Module 2 Timelines and Such - PowerPoint PPT Presentation

1
Module 2 Timelines and Such
Highline Community College, Seattle University,
University of Washington, in conjunction
with the National Science Foundation
2
MACTimes
  • Who, what, when, where and how?
  • When may be more important than what
  • atime, mtime, ctime, dtime, last
  • ChangeTime, CreationTime, LastAccessTime,
    LastWriteTime
  • Historical times may not be available except on
    backups, journaling file systems, etc.

3
Viewing items
  • ls -l
  • TCT's mactime tool
  • Uses the lstat() system call
  • Windows has third-party tools
  • Explorer: right mouse click and use all tabs

4
Issues with MACTimes
  • GUI-based tools can change the atime
  • Importance of using a forensic tool on an image
    that cannot be altered
  • Opening a directory can change the access time,
    be sure to use lstat()
  • Hashes must be done after an lstat()

5
Issues with MACTimes (cont'd)
  • Do not show history
  • MACTimes degrade with time
  • OOV
  • Easily forged
  • touch command
  • utime() on both UNIX and NTFS
  • NT has the SetFileTime() call to change all three
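The two slides above make one procedural point (lstat() first, hash afterwards, then order the results) and one warning (atime and mtime are trivially set with touch/utime(), so MAC times alone prove little). The following Python is an added example, not code from the slides or from TCT: it collects MAC times with os.lstat(), hashes regular files only after the stat, produces a mactime-style ordered timeline, and flags the trace that utime()-style forgery leaves behind: utime() can set atime and mtime, but ctime is always stamped by the kernel with the current time, so an mtime later than ctime (or later than the clock) cannot come from an ordinary write. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
import time

# Added example (not from the slides): inventory MAC times the way the slides
# advise, lstat() before anything that opens or reads the entry, then hash
# regular files, build a mactime-style ordered timeline, and flag timestamps
# that touch/utime() forgery leaves behind.


def sha256_file(path):
    """Hash file contents. Reading a file may bump its atime on a live mount,
    which is exactly why lstat() has to come first."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_entries(root):
    """lstat() every entry under root and record atime/mtime/ctime.

    lstat() does not follow symlinks and does not open the target. Listing a
    directory still reads it (and may update that directory's own atime), so
    run this against a read-only mounted image, not the original evidence."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entry = {
                "path": path,
                "atime": st.st_atime,
                "mtime": st.st_mtime,
                "ctime": st.st_ctime,  # inode change time (creation time on Windows)
                "size": st.st_size,
                "sha256": None,
            }
            if stat.S_ISREG(st.st_mode):
                entry["sha256"] = sha256_file(path)  # only after lstat()
            entries.append(entry)
    return entries


def mactime_timeline(entries):
    """Flatten to (timestamp, m/a/c flag, path) rows sorted by time, the
    ordering TCT's mactime produces from a body file."""
    rows = []
    for e in entries:
        for key, flag in (("mtime", "m"), ("atime", "a"), ("ctime", "c")):
            rows.append((e[key], flag, e["path"]))
    rows.sort()
    return rows


def suspicious_entries(entries, now=None):
    """utime() and touch can set atime and mtime but not ctime: the kernel
    stamps ctime with the current time on any inode change, including the
    utime() call itself. An mtime later than ctime, or later than now, cannot
    come from ordinary writes (a system clock that was set back is the usual
    benign explanation), so it deserves a closer look."""
    now = time.time() if now is None else now
    flagged = []
    for e in entries:
        reasons = []
        if e["mtime"] > e["ctime"] + 1:  # one second of slack for coarse timestamps
            reasons.append("mtime after ctime")
        if e["mtime"] > now + 60:
            reasons.append("mtime in the future")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


def demo(root=None):
    """Create two constructed files, set the mtime of one with utime() the way
    'touch -d' does, and run collection, timeline and the forgery check."""
    root = tempfile.mkdtemp() if root is None else root
    honest = os.path.join(root, "honest.log")
    forged = os.path.join(root, "forged.log")
    for p in (honest, forged):
        with open(p, "w") as f:
            f.write("constructed sample content\n")
    future = time.time() + 365 * 86400
    os.utime(forged, (future, future))  # sets atime/mtime; ctime becomes 'now'
    entries = collect_entries(root)
    return entries, mactime_timeline(entries), suspicious_entries(entries)


if __name__ == "__main__":
    _, timeline, flagged = demo()
    for ts, flag, path in timeline:
        print(time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)), flag, path)
    print("flagged:", flagged)
```

The timeline prints in UTC on purpose; converting to local time is a presentation step done once at the end, never while collecting, so a machine moved between time zones does not scramble the ordering. The ctime check is a heuristic, not proof: it catches the common touch/utime() case, but a tool that writes the inode directly, or SetFileTime() on NTFS, can set all timestamps, which is why the slides say to corroborate against journals, backups and other sources.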

6
Looking for Things
  • Unusual port numbers being accessed
  • An FTP port being used for a long time
  • What other systems did this person access?

7
Where to Look
  • Kernel and processor memory
  • Unallocated disk space
  • Deleted files
  • Swap files
  • Peripherals and other items that may have
    fragments of information

8
OnLine
  • BIND DNS daemon
  • DNS records
  • PTR: maps an IP address to a host name
  • A (address) records: computer name to IP number
  • MX (mail exchange): tells where to send the mail
  • TTL (time to live): from BIND's time left for a
    request in cache and the real TTL, you can
    determine when it was sent.
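The TTL bullet is worth carrying through as arithmetic. A resolver such as BIND caches a record with the TTL the authoritative server served and counts it down; a cache dump shows the remaining value, so the time the resolver fetched the record is the dump time minus (real TTL minus remaining TTL). The Python below is an added example, not from the slides or from BIND: it parses constructed dump lines in the zone-file layout BIND uses for its cache dump (name, remaining TTL, class, type, rdata), looks up constructed authoritative TTLs, and returns the estimated fetch time of each record. The host names, addresses and TTL values are all made up for the demo.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the slides). The TTL column of a BIND cache dump
# counts down from the record's real TTL; comparing it with the TTL the
# authoritative server hands out tells you how long ago the resolver fetched
# the record, and therefore when the lookup happened.

# Constructed sample dump lines: name, remaining TTL, class, type, rdata.
SAMPLE_CACHE_DUMP = """\
; constructed sample, not a real dump
www.example.net.          3312  IN  A    192.0.2.10
example.net.             81200  IN  MX   10 mail.example.net.
10.2.0.192.in-addr.arpa.   600  IN  PTR  www.example.net.
"""

# Real TTLs as the authoritative server serves them (constructed values; in
# practice read them from a query sent directly to the zone's name server).
AUTHORITATIVE_TTL = {
    ("www.example.net.", "A"): 3600,
    ("example.net.", "MX"): 86400,
    ("10.2.0.192.in-addr.arpa.", "PTR"): 600,
}


def parse_cache_dump(text):
    """Parse zone-file style lines into records; skip comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append({"name": name, "remaining_ttl": int(ttl),
                        "class": rclass, "type": rtype, "rdata": rdata})
    return records


def fetch_times(records, authoritative_ttl, dump_time):
    """Estimate when each cached record was fetched:
    fetched_at = dump_time - (real_ttl - remaining_ttl).
    Records whose real TTL is unknown are skipped rather than guessed."""
    result = []
    for r in records:
        real = authoritative_ttl.get((r["name"], r["type"]))
        if real is None:
            continue
        age = real - r["remaining_ttl"]  # seconds the record has sat in cache
        result.append((r["name"], r["type"], dump_time - timedelta(seconds=age)))
    return result


def demo():
    """Run the estimate on the constructed dump at a constructed dump time."""
    dump_time = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return fetch_times(parse_cache_dump(SAMPLE_CACHE_DUMP),
                       AUTHORITATIVE_TTL, dump_time)


if __name__ == "__main__":
    for name, rtype, when in demo():
        print(when.isoformat(), rtype, name)
```

The estimate assumes the cached countdown started at the authoritative TTL. A resolver that clamps TTLs (BIND's max-cache-ttl) or that learned the record from another cache with a partly consumed TTL will make the record look older than it is, so treat the result as an upper bound on how long ago the lookup happened and confirm it against query logs where they exist. The PTR line, with its full TTL remaining, shows the other end of the range: a record fetched at the moment of the dump.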

9
Problems with Time
  • Synchronization
  • Power: battery or power failure
  • Accuracy, drift
  • Time zones
  • Moving a computer to another time zone
  • Intruders altering time or resetting clocks