13Cubed

Digital Forensics. Hacking. Home Labs.

Detecting PsExec Usage

Let's Talk About MUICache

What's on My DFIR Box?

Comments

  • @DerSolinski
    @DerSolinski · 1 day ago

    Thanks, this solved a mystery for me... IMO this creates more problems than it solves. Especially in conjunction with file synchronization.

  • @gerowen
    @gerowen · 2 days ago

    I don't get what legitimate purpose this could serve in modern operating systems. I mean, if you accidentally delete a file, then restore it from the recycle bin within the time limit, since it was never deleted from the drive, wouldn't the original creation date still be attached to the file? And if I fully delete a file and put a new one by the same name in that same folder, I would want my system to treat it like a new file, because it is.

  • @13Cubed
    @13Cubed · 1 day ago

    This is used for "safe save" and similar behavior, where the end user is not going to be expecting a new file even though one is created behind the scenes to facilitate the operation.

  • @JohnWilliams-gy5yc
    @JohnWilliams-gy5yc · 2 days ago

    Man, I've never seen the "COPY CON" idiom since the last millennium and the PowerShell. Is the new ReFS also affected by this thing?

  • @13Cubed
    @13Cubed · 1 day ago

    Good question on ReFS. I haven't seen any documentation about File System Tunneling and that file system, nor have I tested it.

  • @ssnkhan
    @ssnkhan · 2 days ago

    Is Kansa abandonware? It was featured heavily in SANS FOR508, but it seems the project hasn’t seen any updates in two years.

  • @13Cubed
    @13Cubed · 1 day ago

    It seems that way, sadly. But, at least the framework can be easily adapted as you need and can still prove to be quite useful.

  • @davidioanhedges
    @davidioanhedges · 2 days ago

    No other OS/filesystem does this. Microsoft working around bad programming, then having to support that forever, no matter how garbage it is.

  • @travisleabeck2572
    @travisleabeck2572 · 2 days ago

    I had to change the creation date of a project I had to turn in 5 days late last semester, because I got locked out of my college account and the teacher said she would check the metadata. For some reason the date modified and creation date were set to the latest time of modification, which had been that morning. Thankfully she had told me that she would check this, which allowed me to find a way to edit the metadata. Instead of docking me 10 points per day, she only docked me 25 total.

  • @IanPrest
    @IanPrest · 3 days ago

    You can just set whatever timestamp you want using the `SetFileTime` API, so I don't know why a threat actor would jump through hoops like this to manipulate the timestamp. Similarly, if I was doing any forensics, I wouldn't rely on the timestamps for anything.

  • @TheRealStevenPolley
    @TheRealStevenPolley · 3 days ago

    I'm sorry, but this is disgusting to me. It feels like this problem is being solved at the wrong layer.

  • @sennheiser1986
    @sennheiser1986 · 3 days ago

    There are enough tools to change file timestamps... so this "trick" is kinda useless.

  • @13Cubed
    @13Cubed · 3 days ago

    Excellent! I'll be sure and let the threat actors know.

  • @overand
    @overand · 3 days ago

    Raymond Chen is the best! (OR, if he happens to read this: "THE Raymond Chen?")

  • @SusanAmberBruce
    @SusanAmberBruce · 3 days ago

    Fascinating

  • @SpiritmanProductions
    @SpiritmanProductions · 3 days ago

    With the name 'tunnelling', I thought this was going to involve some quantum effect lol

  • @hansmaulwurf9051
    @hansmaulwurf9051 · 4 days ago

    Levels, levels.

  • @derDooFi
    @derDooFi · 4 days ago

    Oh yeah, I did indeed know about this, because a couple of years ago I tried to set up a caching mechanism where a fresh file would be generated if the stale one's create date was too old. Turns out the modify date is more trustworthy…

  • @natbarmore
    @natbarmore · 4 days ago

    Ugh. Yet another way that I can’t trust MS is providing/preserving accurate data and metadata.

  • @BobFrTube
    @BobFrTube · 4 days ago

    Too clever by a half. There is a danger in wiring a single use case and getting perverse results. In the Internet we got buffer bloat because some old line network operators did us a "favor" by buffering and thus breaking TCP. The name swapping technique is good practice, and the programmers who care can also copy the creation date, so why does the file system need to do favors rather than encourage better practice in applications?

  • @der.Schtefan
    @der.Schtefan · 4 days ago

    I think this is a leftover from DOS compatibility with long file names. Hence also why the name is misleading. It is part of a larger feature set regarding LFN interactions, when a DOS box would safe save, or manipulate a ~1 file. Microsoft tunnels the LFN VFAT file system to the 16-bit DOS 8.3 file system, and this is just one leftover part of it.

  • @RaceBanner_
    @RaceBanner_ · 5 days ago

    This is not to be confused with Windows Settings Tunneling which allows settings code as far back as Windows95 to still show up even today. Bill Gates travels in these tunnels at night.

  • @jsrodman
    @jsrodman · 5 days ago

    No, is the answer to the question. If an application uses the create, write, rename swizzle, it is a new file, and only a weirdo would expect a creation time in the past. What an insane feature to solve a nonproblem.

  • @jsrodman
    @jsrodman · 5 days ago

    If an app wants to swizzle and imply it is just writing, there are totally reasonable system calls to copy the metadata over.

  • @JohnDlugosz
    @JohnDlugosz · 5 days ago

    2048 in hex is a rather odd value to type. In decimal of course that's a power of two. In hex I would expect a round number like 800.

  • @micmacha
    @micmacha · 5 days ago

    Or maybe we could just, I don't know, *stop using a 31-year-old flawed file system like NTFS already*. Just a thought. Throwing that out there.

  • @13Cubed
    @13Cubed · 5 days ago

    NTFS is actually an incredibly advanced journaling file system, even compared to modern alternatives. A lot of this "legacy debt" is in place for backwards compatibility.

  • @marcinz17
    @marcinz17 · 5 days ago

    Amazing courses! Are there any plans for linux forensics?

  • @13Cubed
    @13Cubed · 5 days ago

    Yes! Investigating Linux Devices is open for waitlisting now. Should be released in the next 30 days.

  • @dlbiggins
    @dlbiggins · 5 days ago

    I do remember that writing security software back in the mid '90s, this "feature" caused us a certain amount of hassle. As someone else noted, it was necessary in maintaining the consistency of long filenames. At the time, given the way that MS handled the mix of 8.3 and LFN, putting that on the application would likely have been a disaster of incompatible application approaches. I guess you had to be there. It was a different time.

  • @chamaleon1304
    @chamaleon1304 · 5 days ago

    Something changed with Win11? Thumbcacheviewer opens the db files under Win10 Pro 19042, but under Win 11 Pro 22631 it tells me "The file is not a thumbs database." But when I copy the thumbcache.db from Win11 to Win10, I can open it. Do you know why?

  • @TheRealEtaoinShrdlu
    @TheRealEtaoinShrdlu · 5 days ago

    Omg, this is pretty scary.

  • @joetheprogrammer0
    @joetheprogrammer0 · 6 days ago

    When I read the title, I first thought it was some kind of equivalent to Unix domain sockets. Not sure how the name tunneling related to this metadata manipulation.

  • @13Cubed
    @13Cubed · 5 days ago

    Yep, it was an odd naming choice, but that's what it's called.

  • @satibel
    @satibel · 6 days ago

    TBH, for the case of a virus you can just set the creation time (and accessed/modified), so IMO not an issue. The only place where it might be remotely relevant is if you have a limited RCE exploit (e.g. limited to file creation), and you need user interaction, and the file creation timestamp changing is something relevant, but that's a scenario that basically only exists in pixie land. In the vast majority of cases where the timestamp is relevant, you will have access to changing the timestamp.

  • @KTSpeedruns
    @KTSpeedruns · 6 days ago

    The registry baffles me. Nobody creating something as big as an OS today would dare have so much of the vital settings all collected in a single file with settings way too cryptic to understand. Windows is always one corrupted file away from simply not functioning properly.

  • @rufiorogue
    @rufiorogue · 6 days ago

    SQLite stores the whole DB in a single file, should have told them prob

  • @xTerminatorAndy
    @xTerminatorAndy · 4 days ago

    @rufiorogue But what OS uses SQLite for all of its settings?

  • @alexparker7791
    @alexparker7791 · 6 days ago

    I want to save files in-place, atomically, and transactionally, but don't have any APIs for that. So "tunnelling" it is, I guess.

  • @SirKenchalot
    @SirKenchalot · 6 days ago

    This whole feature seems like a bit of a hack; why doesn't Windows just offer safe saving as a feature so it could do all this under the hood without exposing this potential weakness or possibility for misleading data?

  • @nopes5387
    @nopes5387 · 6 days ago

    This has potential to help restore corruption and file problems that you were trying to get rid of in the first place

  • @servermadum7297
    @servermadum7297 · 7 days ago

    Thanks for the video <3

  • @NestorCustodio
    @NestorCustodio · 8 days ago

    Every single sentence where you explained what "file system tunneling" *is* was a massive red flag and yet another clue that *this is not something that should have ever existed*. 🤦 Manipulating file metadata based on *assumptions about what the user probably expects* instead of providing developers the means to set the metadata correctly themselves based on what they know they're doing has "Microsoft" written all over it.

  • @JonRowlison
    @JonRowlison · 8 days ago

    Wouldn't it have just been cleaner to clone the original filename entry/entries for the temporary file and THEN just remove the original entry and free the blocks once we're done writing the updated file to the drive? This tunneling seems archaic in a modern filesystem. (And yes, clone the metadata including the original creation date... so it doesn't change in the copy.)

  • @13Cubed
    @13Cubed · 8 days ago

    Perhaps... that is a question for the original developers, but agreed that the entire concept of File System Tunneling is very strange...hence the video :)

  • @edwardscrase6136
    @edwardscrase6136 · 8 days ago

    Do entries in the list persist past power cycling? Also, don't antivirus scanners trigger stuff off these dates?

  • @13Cubed
    @13Cubed · 8 days ago

    What list are you referring to? Power cycling the box right after performing an action that would normally utilize File System Tunneling would preclude the behavior I demonstrated from happening. In other words, delete file a.exe. Reboot. Create file a.exe in the same location. This would result in the creation date (B) being set to current time, and not the time of the previous a.exe file. As for your AV question, yes, Access Times may be updated as a result of AV scans, which is yet another reason why this is one of the least reliable timestamps in Windows (from a forensics perspective).
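The delete-and-recreate behavior described in the reply above, and the "safe save" rename pattern 13Cubed mentioned earlier in the thread, as an added example that is not from the video or from 13Cubed. The directory and file names are assumptions for the demonstration; the registry value names are the documented tunnel-cache settings, and the defaults quoted in the comments (15 seconds, 256 entries) are the documented ones. It has to run on Windows, on an NTFS (or FAT) volume.

```powershell
# Added example (not from the video or 13Cubed): reproduce File System Tunneling
# and show the time window it depends on. Directory/file names are assumptions.
$dir  = Join-Path $env:TEMP 'tunnel-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$path = Join-Path $dir 'a.exe'

# Tunnel cache settings; when the values are absent the documented defaults
# apply (MaximumTunnelEntryAgeInSeconds = 15, MaximumTunnelEntries = 256).
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$age = (Get-ItemProperty -Path $fsKey -ErrorAction SilentlyContinue).MaximumTunnelEntryAgeInSeconds
if ($null -eq $age) { $age = 15 }
"Tunnel window: $age seconds"

function Get-CreationStamp([string]$LiteralPath) {
    (Get-Item -LiteralPath $LiteralPath).CreationTimeUtc.ToString('o')
}
$oldStamp = [datetime]::new(2020, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

# 1. Create the original and back-date its creation time so the effect is obvious.
Set-Content -LiteralPath $path -Value 'original'
(Get-Item -LiteralPath $path).CreationTimeUtc = $oldStamp
"Original    : $(Get-CreationStamp $path)"

# 2. Delete, then recreate under the same name inside the window: the new
#    file inherits the 2020 creation time from the per-directory tunnel cache.
Remove-Item -LiteralPath $path
Set-Content -LiteralPath $path -Value 'replacement'
"Recreated   : $(Get-CreationStamp $path)   (within $age s: inherited)"

# 3. Delete, wait past the window, recreate: the cache entry has expired and
#    the creation time is the current time.
Remove-Item -LiteralPath $path
Start-Sleep -Seconds ($age + 2)
Set-Content -LiteralPath $path -Value 'replacement'
"Recreated   : $(Get-CreationStamp $path)   (after $age s: current time)"

# 4. The 'safe save' pattern: rename the old file away, write a new one under
#    the original name, delete the old one. The rename also seeds the cache.
(Get-Item -LiteralPath $path).CreationTimeUtc = $oldStamp
Rename-Item -LiteralPath $path -NewName 'a.exe.bak'
Set-Content -LiteralPath $path -Value 'safe-saved'
Remove-Item -LiteralPath (Join-Path $dir 'a.exe.bak')
"Safe-saved  : $(Get-CreationStamp $path)   (rename path: inherited)"
```

The cache is in memory and kept per directory, so a reboot between the delete and the recreate clears it, exactly as the reply says; case 3 shows the same outcome once the window expires without a reboot. Case 4 is the path a word processor takes when it saves, which is why the inherited creation time is the expected result for users and a trap for a timeline built on $SI creation times alone.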

  • @AviDrissman
    @AviDrissman · 9 days ago

    To be fair this was critical on Win 95 for long file names. If a DOS program did a “safe save” on a file with a ~1 shortname the long name would be lost, so tunneling to keep the LFN would be important.

  • @Alfred-Neuman
    @Alfred-Neuman · 2 days ago

    Starting Windows 95... _

  • @VcSaJen
    @VcSaJen · 9 days ago

    How is this a threat? If you have write access, you usually can outright edit file metadata without any workarounds.

  • @13Cubed
    @13Cubed · 8 days ago

    Not necessarily that easy. Keep in mind that a given file in Windows on an NTFS file system can have up to 20 timestamps! kzread.info/dash/bejne/qpmZ2Nt8oaacYqg.html

  • @MrNerdHair
    @MrNerdHair · 6 days ago

    @13Cubed That's horrifying.

  • @dawnrazor
    @dawnrazor · 9 days ago

    Does this feature exist on Linux or Mac systems?

  • @13Cubed
    @13Cubed · 9 days ago

    No, this is a Windows-exclusive feature.

  • @hackdesigner
    @hackdesigner · 9 days ago

    Did not know about this feature, great example of building for the customer. Threats, though... why bother if you can just make an API call or even launch a one-liner in PowerShell to set that AND date-modified, etc.?

  • @13Cubed
    @13Cubed · 9 days ago

    Because some of those methods only affect $SI timestamps, and not $FN timestamps.

  • @ashwindersingh18
    @ashwindersingh18 · 11 days ago

    Does this DSStoreParser script work for anyone? Is there a new tool etc?

  • @13Cubed
    @13Cubed · 11 days ago

    I was not aware that it no longer worked. You might try this: github.com/hanwenzhu/.DS_Store-parser, though I have not yet tested it.

  • @donwald3436
    @donwald3436 · 11 days ago

    Unix approach: applications should do the right thing. Microsoft approach: we'll do weird shit so that applications can keep doing the wrong thing. How typical lol.

  • @AppleyardAndy
    @AppleyardAndy · 11 days ago

    I remember when programs would check creation dates for internal integrity checks. Of course that's going back to the DOS days.

  • @tech_guyOO7
    @tech_guyOO7 · 11 days ago

    Is this only for $SI, or is $FN changed as well?

  • @13Cubed
    @13Cubed · 11 days ago

    Both. :)

  • @myne00
    @myne00 · 11 days ago

    If you're attacking a machine and have any half decent level of access, it's surely far simpler to just change the clock for a few seconds. No?

  • @13Cubed
    @13Cubed · 11 days ago

    Sure, but there are ways that can be detected.

  • @robert-skibelo
    @robert-skibelo · 12 days ago

    Tunneling is a totally inappropriate name for it. Typical Microsoft, they're never able to name anything in a way that makes sense to end users.

  • @mfaizsyahmi
    @mfaizsyahmi · 5 days ago

    This was created in the late '80s to early '90s, when the modern sense of tunneling didn't exist yet.

  • @xTerminatorAndy
    @xTerminatorAndy · 4 days ago

    @mfaizsyahmi But the concept of a tunnel being something you use to transport something from A to B did exist, and even in that context it doesn't make sense.

  • @natbarmore
    @natbarmore · 4 days ago

    @mfaizsyahmi Also, depending when exactly, tunneling might've already existed as a computer networking term. I was definitely aware of the concept of tunneling one network protocol within another by '95, and AppleTalk over Ethernet goes back to the '80s (though I can't remember if we referred to it as "tunneling" at the time). In any case, I'm with OP: nothing is being "tunneled" in any colloquial or technical sense, and what is being cached and manipulated isn't a "file system", it's "a file" or "file metadata", depending on how you want to look at it.

  • @tantalus_complex
    @tantalus_complex · 3 days ago

    @xTerminatorAndy I don't think it is fair to presume that it is poorly named based only on a very high-level overview of what may be only _one_ effect of a more complicated system. If a deep dive reveals it as a poor naming choice, fine. But we don't have enough information in this video to serve that purpose.

  • @xTerminatorAndy
    @xTerminatorAndy · 3 days ago

    @tantalus_complex Sure. My comment only represents the opinion of one very sad individual. I give it to you for free. Thank you for your feedback 🙂

  • @tsclly2377
    @tsclly2377 · 12 days ago

    The reason to have hard back-ups in your safe.

  • @jyotigaur242
    @jyotigaur242 · 12 days ago

    Nice video, but I have one doubt. In one of my live analyses I have seen the created date is 12 Feb but the modified date is 11 Feb. How is that possible? And I know for sure the file is malicious.

  • @13Cubed
    @13Cubed · 11 days ago

    If a file was seemingly modified before it was created, it's likely the result of a file copy operation. There are a few videos on the channel that go into detail about this if you are interested.
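As an added example (not the video's, and not 13Cubed's own tooling) of the $SI/$FN point made in the replies above, and of the "modified before created" case in this one: a triage function that flags those timestamp relationships in an MFT timeline export. The CSV rows are constructed for this demo; the column names follow MFTECmd's 0x10 ($STANDARD_INFORMATION) and 0x30 ($FILE_NAME) naming, which is an assumption if your export comes from a different parser.

```powershell
# Added example, not from the video or 13Cubed. Column names follow MFTECmd's
# 0x10 ($STANDARD_INFORMATION) / 0x30 ($FILE_NAME) convention (assumption;
# adjust for your parser). The rows are constructed for the demo.
$sample = @'
EntryNumber,FileName,Created0x10,LastModified0x10,Created0x30,LastModified0x30
100,report.docx,2024-02-12T09:00:00.2223334,2024-02-11T17:30:00.1234567,2024-02-12T09:00:00.2223334,2024-02-12T09:00:00.2223334
101,svchost.exe,2019-03-19T04:49:37.0000000,2019-03-19T04:49:37.0000000,2024-02-12T10:15:22.4412345,2024-02-12T10:15:22.4412345
102,a.exe,2020-01-01T00:00:00.0000000,2024-02-12T10:20:03.9912345,2020-01-01T00:00:00.0000000,2024-02-12T10:20:03.9912345
103,notes.txt,2024-02-10T08:00:00.1112223,2024-02-10T08:05:00.4445556,2024-02-10T08:00:00.1112223,2024-02-10T08:00:00.1112223
'@

function ConvertTo-UtcStamp([string]$Text) {
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    [datetime]::Parse($Text, [cultureinfo]::InvariantCulture, $styles)
}

function Find-TimestampAnomaly {
    param([Parameter(Mandatory)][string]$CsvText)
    $ticksPerSecond = 10000000
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $siCreated  = ConvertTo-UtcStamp $row.Created0x10
        $siModified = ConvertTo-UtcStamp $row.LastModified0x10
        $fnCreated  = ConvertTo-UtcStamp $row.Created0x30
        $flags = @()

        # SetFileTime-style tools only write $SI, so an $SI creation time that
        # precedes the $FN one means $SI was rewritten after the entry was made.
        if ($siCreated -lt $fnCreated) { $flags += 'SI created before FN created' }

        # Many stomping tools set whole seconds only; a zeroed fraction in $SI
        # beside a populated one in $FN is a second indicator.
        if (($siCreated.Ticks % $ticksPerSecond) -eq 0 -and
            ($fnCreated.Ticks % $ticksPerSecond) -ne 0) {
            $flags += 'SI sub-second zeroed'
        }

        # Modified before created is what a file copy leaves behind: creation
        # is the copy time, last-modified is carried over from the source.
        if ($siModified -lt $siCreated) { $flags += 'modified before created (copy?)' }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Entry = $row.EntryNumber
                File  = $row.FileName
                Flags = ($flags -join '; ')
            }
        }
    }
}

Find-TimestampAnomaly -CsvText $sample | Format-Table -AutoSize
```

Entry 101 trips both $SI-only checks (the $FN timestamps survived while $SI was rewritten to whole seconds), entry 100 looks like a copy, and entry 102 is the tunneling case from the video: both attributes carry the inherited creation time, so none of these comparisons fire and you need another source, such as the $UsnJrnl or $LogFile record of the create, to see that the file is newer than its timestamps say.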

  • @t0mn8r35
    @t0mn8r35 · 12 days ago

    Interesting.

  • @Strodie567
    @Strodie567 · 13 days ago

    Ah, but there are plenty of 3rd-party tools that allow you to change the creation date of a file to an arbitrary timestamp. So the malware creators could just use the techniques followed by those tools. And there are very legitimate reasons to change the creation date. One example is a feature of ExifTool that allows you to set it to the DateTimeOriginal EXIF tag for JPEG files. That way, the creation date of a photograph file will match the time at which it was taken, which is totally legitimate and very useful.

  • @steveproper1270
    @steveproper1270 · 13 days ago

    I'm sure I've heard of this, under a different term. I will probably just refer to this as windows tampered file system or W T F for short. I mean file system tunneling is a completely different thing. That's a costly system resource on equipment and time; perhaps it all takes place on the cache. Probably only does this for certain apps or file types. For me, file manager only changed the modification date, and then only if I changed the file by a bit.