MFT, has been deleted and, the file '4096_512_15_Seconds02', which occupies the entry 94000 in the MFT, has now been renamed '4096_512_15_Seconds01'.

With regard to the time stamps, in both cases the original dates are shown for each of the two files, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

CCRR

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'.

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Rename the file 'A' as 'C'

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 29-05-2020 at 15:54:55. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-14-LFN02', in the same folder, at 15:55:06. This second file was assigned entry number 93995 in the MFT.

After waiting 300 seconds, the file '512-14-LFN01' was renamed to '512-14-LFN03' and, after a wait of 14000 milliseconds, the file '512-14-LFN02' was renamed to '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-14-LFN02', which occupies the entry 93995 in the MFT, has now been renamed '512-14-LFN01'.

As far as time stamps are concerned, the file renamed from '512-14-LFN02' to '512-14-LFN01' was created on 29-05-2020 at 15:55:06, (in green). However, as you can see, when you rename it with the same file name as the one previously renamed to '512-14-LFN03', it acquires the creation date of that renamed file, at 15:54:55, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Rename the file 'A' as 'C'

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN01' was created in the system in the 'Test' folder, on 01-06-2020 at 10:32:25. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-15-LFN02', in the same folder, at 10:32:36. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file '512-15-LFN01' was renamed to '512-15-LFN03' and, after a wait of 15000 milliseconds, the file '512-15-LFN02' was renamed to '512-15-LFN01'.

As you can see from the above table extracts, the file '512-15-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-15-LFN02', which occupies the entry 94000 in the MFT, has now been renamed '512-15-LFN01'.

As far as time stamps are concerned, in both cases the original dates are shown for each of the two files, so, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a short name

- Rename the file 'A' as 'C'

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 30-05-2020 at 15:13:13. This file was assigned the entry number 93893 in the MFT. After waiting for 10 seconds, a second file with the short name '512-14~2', which is the equivalent of an 8.3 short name, was created in the same folder at 15:13:23. This second file was assigned the entry number 93996 in the MFT.

After waiting 300 seconds, the file '512-14-LFN01' was renamed to '512-14-LFN03' and, after a wait of 14000 milliseconds, the file '512-14~2' was renamed to '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-14~2', which occupies the entry 93996 in the MFT, has now been renamed '512-14-LFN01'.

Regarding time stamps, the file renamed from '512-14~2' to '512-14-LFN01' was created on 30-05-2020 at 15:13:23, (in green). However, as you can see, when you rename it with the same file name as the one renamed before to '512-14-LFN03', it acquires the creation date of that renamed file, at 15:13:13, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a short name

- Rename the file 'A' as 'C'

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN01' was created in the system in the 'Test' folder, on 02-06-2020 at 09:56:02. This file was assigned the entry number 93893 in the MFT. After waiting for 10 seconds, a second file with the short name '512-15~2', which is the equivalent of an 8.3 short name, was created in the same folder at 09:56:11. This second file was assigned the entry number 94001 in the MFT.

After waiting for 300 seconds, the file '512-15-LFN01' was renamed to '512-15-LFN03' and, after a wait of 15000 milliseconds, the file '512-15~2' was renamed to '512-15-LFN01'.

As you can see from the above table extracts, the file '512-15-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-15~2', which occupies the entry 94000 in the MFT, has now been renamed '512-15-LFN01'.

As far as time stamps are concerned, in both cases the original dates are shown for each of the two files, so with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a short name

- Create a 512-byte 'B' file with a short name

- Rename the file 'A' as 'C'

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the short name '512-14~1' was created in the system in the 'Test' folder, on 01-06-2020 at 05:35:48. This file was assigned the entry number 93893 in the MFT. After waiting for 10 seconds, a second file with the short name '512-14~2' was created in the same folder at 05:35:58. This second file was assigned the entry number 94000 in the MFT.

After waiting 300 seconds, the file '512-14~1' was renamed to '512-14~3' and, after a wait of 14000 milliseconds, the file '512-14~2' was renamed to '512-14~1'.

As you can see from the above table extracts, the file '512-14~1', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-14~2', which occupies the entry 94000 in the MFT, has now been renamed '512-14~1'.

As far as timestamps are concerned, the file renamed from '512-14~2' to '512-14~1' was created on 01-06-2020 at 05:35:58, (in green). However, as you can see, when you rename it with the same file name as the one renamed before to '512-14~3', it acquires the creation date of that renamed file, at 05:35:48, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a short name

- Create a 512-byte 'B' file with a short name

- Rename the file 'A' as 'C'

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the short name '512-15~1' was created in the system in the 'Test' folder, on 02-06-2020 at 10:27:39. This file was assigned the entry number 93893 in the MFT. After waiting for 10 seconds, a second file with the short name '512-15~2' was created in the same folder at 10:27:49.

After waiting for 300 seconds, the file '512-15~1' was renamed to '512-15~3' and, after a wait of 15000 milliseconds, the file '512-15~2' was renamed to '512-15~1'.

As you can see from the above table extracts, the file '512-15~1', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-15~2', which occupies the entry 94002 in the MFT, has now been renamed '512-15~1'.

As far as time stamps are concerned, in both cases the original dates are shown for each of the two files, so with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a long name

- Create a 4096-byte 'B' file with a long name

- Rename the file 'A' as 'C'

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 31-05-2020 at 14:29:32. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-14-LFN02', in the same folder, at 14:29:42. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file '512-14-LFN01' was renamed to '512-14-LFN03' and, after a wait of 14000 milliseconds, the file '512-14-LFN02' was renamed to '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-14-LFN02', which occupies the entry 94000 in the MFT, has now been renamed '512-14-LFN01'.

Regarding time stamps, the file renamed from '512-14-LFN02' to '512-14-LFN01' was created on 31-05-2020 at 14:29:42, (in green). However, as you can see, when you rename it with the same file name as the one previously renamed to '512-14-LFN03', it acquires the creation date of that renamed file, at 14:29:32, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a long name

- Create a 4096-byte 'B' file with a long name

- Rename the file 'A' as 'C'

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN01' was created in the system in the 'Test' folder, on 02-06-2020 at 10:05:54. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file with the long name '512-15-LFN02' was created in the same folder at 10:06:04. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file '512-15-LFN01' was renamed to '512-15-LFN03' and, after a wait of 15000 milliseconds, the file '512-15-LFN02' was renamed to '512-15-LFN01'.

As you can see from the above table extracts, the file '512-15-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-15-LFN02', which occupies the entry 94000 in the MFT, has now been renamed '512-15-LFN01'.

As far as time stamps are concerned, in both cases the original dates are shown for each of the two files, so, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 4096-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Rename the file 'A' as 'C'

- Set a timeout of 14000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 02-06-2020 at 11:21:07. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file with the long name '512-14-LFN02' was created in the same folder at 11:21:17. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file '512-14-LFN01' was renamed to '512-14-LFN03' and, after a wait of 14000 milliseconds, the file '512-14-LFN02' was renamed to '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-14-LFN02', which occupies the entry 94000 in the MFT, has now been renamed '512-14-LFN01'.

Regarding time stamps, the file renamed from '512-14-LFN02' to '512-14-LFN01' was created on 02-06-2020 at 11:21:17, (in green). However, as you can see, when you rename it with the same file name as the one previously renamed to '512-14-LFN03', it acquires the creation date of that renamed file, at 11:21:07, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 4096-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Rename the file 'A' as 'C'

- Set a timeout of 15000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN01' was created in the system in the 'Test' folder, on 02-06-2020 at 11:29:49. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-15-LFN02', in the same folder, at 11:29:59. This second file was assigned entry number 94000 in the MFT.

After waiting 300 seconds, the file '512-15-LFN01' was renamed to '512-15-LFN03' and, after a wait of 15000 milliseconds, the file '512-15-LFN02' was renamed to '512-15-LFN01'.

As you can see from the above table extracts, the file '512-15-LFN01', which occupies the entry number 93893 in the MFT, has been renamed and still occupies the same entry and, the file '512-15-LFN02', which occupies the entry 94000 in the MFT, has now been renamed '512-15-LFN01'.

As far as time stamps are concerned, in both cases the original dates are shown for each of the two files, so, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

CDC

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 29-05-2020 at 17:27:12. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512-14-LFN' was deleted and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-14-LFN'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT, has been deleted. Similarly, the file '512-14-LFN', which occupies the entry 93011 in the MFT, has been created.

As far as the timestamps are concerned, the last file created, which occupies the entry number 93011, was created on 29-05-2020 at 17:32:26. However, as you can see, when it is created with the same file name as the previously deleted one, it acquires the creation date of that deleted file, at 17:27:12, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN' was created in the system in the 'Test' folder, on 01-06-2020 at 15:51:03. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file named '512-15-LFN' was deleted and, after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-15-LFN'.

As you can see from the table extracts above, the file '512-15-LFN', which occupied the entry number 93893 in the MFT, has been deleted and is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', in the Active Disk Editor application, at 15:57:26. In the same way, the file '512-15-LFN' has been created, which occupies the entry 93751 in the MFT.

As far as time stamps are concerned, the original dates for the newly created file are shown, so with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 31-05-2020 at 05:27:08. This file was assigned the entry number 93893 in the MFT. 

After waiting for 300 seconds, the file with the name '512-14-LFN' was deleted and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-14~1'.

As you can see in the previous table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT, has been removed and is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 15:57:26. Similarly, the file '512-14~1' has been created, which occupies the entry 93751 in the MFT.

As far as time stamps are concerned, the original dates for the newly created file are shown, so with a timeout of 14000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a short name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder


In this test, as you can see in the previous animated image, a file with the short name '512-14~1' was created in the system in the 'Test' folder, on 01-06-2020 at 05:45:26. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512-14~1' was deleted and after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-14~1'.

As you can see from the table extracts above, the file '512-14~1', which occupied the entry number 93893 in the MFT, has been deleted and is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 05:51:30. Similarly, the file '512-14~1' has been created, which occupies the entry 93750 in the MFT.

As far as time stamps are concerned, the last file created, which occupies entry number 93750, was created on 01-06-2020 at 05:50:40. However, as you can see, when it is created with the same file name as the previously deleted one, it acquires the creation date of that deleted file, at 05:45:26, (in red), showing, in the other time stamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a short name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder


In this test, as you can see in the previous animated image, a file with the short name '512-15~1' was created in the system in the 'Test' folder, on 02-06-2020 at 16:00:10. This file was assigned the entry number 93893 in the MFT.

After waiting 300 seconds, the file with the name '512-15~1' was deleted, and after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-15~1'.

As you can see from the table extracts above, the file '512-15~1', which occupied the entry number 93893 in the MFT, has been deleted and is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', in the Active Disk Editor application, at 16:06:20. Similarly, the file '512-15~1' has been created, which occupies the entry 93011 in the MFT.

As far as time stamps are concerned, the original dates for the newly created file are shown, so with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 4096-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512_4096_14_Seconds' was created in the system in the 'Test' folder, on 31-05-2020 at 14:39:16. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512_4096_14_Seconds' was deleted and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512_4096_14_Seconds'.

As you can see from the table extracts above, the file '512_4096_14_Seconds', which occupied the entry number 93893 in the MFT, has been deleted. Similarly, the file '512_4096_14_Seconds' has been created, which occupies the entry 92614 in the MFT.

As far as time stamps are concerned, the last file created, which occupies entry number 92614, was created on 31-05-2020 at 14:44:30. However, as you can see, by creating it with the same file name as the previously deleted one, it acquires the creation date of that deleted file, at 14:39:16, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Re-create a 4096-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512_4096_15_Seconds' was created in the system in the 'Test' folder, on 02-06-2020 at 15:50:46. 

After waiting 300 seconds, the file with the name '512_4096_15_Seconds' was deleted and, after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the name '512_4096_15_Seconds'.

As you can see from the table extracts above, the file '512_4096_15_Seconds', which occupied the entry number 93893 in the MFT, has been removed and is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 15:57:04. Similarly, the file '512_4096_15_Seconds' has been created, which occupies the entry 93751 in the MFT.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 4096-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '4096_512_14_Seconds' was created in the system in the 'Test' folder, on 02-06-2020 at 16:08:23. This file was assigned entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '4096_512_14_Seconds' was deleted and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '4096_512_14_Seconds'.

As you can see from the table extracts above, the file '4096_512_14_Seconds', which occupied the entry number 93893 in the MFT, has been removed and is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 16:14:48. In the same way, the file '4096_512_14_Seconds' has been created, which occupies the entry 93750 in the MFT.

Regarding the timestamps, the last file created, which occupies the entry number 93750, was created on 02-06-2020 at 16:13:37. However, as you can see, when it is created with the same file name as the previously deleted one, it acquires the creation date of that deleted file, at 16:08:23, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 4096-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '4096_512_15_Seconds' was created in the system in the 'Test' folder, on 02-06-2020 at 16:16:20. This file was assigned entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '4096_512_15_Seconds' was deleted and, after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the name '4096_512_15_Seconds'.

As you can see from the table extracts above, the file '4096_512_15_Seconds', which occupied the entry number 93893 in the MFT, has been removed and is no longer available in the MFT, as that entry has been replaced by another one that now belongs to the file 'ht_settings.ini', from the Active Disk Editor application, at 16:22:32. In the same way, the file '4096_512_15_Seconds' has been created, which occupies the entry 93751 in the MFT.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

CMC

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 512-byte 'A' file with a long name

- Move file 'A' to another folder

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 30-05-2020 at 06:41:18. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file named '512-14-LFN' was moved to the 'Moved' folder and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-14-LFN'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '512-14-LFN', which occupies the entry 93011 in the MFT, has been created.

Regarding the time stamps, the last file created, which occupies the entry number 93011, was created on 30-05-2020 at 06:46:33. However, as you can see, when it is created with the same file name as the previously moved one, it acquires the creation date of that moved file, at 06:41:18, (in red), showing, in the other time stamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 512-byte 'A' file with a long name

- Move file 'A' to another folder

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN' was created in the system in the 'Test' folder, on 01-06-2020 at 10:53:41. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file named '512-15-LFN' was moved to the 'Moved' folder and, after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-15-LFN'.

As you can see from the above table extracts, the file '512-15-LFN', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '512-15-LFN', which occupies the entry 92614 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 512-byte 'A' file with a long name

- Move file 'A' to another folder

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder where it was originally created


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 31-05-2020 at 05:35:37. This file was assigned the entry number 93893 in the MFT. 

After waiting for 300 seconds, the file named '512-14-LFN' was moved to the 'Moved' folder and, after waiting for 14000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-14~1'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '512-14~1', which occupies the entry 93751 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 14000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 512-byte 'A' file with a short name

- Move file 'A' to another folder

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder where it was originally created


In this test, as you can see in the previous animated image, a file with the short name '512-14~1' was created in the system in the 'Test' folder, on 01-06-2020 at 05:53:16. This file was assigned the entry number 93893 in the MFT. 

After waiting for 300 seconds, the file named '512-14~1' was moved to the 'Moved' folder and, after waiting for 14000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-14~1'.

As you can see from the above table extracts, the file '512-14~1', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '512-14~1', which occupies the entry 93751 in the MFT, has been created.

Regarding the time stamps, the last file created, which occupies the entry number 93751, was created on 01-06-2020 at 05:58:30. However, as you can see, by creating it with the same file name as the previous one, it acquires the creation date of that moved file, at 05:53:16, (in red), showing, in the other time stamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 512-byte 'A' file with a short name

- Move file 'A' to another folder

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder where it was originally created


In this test, as you can see in the previous animated image, a file with the short name '512-15~1' was created in the system in the 'Test' folder, on 02-06-2020 at 16:52:09. This file was assigned the entry number 93893 in the MFT. 

After waiting for 300 seconds, the file named '512-15~1' was moved to the 'Moved' folder, and after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-15~1'.

As you can see from the above table extracts, the file '512-15~1', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '512-15~1', which occupies the entry 93750 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 512-byte 'A' file with a long name

- Move file 'A' to another folder

- Set a timeout of 14000 milliseconds

- Re-create a 4096 byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512_4096_14_Seconds' was created in the system in the 'Test' folder, on 31-05-2020 at 18:06:41. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512_4096_14_Seconds' was moved to the 'Moved' folder and, after a wait of 14000 milliseconds, another file, this time of 4096 bytes, was created again, in the same folder, with the long name '512_4096_14_Seconds'.

As you can see from the table extracts above, the file '512_4096_14_Seconds', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '512_4096_14_Seconds', which occupies entry 93750 in the MFT, has been created.

Regarding the time stamps, the last file created, which occupies the entry number 93750, was created on 31-05-2020 at 18:11:55. However, as you can see, when it is created with the same file name as the previously moved one, it acquires the creation date of that moved file, at 18:06:41, (in red), showing, in the other time stamps, the original date of creation of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 512-byte 'A' file with a long name

- Move file 'A' to another folder

- Set a timeout of 15000 milliseconds

- Re-create a 4096 byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512_4096_15_Seconds' was created in the system in the 'Test' folder, on 02-06-2020 at 16:43:24. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512_4096_15_Seconds' was moved to the 'Moved' folder and, after a wait of 15000 milliseconds, another file, this time of 4096 bytes, was created again, in the same folder, with the long name '512_4096_15_Seconds'.

As you can see from the table extracts above, the file '512_4096_15_Seconds', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '512_4096_15_Seconds', which occupies the entry 93751 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 4096 byte 'A' file with a long name

- Move file 'A' to another folder

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '4096_512_14_Seconds' was created in the system in the 'Test' folder, on 02-06-2020 at 17:00:12. This file was assigned entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '4096_512_14_Seconds' was moved to the 'Moved' folder and, after a wait of 14000 milliseconds, another file, this time of 512 bytes, was created again, in the same folder, with the long name '4096_512_14_Seconds'.

As you can see from the table extracts above, the file '4096_512_14_Seconds', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '4096_512_14_Seconds', which occupies the entry 93751 in the MFT, has been created.

Regarding the time stamps, the last file created, which occupies the entry number 93751, was created on 02-06-2020 at 17:05:26. However, as you can see, when it is created with the same file name as the previously moved one, it acquires the creation date of that moved file, at 17:00:12, (in red), showing, in the other time stamps, the original date of creation of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; move the 'A' file to another folder; and recreate an 'A' file, in the same original folder

- Create a 4096 byte 'A' file with a long name

- Move file 'A' to another folder

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '4096_512_15_Seconds' was created in the system in the 'Test' folder, on 02-06-2020 at 17:09:15. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '4096_512_15_Seconds' was moved to the 'Moved' folder and, after a wait of 15000 milliseconds, another file, this time of 512 bytes, was created again, in the same folder, with the long name '4096_512_15_Seconds'.

As you can see from the table extracts above, the file '4096_512_15_Seconds', which occupied the entry number 93893 in the MFT, has been moved. Similarly, the file '4096_512_15_Seconds', which occupies entry 93750 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

CRC

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 512-byte 'A' file with a long name

- Rename the file 'A'

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 30-05-2020 at 11:15:16. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '512-14-LFN' was renamed and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-14-LFN'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT, has been renamed to 'New_512-14-LFN'. Similarly, the file '512-14-LFN', which occupies the entry 92614 in the MFT, has been created.

Regarding the time stamps, the last file created, which occupies the entry number 92614, was created on 30-05-2020 at 11:20:30. However, as you can see, when you create it with the same file name that you renamed before, it acquires the creation date of that renamed file, at 11:15:16, (in red), showing, in the other time stamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 512-byte 'A' file with a long name

- Rename the file 'A'

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN' was created in the system in the 'Test' folder, on 01-06-2020 at 11:03:37. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '512-15-LFN' was renamed and, after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-15-LFN'.

As you can see from the above table extracts, the file '512-15-LFN', which occupied the entry number 93893 in the MFT, has been renamed to 'New_512-15-LFN'. Similarly, the file '512-15-LFN', which occupies the entry 92614 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 512-byte 'A' file with a long name

- Rename the file 'A'

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder where it was originally created


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 31-05-2020 at 05:44:22. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '512-14-LFN' was renamed and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-14~1'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT, has been renamed to 'New_512-14-LFN'. Similarly, the file '512-14~1', which occupies the entry 93750 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so with a timeout of 14000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 512-byte 'A' file with a short name

- Rename the file 'A'

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder where it was originally created


In this test, as you can see in the previous animated image, a file with the short name '512-14~1' was created in the system in the 'Test' folder, on 01-06-2020 at 06:02:39. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '512-14~1' was renamed and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-14~1'.

As you can see from the above table extracts, the file '512-14~1', which occupied the entry number 93893 in the MFT, has been renamed to 'N51214LFN'. Similarly, the file '512-14~1', which occupies the entry 92614 in the MFT, has been created.

As far as the timestamps are concerned, the last file created, which occupies the entry number 92614, was created on 01-06-2020 at 06:07:53. However, as you can see, when it is created with the same file name as the previously renamed one, it acquires the creation date of that renamed file, at 06:02:39, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 512-byte 'A' file with a short name

- Rename the file 'A'

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder where it was originally created


In this test, as you can see in the animation above, a file with the short name '512-15~1' was created in the system in the 'Test' folder, on 04-06-2020 at 11:33:33. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '512-15~1' was renamed and, after a wait of 15000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-15~1'.

As you can see from the above table extracts, the file '512-15~1', which occupied the entry number 93893 in the MFT, has been renamed to 'N51215LFN'. Similarly, the file '512-15~1', which occupies the entry 93750 in the MFT, has been created.

As far as time stamps are concerned, the original dates for the newly created file are shown, so with a timeout of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 512-byte 'A' file with a long name

- Rename the file 'A'

- Set a timeout of 14000 milliseconds

- Re-create a 4096 byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512_4096_14_Seconds' was created in the system in the 'Test' folder, on 31-05-2020 at 14:58:26. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '512_4096_14_Seconds' was renamed and, after a wait of 14000 milliseconds, another file, this time of 4096 bytes, was created again, in the same folder, with the name '512_4096_14_Seconds'.

As you can see from the above table extracts, the file '512_4096_14_Seconds', which occupied the entry number 93893 in the MFT, has been renamed to 'New_512_4096_14_Seconds'. Similarly, the file '512_4096_14_Seconds' has been created, which occupies the entry 92614 in the MFT.

As far as time stamps are concerned, the last file created, which occupies entry number 92614, was created on 31-05-2020 at 15:03:40. However, as you can see, when you create it with the same file name that was renamed before, it acquires the creation date of that renamed file, at 14:58:26, (in red), showing, in the other time stamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 512-byte 'A' file with a long name

- Rename the file 'A'

- Set a timeout of 15000 milliseconds

- Re-create a 4096 byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '512_4096_15_Seconds' was created in the system in the 'Test' folder, on 04-06-2020 at 10:25:28. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '512_4096_15_Seconds' was renamed and, after a wait of 15000 milliseconds, another file, this time of 4096 bytes, was created again, in the same folder, with the name '512_4096_15_Seconds'.

As you can see from the above table extracts, the file '512_4096_15_Seconds', which occupied the entry number 93893 in the MFT, has been renamed to 'New_512_4096_15_Seconds'. Likewise, the file '512_4096_15_Seconds' has been created, which occupies the entry 92614 in the MFT.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 4096 byte 'A' file with a long name

- Rename the file 'A'

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '4096_512_14_Seconds' was created in the system in the 'Test' folder, on 04-06-2020 at 17:39:51. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file '4096_512_14_Seconds' was renamed and, after a wait of 14000 milliseconds, another file, this time of 512 bytes, was created again, in the same folder, with the name '4096_512_14_Seconds'.

As you can see from the table extracts above, the file '4096_512_14_Seconds', which occupied the entry number 93893 in the MFT, has been renamed to 'New_4096_512_14_Seconds'. Similarly, the file '4096_512_14_Seconds' has been created, which occupies entry 93750 in the MFT.

As far as time stamps are concerned, the last file created, which occupies entry number 93750, was created on 04-06-2020 at 17:45:05. However, as you can see, when you create it with the same file name as the one previously renamed, it acquires the creation date of that renamed file, at 17:39:51, (in red), showing, in the other time stamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; rename the 'A' file; and create an 'A' file again, in the same original folder

- Create a 4096 byte 'A' file with a long name

- Rename the file 'A'

- Set a timeout of 15000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same original creation folder


In this test, as you can see in the previous animated image, a file with the long name '4096_512_15_Seconds' was created in the system in the 'Test' folder, on 03-06-2020 at 07:50:58. This file was assigned entry number 93893 in the MFT. 

After waiting 300 seconds, the file '4096_512_15_Seconds' was renamed and, after a wait of 15000 milliseconds, another file, this time of 512 bytes, was created again, in the same folder, with the name '4096_512_15_Seconds'.

As you can see from the above table extracts, the file '4096_512_15_Seconds', which occupied the entry number 93893 in the MFT, has been renamed to 'New_4096_512_15_Seconds'. Similarly, the file '4096_512_15_Seconds' has been created, which occupies entry 93750 in the MFT.

As far as time stamps are concerned, the original dates for the newly created file are shown, so, with a waiting time of 15000 milliseconds, no tunnel effect has been generated.

 

Disabling File System Tunneling

As I said at the beginning of the article, you can disable file system tunneling. To do this, add the value “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\MaximumTunnelEntries” in the Windows Registry (a DWORD value named MaximumTunnelEntries under the FileSystem key), set it to '0', and reboot the system so that the new configuration applies.

Once this configuration is applied, if we now execute any of the actions seen before, the result is that a tunnel effect is not generated in any case.

As an example, I'll show a single test, with a timeout of 10,000 milliseconds, instead of the 14,000 seen so far.

 

CCRR

Create a file 'A' in a folder; create a file 'B', in the same folder; rename file 'A' as 'C'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Rename the file 'A' as 'C'

- Set a timeout of 10,000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-15-LFN01' was created in the system in the 'Test' folder, on 06-06-2020 at 15:28:08. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-15-LFN02', in the same folder, at 15:28:18. This second file was assigned entry number 94050 in the MFT.

After waiting 300 seconds, the file '512-15-LFN01' was renamed to '512-15-LFN03' and, after a wait of 10,000 milliseconds, the file '512-15-LFN02' was renamed to '512-15-LFN01'.

As you can see from the above table extracts, the file '512-15-LFN01', which occupies the entry number 93893 in the MFT, has been renamed to '512-15-LFN03' and still occupies the same entry, and the file '512-15-LFN02', which occupies the entry 94050 in the MFT, has now been renamed '512-15-LFN01'.

As far as time stamps are concerned, in both cases the original dates are shown for each of the two files, so, with a waiting time of 10,000 milliseconds, no tunnel effect has been generated.

 

Overwriting files, with file system tunneling disabled

While testing with file system tunneling disabled, I came across another test that I had not planned, since I did not have it in mind. It consists of overwriting a file with another file of the same name. So, what I did was to execute a first tunneling test and, once it finished, to execute the same test again so that the generated file was overwritten, in order to observe its behaviour.

 

CDCC

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder

- Re-create a 512-byte 'A' file with a long name in the same folder, overwriting the previous one


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 06-06-2020 at 15:03:08. This file was assigned entry number 4203 in the MFT. 

After waiting 300 seconds, the file with the name '512-14-LFN' was deleted and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-14-LFN'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 4203 in the MFT when the file was first created, still occupies the same entry, with the same file name.

Regarding the time stamps, the deleted file '512-14-LFN' was created on 06-06-2020 at 15:03:08, and the file created again with the same name '512-14-LFN', after a waiting time of 14000 milliseconds, on 06-06-2020 at 15:08:18, correctly shows its own creation time stamp. This indicates that, in this case, with a timeout of 14000 milliseconds, no tunnel effect has been generated.

I then created another file with the same name, '512-14-LFN', to overwrite the existing one.

As you can see in the extracts of the previous tables, the file '512-14-LFN' that was generated to overwrite the previous file shows as its creation date the day 06-06-2020 at 15:08:18, (in red), whereas its correct creation date is the day 06-06-2020 at 15:11:26.

 

Setting a specific time in the file system tunneling

As I also said at the beginning of the article, just as you can disable file system tunneling, you can set a certain time in seconds within which the tunneling effect is generated. To do this, add the value “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\MaximumTunnelEntryAgeInSeconds” in the Windows Registry (a DWORD value named MaximumTunnelEntryAgeInSeconds under the FileSystem key), set it to the desired number of seconds, and reboot the system so that the new configuration is applied.

 

Once this configuration is applied, if we now execute any of the actions seen before, the result is that a tunnel effect is generated within the established time value.

As an example, I'll show a single test below, with a timeout of 50,000 milliseconds, instead of the 14,000 seen so far.

 

CCDR

Create a file 'A' in a folder; create a file 'B', in the same folder; delete file 'A'; and rename file 'B' as 'A'

- Create a 512-byte 'A' file with a long name

- Create a 512-byte 'B' file with a long name

- Delete the 'A' file

- Set a timeout of 50,000 milliseconds

- Rename file 'B' to 'A'


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN01' was created in the system in the 'Test' folder, on 08-06-2020 at 08:25:39. This file was assigned the entry number 93893 in the MFT. After waiting 10 seconds, a second file was created with the long name '512-14-LFN02', in the same folder, at 08:25:48. This second file was assigned entry number 94051 in the MFT.

After waiting 300 seconds, the file with the name '512-14-LFN01' was deleted and, after a wait of 50000 milliseconds, the file '512-14-LFN02' was renamed to '512-14-LFN01'.

As you can see from the above table extracts, the file '512-14-LFN01', which originally occupied the entry number 93893, is no longer available in the MFT, as that entry has been reused by another record that now belongs to the file 'StartupProfileData-NonInteractive', created by PowerShell, at 08:31:45. On the other hand, the file '512-14-LFN02', which occupies the entry 94051 in the MFT, has now been renamed '512-14-LFN01'.

Regarding timestamps, the renamed file was created on 08-06-2020 at 08:25:48, (in green). However, as you can see, by renaming it with the same file name as the deleted one, it acquires the creation date of that deleted file, at 08:25:39, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 50000 milliseconds, a tunnel effect has been generated.

 

Disabling the creation of short file names, (8.3)

It was said at the beginning of this article that “The idea, (of file system tunneling) is to imitate the behavior that MS-DOS programs expect when they use the secure storage method.”

MS-DOS works with short file names, (8.3). Thus, another way to disable file system tunneling is to disable the creation of short file names on the system. To do this, the value “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation” in the Windows Registry must be set to '1', and the system restarted so that the new setting applies.

 

Once this configuration is applied, if we now execute any of the actions seen before, the result is that a tunnel effect is not generated in any case.

As an example, I'll show two tests below, with long file names and short file names, and a timeout of 14000 milliseconds.

 

CDC

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 18-06-2020 at 09:55:54. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512-14-LFN' was deleted and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-14-LFN'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT when the file was first created, still occupies the same entry, with the same file name.

Regarding the time stamps, the deleted file '512-14-LFN' was created on 18-06-2020 at 09:55:54, and the file created again with the same name '512-14-LFN', after a waiting time of 14000 milliseconds, on 18-06-2020 at 10:01:05, correctly shows its own creation time stamp. This indicates that, in this case, with a waiting time of 14000 milliseconds, no tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a short name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a short name in the same folder


In this test, as you can see in the previous animated image, a file with the short name '512-15~1' was created in the system in the 'Test' folder, on 18-06-2020 at 10:16:00. This file was assigned the entry number 92610 in the MFT. 

After waiting 300 seconds, the file with the name '512-15~1' was deleted, and after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the short name '512-15~1'.

As you can see from the above table extracts, the file '512-15~1', which occupied the entry number 92610 in the MFT when the file was first created, still occupies the same entry, with the same file name.

Regarding the time stamps, the deleted file '512-15~1' was created on 18-06-2020 at 10:16:00, and the file created again with the same name '512-15~1', after a waiting time of 14000 milliseconds, on 18-06-2020 at 10:21:14, correctly shows its own creation time stamp. This indicates that, in this case, with a timeout of 14000 milliseconds, no tunnel effect has been generated.

 

Disabling last access update

If you're one of those people who questions everything, (I do), you might be wondering whether the tunnel effect still occurs if the update of the last access time stamp of files is disabled. Let's look at it.

To do this, set the value “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate” in the Windows Registry to '1' and reboot the system so that the new configuration is applied.
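Before interpreting creation time stamps on a system, it is worth knowing which of the four settings discussed in these sections it actually has. The following PowerShell is an added example, not a script from the article: it reads MaximumTunnelEntries, MaximumTunnelEntryAgeInSeconds, NtfsDisable8dot3NameCreation and NtfsDisableLastAccessUpdate from the FileSystem key and reports the resulting tunneling window, read-only. The function name, the substitution of the documented defaults (256 entries, 15 seconds) for absent values, and the treatment of NtfsDisable8dot3NameCreation = 1 as disabling tunneling (which follows the article's own test in the previous section) are this example's assumptions.

```powershell
# Added example, not from the article: audit the registry values that govern
# NTFS file system tunneling and report whether, and for how long, a
# re-created file can inherit the creation time of a deleted/renamed/moved one.
# Read-only; requires permission to read HKLM (any interactive user has it).
function Get-TunnelingConfig {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $props = Get-ItemProperty -Path $key

    # Documented defaults (assumption of this example) apply when the value is absent.
    $entries = if ($null -ne $props.MaximumTunnelEntries)           { [int]$props.MaximumTunnelEntries }           else { 256 }
    $age     = if ($null -ne $props.MaximumTunnelEntryAgeInSeconds) { [int]$props.MaximumTunnelEntryAgeInSeconds } else { 15 }
    $no83    = $props.NtfsDisable8dot3NameCreation   # $null when not set
    $noLA    = $props.NtfsDisableLastAccessUpdate    # $null when not set

    # Tunneling is off when the cache holds no entries, or when 8.3 name
    # creation is disabled system-wide (value 1), as the article's test showed.
    # NtfsDisableLastAccessUpdate does not affect tunneling; it is reported
    # only so that the analyst sees the full time stamp configuration.
    $disabled = ($entries -eq 0) -or ($no83 -eq 1)

    [pscustomobject]@{
        MaximumTunnelEntries           = $entries
        MaximumTunnelEntryAgeInSeconds = $age
        NtfsDisable8dot3NameCreation   = if ($null -eq $no83) { 'not set' } else { [int]$no83 }
        NtfsDisableLastAccessUpdate    = if ($null -eq $noLA) { 'not set' } else { [int]$noLA }
        TunnelingActive                = -not $disabled
        TunnelWindowSeconds            = if ($disabled) { 0 } else { $age }
    }
}

# Usage: Get-TunnelingConfig | Format-List
```

TunnelWindowSeconds is the figure to keep in mind when reading a creation time stamp from a disk image: any file created within that many seconds of a same-named delete, rename or move in the same folder may carry the older file's creation time. Changing the values themselves is done with Set-ItemProperty on the same key, followed by the reboot the article describes.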

Once this configuration is applied, if we now execute any of the actions seen before, the result is that the tunnel effect continues to be generated in the same way.

As an example, I'll show a single test below, with a timeout of 14000 milliseconds.

 

CDC

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 14000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512-14-LFN' was created in the system in the 'Test' folder, on 18-06-2020 at 10:40:27. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512-14-LFN' was deleted and, after a wait of 14000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-14-LFN'.

As you can see from the above table extracts, the file '512-14-LFN', which occupied the entry number 93893 in the MFT, has been deleted. Similarly, the file '512-14-LFN', which occupies the entry 90569 in the MFT, has been created.

Regarding the timestamps, the last file created, which occupies the entry number 90569, was created on 18-06-2020 at 10:45:41. However, as you can see, when created with the same file name as the previously deleted, it acquires the creation date of that deleted file, at 10:40:27, (in red), presenting, in the other timestamps, the original date of creation of the file. This indicates that, in this case, with a waiting time of 14000 milliseconds, a tunnel effect has been generated.

 

Determining a maximum tunneling value

Is there a maximum value for file system tunneling and can it be calculated? It can, yes. As with everything, it's a matter of time, and will.

To do this, I have modified the value of the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\MaximumTunnelEntryAgeInSeconds”, in the Windows Registry, setting this value to '86400', (which is equivalent to one day converted to seconds), and rebooting the system so that the new configuration is applied.

With this configuration, I carried out the tests again, varying the waiting time in seconds and, in this way, I was able to determine that, in my case, in my tests, with a waiting time of 71 seconds a tunnel effect is generated, while, with a waiting time of 72 seconds, it is not generated. Thus, according to my results, the maximum tunneling time is 71 seconds.
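The following PowerShell script is an added example, not the author's own test tooling: it reads the two 'FileSystem' registry values discussed above, then runs one create/delete/wait/recreate cycle and reports whether the recreated file inherited the deleted file's creation time. The test folder, file name and wait are assumptions passed as parameters; when 'MaximumTunnelEntryAgeInSeconds' is absent the value prints empty and Windows uses its built-in default.

```powershell
# Added example (not the article's own code): reproduce the create/delete/wait/recreate
# test and check for a tunnelled creation timestamp. $TestDir, $Name and $WaitMs are
# assumed values; change them to match the test you want to reproduce.
param(
    [string]$TestDir = 'C:\Test',
    [string]$Name    = '512-14-LFN',
    [int]$WaitMs     = 14000
)

$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
# Both values are optional; an empty value means the default applies.
$props = Get-ItemProperty -Path $fsKey
"MaximumTunnelEntryAgeInSeconds : $($props.MaximumTunnelEntryAgeInSeconds)"
"NtfsDisableLastAccessUpdate    : $($props.NtfsDisableLastAccessUpdate)"

New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$path  = Join-Path $TestDir $Name
$bytes = New-Object byte[] 512      # a 512-byte file, as in the tests

# Step 1: create the file and record its creation time.
[System.IO.File]::WriteAllBytes($path, $bytes)
$first = (Get-Item -LiteralPath $path).CreationTimeUtc
"First creation time : $($first.ToString('o'))"

# Step 2: delete it.
Remove-Item -LiteralPath $path -Force

# Step 3: wait the configured number of milliseconds.
Start-Sleep -Milliseconds $WaitMs

# Step 4: recreate a file with the same name in the same folder.
$clock = [DateTime]::UtcNow
[System.IO.File]::WriteAllBytes($path, $bytes)
$second = (Get-Item -LiteralPath $path).CreationTimeUtc
"Second creation time: $($second.ToString('o'))  (wall clock: $($clock.ToString('o')))"

# A tunnelled entry restores the old creation time exactly, so equality is the test.
if ($second -eq $first) {
    "TUNNELED: after $WaitMs ms the new file kept the deleted file's creation time"
} else {
    "NOT tunneled: after $WaitMs ms the creation time reflects the recreation"
}
```

Run it with different values of -WaitMs, as the article does, to bracket the maximum tunnelling age on your own system.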

I will now present both tests.

 

CDC

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 71000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512-71-LFN' was created in the system in the 'Test' folder, on 11-06-2020 at 08:41:57. This file was assigned the entry number 93893 in the MFT. 

After waiting 300 seconds, the file with the name '512-71-LFN' was deleted and, after a wait of 71000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-71-LFN'.

As you can see from the above table extracts, the file '512-71-LFN', which occupied the entry number 93893 in the MFT, has been deleted. Similarly, the file '512-71-LFN', which occupies the entry 86001 in the MFT, has been created.

Regarding the time stamps, the last file created, which occupies the entry number 86001, was created on 11-06-2020 at 08:48:14. However, as you can see, by creating it with the same file name as the previously deleted one, it acquires the creation date of that deleted file, at 08:41:57, (in red), showing, in the other timestamps, the original creation date of the file. This indicates that, in this case, with a waiting time of 71000 milliseconds, a tunnel effect has been generated.

 

Create an 'A' file in a folder; delete the 'A' file; and recreate an 'A' file in the same folder

- Create a 512-byte 'A' file with a long name

- Delete the 'A' file

- Set a timeout of 72000 milliseconds

- Re-create a 512-byte 'A' file with a long name in the same folder


In this test, as you can see in the previous animated image, a file with the long name '512-72-LFN' was created in the system in the 'Test' folder, on 11-06-2020 at 08:50:27. This file was assigned the entry number 90575 in the MFT. 

After waiting 300 seconds, the file with the name '512-72-LFN' was deleted and, after a wait of 72000 milliseconds, another file of the same size was created again, in the same folder, with the name '512-72-LFN'.

As you can see from the above table extracts, the file '512-72-LFN', which occupied the entry number 90575 in the MFT when the file was first created, still occupies the same entry, with the same file name.

Regarding the time stamps, the deleted file '512-72-LFN' was created on 11-06-2020 at 08:50:27; the file created again with the same name '512-72-LFN', after a waiting time of 72000 milliseconds, on 11-06-2020 at 08:56:37, correctly presents its own creation time stamp. This indicates that, in this case, with a waiting time of 72000 milliseconds, no tunnel effect has been generated.

 

How do we explain that a tunnel effect has been created?

Where should we go when we find discrepancies in the time marks? Where can we explain that a tunnel effect has occurred? The answer can be found in the '$LogFile'. The '$LogFile' is the NTFS transaction log: it records the changes made to the metadata, the attributes, of a file, and therefore the changes that affect an NTFS volume. Since everything in an NTFS file system is a file, including directories and the system metadata files, any action taken in the system leaves a record in this log.

As you can see in the table above, we have, on the one hand, that a file was created with the name '4096_512_14_Seconds' on 02-06-2020 at 16:08:23, (in green). The file was created in the folder assigned to the entry 92342 in the MFT, which corresponds to the folder named 'Test'. The file was assigned the entry 93893 in the MFT. On 02-06-2020 at 16:13:23 the file '4096_512_14_Seconds', (in red), which had the entry 93893 assigned in the MFT and which was located in the folder 'Test', whose entry number in the MFT is 92342, was deleted. Again, a file was created with the name '4096_512_14_Seconds', on 02-06-2020 at 16:13:37, (in green), which was assigned the entry 93750 in the MFT. This last file was created in the same 'Test' folder, whose entry in the MFT is number 92342.

On the other hand, we have that the MFT entry with number 93893, which was previously occupied by the file '4096_512_14_Seconds', was reassigned to the file 'he_settings.ini', on 02-06-2020 at 16:14:48, hosted in a different folder.

 

Conclusions

Some people believe that file system tunneling does not have a strong impact on forensic analysis. I believe it does. Why do I believe this? Because, if we are unable to explain an event, how will we be able to find the answers to the questions we are asking? If we are not able to explain how and why tunnel effects are generated, how can we find the truth in our investigations?

There are already times when understanding a timeline is very difficult. This particularity adds one more handicap, because we have to be able to link one event with another in order to provide context for a given action.

I propose the following example: You are performing a forensic analysis of a system where a user had certain content in a file. This user states that someone wanted to frame him by changing the content of the file in question, (put here content of an illicit nature). In the analysis of the MFT you find only one reference to that file, which has the same creation date in the 'SI' ($STANDARD_INFORMATION) and 'FN' ($FILE_NAME) attributes, although there are discrepancies in the other dates. If you do not know this peculiarity of Windows systems, you will not be able to explain what happened. If you cannot explain what happened, you cannot find the truth. And, if you cannot find the truth, the user will be affected by the final result of the analysis.

But come on, that's just a curious opinion in this field of DFIR.

 

That's all,

Marcos
