Establish the accuracy of the system clock

techmerlin
(@techmerlin)
Posts: 62
Trusted Member
Topic starter
 

A question to the group: what are some methods used to establish the accuracy of the system clock without actually having the suspect's system to confirm the date/time settings? What methods are most reliable, and why?

Thanks All -)

 
Posted : 27/09/2005 7:33 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

…without actually having the suspect's system to confirm the date/time settings.

That depends…what do you have? An image of the drive? Only an email?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 27/09/2005 7:50 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Like Harlan said it depends on what you have, but odds are if you have the registry intact you could see what if any NTP server they were using, and try to check it against time.gov servers for accuracy.
You could check here in the registry for time configurations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

If you have an email you could look at the times the email was transmitted from the mail servers in the header. I'm not sure how reliable these are in terms of court proceedings but they seem reasonable to me in order to verify time.

 
Posted : 27/09/2005 9:44 pm
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
Topic starter
 

Thanks for the replies. I forgot to add that I am working with an image of the drive; this does include emails, for which I have confirmed the time the mail server processed the message(s). I did not think about checking the time server in the registry against a known time server, thanks Hogfly for that one -)

 
Posted : 27/09/2005 10:14 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Now that we have a bit more information, I'll expand on what hogfly said…

First, what are you opening the image in? EnCase? FTK? Something else?

Navigate to the System hive (HKLM\System), and locate the value for Select\Current. Then, using that value (call it "nnn") navigate to

System\ControlSetnnn\Services\W32Time\Parameters

This will give you the settings you're looking for. However, this still doesn't tell you how accurate the system time clock is, as it could have been changed, etc. Or what if the time service wasn't used at all?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 28/09/2005 1:14 am
(@ashay)
Posts: 6
Active Member
 

MSN and Hotmail messages are time stamped Server Time. Therefore if your user has any Hotmail or MSN HTML messages, do the following.

View the raw HTML and search for the term '&ct=' without quotes. Following this is a UNIX time stamp when the page was requested. By using a small utility such as Decode

http://www.digital-detective.co.uk/freetools/decode.asp

Copy the UNIX time and paste into Decode. Drop the list till you see UNIX NUMERIC VALUE and this will give you a fair amount of accuracy in determining what time the page was requested versus the time the HTML page was created on your users drive.

 
Posted : 28/09/2005 1:56 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Ashay,

Great info, but what does that have to do with ascertaining the accuracy of the system clock?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 28/09/2005 6:04 am
(@ashay)
Posts: 6
Active Member
 

My understanding from the question posed was: how is it possible to "establish the accuracy of the system clock"? By that I understand it to mean: can times and dates be relied upon as genuine MAC times? The poster stated that they were working with an image of the drive, and I would deem the answer I stated in my previous post a viable method.

If the suspect went onto MSN and accessed his/her Hotmail account, the time stamp is set at the MSN server. Therefore, if the time stamp embedded in the HTML page in UNIX is given at, say, 1500, but the file creation on the suspect's drive is 1742, the time differential would be 2.42.

It is an independent method to determine MAC times using an external time stamp.

If I've missed the plot completely, apologies to the board.

 
Posted : 28/09/2005 1:15 pm
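A worked version of the &ct= comparison Ashay describes above, written for this thread as an added example (not code posted by anyone in the discussion). It assumes a constructed fragment of a cached Hotmail page and a constructed file creation time; the 1500 vs 1742 figures mirror his example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a fragment of a cached MSN/Hotmail page as a browser might have
# saved it. The &ct= parameter carries the UNIX timestamp the MSN server stamped when
# the page was requested (here 15:00:00 UTC on 28 Sep 2005, chosen for the example).
SAMPLE_HTML = (
    '<html><body><a href="/cgi-bin/getmsg?curmbox=F000000001&a=0123&ct=1127919600">'
    'Inbox</a></body></html>'
)

# Match ct= as a query parameter; 9-10 digits covers UNIX seconds from 2001 onward.
CT_RE = re.compile(r'[?&]ct=(\d{9,10})(?!\d)')


def extract_server_times(html):
    """Return every &ct= value found in the page as a timezone-aware UTC datetime."""
    return [datetime.fromtimestamp(int(ct), tz=timezone.utc) for ct in CT_RE.findall(html)]


def clock_offset(file_created_utc, html):
    """Seconds the suspect clock was ahead of (positive) or behind (negative) the server.

    file_created_utc: the cached file's creation time expressed in UTC. NTFS stores MAC
    times in UTC already; if the forensic tool displays local time, convert it using the
    time zone recorded in the image's registry before calling this.
    Returns None when the page carries no &ct= stamp at all.
    """
    stamps = extract_server_times(html)
    if not stamps:
        return None
    # The earliest stamp on the page is the closest to the moment the page was requested.
    return (file_created_utc - min(stamps)).total_seconds()


def format_offset(seconds):
    """Render an offset as +H:MM / -H:MM for a report."""
    sign = '+' if seconds >= 0 else '-'
    total = int(abs(seconds))
    return f"{sign}{total // 3600}:{(total % 3600) // 60:02d}"


if __name__ == '__main__':
    # Constructed creation time: 17:42 UTC, i.e. the "1742" in the post above.
    created = datetime(2005, 9, 28, 17, 42, tzinfo=timezone.utc)
    print(format_offset(clock_offset(created, SAMPLE_HTML)))  # +2:42
```

A consistent offset across several cached pages from different days is far stronger evidence of a clock setting than a single page, since one page could reflect a later re-save rather than the original request.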
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Ashay,

No one said you "missed the plot", I was simply hoping that you'd give an explanation as to how the information you provided in your first post could be used. Thanks.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 28/09/2005 4:08 pm
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
Topic starter
 

- Harlan, we are using FTK to examine the image

- Ashay, I can see your methodology I am not certain it is relevant in this case, but again not bad information to keep in mind.

I have done testing previously (Harlan, I think you may remember this) where I found a document or documents where the modified date was previous to the created date. From this I was able to determine that if you created a file on a system in a time zone later than the one modifying it, you were able to obtain results where the modified date was earlier than the creation date.

What I was looking for here, and have got some answers to, was how, from an image, I was able to determine beyond a reasonable doubt what the time was set at on the suspect machine. With that being said, this does not mean the suspect may not have modified the date and/or time on the machine, but hopefully they may have left traces of that in the documents themselves.

Hopefully this eliminates any confusion of the original question.

Thanks All

 
Posted : 28/09/2005 6:22 pm