IOI-011 · IoI Rule · Temporal
LNK vs. $MFT $SI Timestamp Divergence
Status: ✓ Validated · Tags: Temporal, LNK, $MFT
Contributed by @ioi-framework · 2025-01-01 · v1.3
Invariant predicate φ
The LNK shortcut creation time must agree with the MFT $FN (0x30) creation timestamp for the same entry at second-level precision while diverging from the MFT $SI (0x10) timestamp.
Download ioi-011.rq ↗
Tested on: Virtuoso 7.2 (OpenLink OSE)

Dependency specification

  1. LNK files: targetMftEntryNumber, targetCreatedTime, observableCreatedTime
  2. $MFT: created0x10 ($SI) and created0x30 ($FN) timestamps keyed by entryNumber

Matching is on MFT entry number, which is stable across timestamp manipulation.

The LNK shortcut creation time and MFT $SI creation time for the same entry must diverge. The $FN timestamp (harder to manipulate via user-mode tools) must still agree with the LNK value at second-level precision, confirming the divergence is isolated to $SI.

Contradiction condition

Fires when the LNK shortcut creation time differs from the MFT $SI creation time and the LNK time agrees with the MFT $FN creation time at second-level precision — indicating $SI was modified while $FN was not.

SPARQL signature (strict variant)

PREFIX core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX observable: <https://ontology.unifiedcyberontology.org/uco/observable/>
PREFIX ioi-ext: <https://ioi-framework.github.io/ns/ioi-ext/>

SELECT DISTINCT
  ?lnkFile ?lnkTargetPath ?lnkShortcutCreated
  ?lnkTargetCreated ?mftSiCreated ?mftFnCreated
WHERE {
  {
    SELECT DISTINCT
      ?entryNum ?lnkFile ?lnkTargetPath
      ?lnkTargetCreated ?lnkShortcutCreated
    WHERE {
      GRAPH <lnk_case11> {
        ?lnkFacet a ioi-ext:WindowsLnkFacet ;
                  ioi-ext:targetMftEntryNumber ?entryNum ;
                  ioi-ext:targetCreatedTime ?lnkTargetCreated ;
                  ioi-ext:targetFilePath ?lnkTargetPath .
        ?lnkFile core:hasFacet ?lnkFacet .
        OPTIONAL {
          ?lnkFile core:hasFacet ?lf .
          ?lf a observable:FileFacet ;
              observable:observableCreatedTime ?lnkShortcutCreated .
        }
      }
    }
  }
  GRAPH <mft_case11> {
    ?mftFacet a ioi-ext:MftFacet ;
              ioi-ext:entryNumber ?entryNum ;
              ioi-ext:created0x10 ?mftSiCreated ;
              ioi-ext:created0x30 ?mftFnCreated .
  }
  FILTER(BOUND(?lnkShortcutCreated) &&
         ?lnkShortcutCreated != ?mftSiCreated)
  FILTER(STRSTARTS(STR(?mftFnCreated),
                   SUBSTR(STR(?lnkShortcutCreated), 1, 19)))
}
ORDER BY ?lnkFile

Permissive variant

ioi-011-permissive.rq omits the $FN corroboration filter. Higher recall; flags any $SI/LNK divergence regardless of $FN agreement.
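The strict contradiction condition and the permissive variant, re-implemented in plain Python over constructed LNK and $MFT records so the join and the second-level $FN corroboration can be traced step by step. This is an added example, not part of the IoI framework's own tooling; the record classes, field names and sample paths are assumptions modelled on the dependency specification above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class LnkRecord:                          # a WindowsLnkFacet plus the .lnk's own FileFacet
    path: str                             # the .lnk file itself
    target_entry: int                     # ioi-ext:targetMftEntryNumber
    shortcut_created: "datetime | None"   # observable:observableCreatedTime, may be unbound

@dataclass(frozen=True)
class MftRecord:                          # an MftFacet
    entry: int                            # ioi-ext:entryNumber
    si_created: datetime                  # ioi-ext:created0x10 ($SI)
    fn_created: datetime                  # ioi-ext:created0x30 ($FN)

def same_second(a: datetime, b: datetime) -> bool:
    # Second-level agreement, the equivalent of the SUBSTR(STR(x), 1, 19) prefix test.
    return a.replace(microsecond=0) == b.replace(microsecond=0)

def ioi_011(lnks, mfts, strict=True):
    # (lnk path, entry) pairs whose LNK creation time diverges from $SI; strict=True also
    # requires $FN corroboration (ioi-011.rq), strict=False is the permissive variant.
    by_entry = {m.entry: m for m in mfts}           # join key: MFT entry number
    hits = []
    for lnk in lnks:
        if lnk.shortcut_created is None:            # FILTER(BOUND(?lnkShortcutCreated))
            continue
        mft = by_entry.get(lnk.target_entry)
        if mft is None or lnk.shortcut_created == mft.si_created:
            continue                                # no $SI divergence
        if strict and not same_second(lnk.shortcut_created, mft.fn_created):
            continue                                # $FN does not corroborate the LNK value
        hits.append((lnk.path, lnk.target_entry))
    return sorted(hits)

# Constructed sample records, not real case data.
LNKS = [
    LnkRecord("C:/Users/a/Recent/report.lnk", 100, datetime(2025, 1, 1, 10, 0, 0, 500000, UTC)),
    LnkRecord("C:/Users/a/Recent/notes.lnk", 200, datetime(2025, 1, 1, 11, 0, 0, 0, UTC)),
    LnkRecord("C:/Users/a/Recent/plan.lnk", 300, datetime(2025, 1, 1, 12, 0, 0, 0, UTC)),
    LnkRecord("C:/Users/a/Recent/orphan.lnk", 400, None),
]
MFTS = [
    MftRecord(100, datetime(2024, 6, 1, 9, 0, 0, 0, UTC), datetime(2025, 1, 1, 10, 0, 0, 500000, UTC)),  # $SI backdated, $FN intact
    MftRecord(200, datetime(2025, 1, 1, 11, 0, 0, 0, UTC), datetime(2025, 1, 1, 11, 0, 0, 0, UTC)),      # fully consistent
    MftRecord(300, datetime(2025, 1, 1, 12, 30, 0, 0, UTC), datetime(2025, 1, 1, 12, 30, 0, 0, UTC)),    # LNK disagrees with both
    MftRecord(400, datetime(2025, 1, 1, 13, 0, 0, 0, UTC), datetime(2025, 1, 1, 13, 0, 0, 0, UTC)),
]
```

On this data the strict rule fires only for entry 100, where $FN still matches the LNK value to the second; the permissive rule also flags entry 300, where the LNK time disagrees with $SI and $FN alike.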

Graph IRI substitution

Replace <lnk_case11> and <mft_case11> with your named graph IRIs.