Trustworthiness of MAC times ...


gmarshall139 (Senior Member)

Re: Trustworthiness of MAC times ...

Posted: May 04, 06 02:04

By default Windows XP syncs to the windows time server weekly. You would also expect to see these updates, as there will be a time change, if only a second or two. From what I'm reading I think you are on to something.

More testing may be necessary though. What if I changed the time, performed the steps I set out to, then changed it back, all without shutting the computer down?
_________________
Greg Marshall, EnCE 

cosimo (Member)

Re: Trustworthiness of MAC times ...

Posted: May 05, 06 00:57

Hi Koko and gmarshall,

The last modified time of the TimeZoneInformation key is 4/5/2006 9:55:24, that is before the system had completed its boot (as can be seen by the fact that the first 6005 eventid entry in the Event Log is timestamped at 9:55:44). Furthermore, the event log registered the following sequence of events:

4/5/2006 10:00:43 AM eventlog None 6006
4/5/2006 9:57:09 AM Service Control Manager None 7036
4/5/2006 9:57:09 AM Service Control Manager None 7036
4/5/2006 9:57:08 AM Service Control Manager None 7036
4/5/2006 9:57:07 AM Service Control Manager None 7035
4/5/2006 9:57:04 AM Service Control Manager None 7035
4/5/2006 9:56:59 AM Service Control Manager None 7036
4/5/2006 9:56:59 AM Service Control Manager None 7035
4/5/2006 9:56:29 AM Service Control Manager None 7036
4/5/2006 9:56:26 AM Service Control Manager None 7035
4/5/2006 9:56:26 AM Service Control Manager None 7036
4/5/2006 9:56:25 AM Service Control Manager None 7036
4/5/2006 9:56:25 AM Service Control Manager None 7035
4/5/2006 9:56:25 AM Service Control Manager None 7036
4/5/2006 9:56:25 AM Service Control Manager None 7035
4/5/2006 9:55:44 AM eventlog None 6005
4/5/2006 9:55:44 AM eventlog None 6009

The bottom two lines register when the machine boots. After that, there is a sequence of messages registered when a service is started (7035) or stopped (7036). This sequence is generated by the services started by the OS, and shows that services were being started after the machine booted. If the clock had been brought back and forth, we would observe some out-of-sequence timestamps, since the time stamp of those generated while the clock was set to Jan 20th would carry that date, and then the other ones generated after the clock had been reset to Apr. 5th would carry the correct date.
As can be seen by the log, there are no out-of-sequence timestamps, and this should show that the clock has not been brought back and forth. At least, this is the conclusion I would like to draw :)
What do you think?

-- Cosimo  
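Cosimo's two checks written out as runnable code: a scan of the event log for a later-written record carrying an earlier timestamp (the signature of a clock set back and then restored), and the comparison of a registry key's last-write time against the first 6005 record. This is an added example, not code from the thread or from any tool it mentions. It embeds the seventeen log lines above as constructed sample input copied from the post, plus a constructed variant (not from the post) in which one service-stop record is stamped 20 January, and it assumes the viewer lists records newest first, so reversing the listing gives write order. The function names and the 120-word docstrings are the example's own.

```python
"""Check a Windows event log extract for clock manipulation, as argued in the
thread: records are written in order, so if the clock was set back and later
restored, some later-written record carries an earlier timestamp."""
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    when: datetime
    source: str
    event_id: int


# Constructed sample input: the seventeen lines from the post, as the viewer
# shows them (newest record first).
CLEAN_LOG = """\
4/5/2006 10:00:43 AM eventlog None 6006
4/5/2006 9:57:09 AM Service Control Manager None 7036
4/5/2006 9:57:09 AM Service Control Manager None 7036
4/5/2006 9:57:08 AM Service Control Manager None 7036
4/5/2006 9:57:07 AM Service Control Manager None 7035
4/5/2006 9:57:04 AM Service Control Manager None 7035
4/5/2006 9:56:59 AM Service Control Manager None 7036
4/5/2006 9:56:59 AM Service Control Manager None 7035
4/5/2006 9:56:29 AM Service Control Manager None 7036
4/5/2006 9:56:26 AM Service Control Manager None 7035
4/5/2006 9:56:26 AM Service Control Manager None 7036
4/5/2006 9:56:25 AM Service Control Manager None 7036
4/5/2006 9:56:25 AM Service Control Manager None 7035
4/5/2006 9:56:25 AM Service Control Manager None 7036
4/5/2006 9:56:25 AM Service Control Manager None 7035
4/5/2006 9:55:44 AM eventlog None 6005
4/5/2006 9:55:44 AM eventlog None 6009
"""

# Constructed counter-example (not from the post): the same boot, but one
# service-stop record written while the clock had been set back to 20 January.
TAMPERED_LOG = CLEAN_LOG.replace(
    "4/5/2006 9:56:59 AM Service Control Manager None 7036",
    "1/20/2006 9:56:59 AM Service Control Manager None 7036", 1)


def parse_when(text: str) -> datetime:
    """Parse a viewer-style timestamp such as '4/5/2006 9:55:24 AM'."""
    return datetime.strptime(text.strip(), "%m/%d/%Y %I:%M:%S %p")


def parse_event(line: str) -> Event:
    """One viewer line: date, time, AM/PM, source words..., category, event id."""
    parts = line.split()
    when = parse_when(" ".join(parts[:3]))
    source = " ".join(parts[3:-2])  # e.g. 'Service Control Manager'
    return Event(when, source, int(parts[-1]))


def parse_log(text: str) -> List[Event]:
    """Parse viewer output (newest first) into write order (oldest first)."""
    events = [parse_event(ln) for ln in text.splitlines() if ln.strip()]
    events.reverse()
    return events


def backward_jumps(events: List[Event]) -> List[Tuple[Event, Event]]:
    """Pairs (earlier-written, later-written) where the later record carries
    an earlier timestamp, i.e. the clock went backwards between the two writes."""
    return [(p, c) for p, c in zip(events, events[1:]) if c.when < p.when]


def boot_time(events: List[Event]) -> Optional[datetime]:
    """Timestamp of the first 6005 'event log service started' record."""
    for e in events:
        if e.source == "eventlog" and e.event_id == 6005:
            return e.when
    return None


def key_write_before_boot(key_last_write: str, events: List[Event]) -> Optional[float]:
    """Seconds between a registry key's last write and the 6005 record.
    Positive: the key was written before the log service came up, as during a
    normal boot. Negative: written after boot, which invites a closer look."""
    boot = boot_time(events)
    if boot is None:
        return None
    return (boot - parse_when(key_last_write)).total_seconds()


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_LOG), ("tampered", TAMPERED_LOG)):
        events = parse_log(text)
        jumps = backward_jumps(events)
        print(name, "boot at", boot_time(events), "backward jumps:", len(jumps))
        for earlier, later in jumps:
            print("  ", earlier.when, "->", later.when, later.source, later.event_id)
    secs = key_write_before_boot("4/5/2006 9:55:24 AM", parse_log(CLEAN_LOG))
    print("TimeZoneInformation key written", secs, "s before the 6005 record")
```

The clean listing yields no backward jump and a key write 20 seconds before 6005, matching the post; the tampered variant yields exactly one jump, at the record stamped 20 January. Note what the check cannot see: an entry that was never written, or one removed afterwards, leaves no jump, which is the gap the next replies raise.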

iruiper (Senior Member)

Re: Trustworthiness of MAC times ...

Posted: May 05, 06 13:02

Hi,

I still don't understand all the stuff about the registry and the event log... but I would like to point out something quite simple: what if some software has been used to modify files attributes? For example AttributeMagic.  

gmarshall139 (Senior Member)

Re: Trustworthiness of MAC times ...

Posted: May 05, 06 17:17

I think it builds your case in that direction. I don't think it's definitive.

Can I switch the clock, then create/modify a few files without creating a log entry?

If I did create an out-of-sequence log entry, could I delete the entry from the log?

Could I attach the hard drive to another computer and alter/add the files I wanted without booting its OS?

Can I use something such as Attribute Magic to alter those times?

Could I manually alter the MFT entries for the files in question?

I don't think you'll answer these questions definitively from the computer alone. The people who possessed the computer are part of the chain of custody now. They can testify to what they did with it.
_________________
Greg Marshall, EnCE 