Mechanism of Evasion
Partition Creation: Using Disk Management (diskmgmt.msc) or command-line tools (diskpart), the user creates a new partition on one of their physical storage devices. This partition might be formatted with NTFS or potentially a less forensically rich filesystem like FAT32 or exFAT.
Activity Confinement: Cheat files, tools, or temporary data related to malicious activity are placed, executed, or stored within this newly created partition.
Journaling Avoidance:
If the new partition is FAT32/exFAT, it inherently lacks robust journaling ($UsnJrnl, $LogFile), making tracking file operations within it difficult via standard NTFS methods.
If the new partition is NTFS, it will have its own separate set of metafiles ($MFT, $UsnJrnl, $LogFile), distinct from the main system volume (C:). Activities confined to this partition will be logged in its journal, not the C: drive's journal. A ScreenSharer focused only on the C: drive's journal would miss these events.
Partition Deletion: Before or during the screenshare, the user deletes the entire partition containing the incriminating files or activity logs. This removes not just the files but the entire filesystem structure for that partition, including its specific $MFT and journal (if it was NTFS).
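A checker who reads only the C: journal misses both the separate volume and its later deletion. The PowerShell below is added here as an example, not code from the page or from any tool it describes: it enumerates every disk for unallocated gaps between or after partitions and queries the USN journal of every NTFS volume. The gap threshold and the fsutil output filter are assumptions; it needs an elevated prompt for fsutil.

```powershell
# Added example, not part of the original page. Enumerates every disk and volume
# instead of looking only at C:. Run elevated so fsutil can read each journal.

# 1. Per disk: list partitions in offset order and report unallocated gaps between
#    them or after the last one. A large gap is the footprint left by the
#    "Partition Deletion" step; the heuristic cannot prove it, but it shows the
#    reviewer where to ask questions.
$GapThreshold = 512MB   # assumed value; below this, alignment slack is normal

foreach ($disk in Get-Disk) {
    "Disk {0}: {1}, {2:N1} GB, {3}" -f $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB), $disk.PartitionStyle
    $cursor = 0
    $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue | Sort-Object Offset
    foreach ($p in $parts) {
        $gap = $p.Offset - $cursor
        if ($gap -gt $GapThreshold) {
            "  unallocated gap of {0:N1} GB before partition {1}" -f ($gap / 1GB), $p.PartitionNumber
        }
        "  partition {0}: offset {1}, {2:N1} GB, type {3}" -f $p.PartitionNumber, $p.Offset, ($p.Size / 1GB), $p.Type
        $cursor = $p.Offset + $p.Size
    }
    $tail = $disk.Size - $cursor
    if ($tail -gt $GapThreshold) {
        "  unallocated tail of {0:N1} GB after the last partition" -f ($tail / 1GB)
    }
}

# 2. Per volume: every NTFS volume carries its own $UsnJrnl, so query each one.
#    FAT32/exFAT volumes are flagged because there is no journal to review.
foreach ($v in Get-Volume | Where-Object { $_.DriveLetter }) {
    $root = "$($v.DriveLetter):"
    switch ($v.FileSystem) {
        'NTFS' {
            "Volume $root (NTFS, label '$($v.FileSystemLabel)'): USN journal state"
            # assumed filter: keep only the ID and USN range lines of fsutil's output
            fsutil usn queryjournal $root 2>&1 | Where-Object { $_ -match 'Usn Journal ID|First Usn|Next Usn' }
        }
        default {
            "Volume $root ($($v.FileSystem)): no NTFS journal; review file timestamps directly"
        }
    }
}
```

A journal whose First Usn is far from zero, or a disk whose gap matches a volume that no longer exists, is a prompt for a question, not proof on its own.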