Forensic Focus Forums: Computer Forensics Discussion
Thrustworthyness of MAC times ...


cosimo
Member
 

Thrustworthyness of MAC times ...

Posted: Apr 23, 06 20:30

Hello,

I am analyzing the image of a Windows XP disk that was used by a supposedly unfaithful employee, and was given back to the employer on Apr. 6th, 2006. Before Apr. 7th, the disk was in a laptop inaccessible to the employer. Unfortunately, the employer decided to analyze the disk on Apr. 12th, so there have been 6 days in which the data on the disk could have been modified by somebody else. On this disk a folder was found containing unauthorized data whose creation date is Jan. 20th, 2006.
If I were the employee, I would defend myself by saying that the folder was put there by the employer, who before creating it moved the system date back to Jan. 6th, 2006.
My question is: is there a way to determine if (and when) the system date has been changed (either from Windows or from the BIOS)? For example, is there some registry entry containing this information?

Thanks a lot in advance to anybody answering this question.

-- Cosimo  
 
  

gmarshall139
Senior Member
 

Re: Thrustworthyness of MAC times ...

Posted: Apr 23, 06 22:08

I don't think you'll be able to establish anything definitively either way. My first thought is to look at the restore points. Ideally the computer wouldn't have been booted at all for those six days. No restore points would be created. If however you see a restore point that is in sequence with the others, yet its created dates within go back to Jan 20th, you may be on to something.

If I were working for the employer I would try to show how the files in that folder came to be there. If there are several different sources and time frames for files in that folder, then it certainly becomes harder to sell the conspiracy.
_________________
Greg Marshall, EnCE 
 
  

keydet89
Senior Member
 

Re: Thrustworthyness of MAC times ...

Posted: Apr 24, 06 17:14

I'd have to agree with Greg's response.

I'd also like to add a couple of comments...

First, depending upon the auditing enabled, there may be a System Event Log entry showing that the system time had been altered through Windows. With regard to the Registry entry issue... well, you can certainly test that using tools such as RegMon and InControl5.

Harlan  
 
  

koko
Member
 

Re: Thrustworthyness of MAC times ...

Posted: Apr 24, 06 23:44

A couple of things, sort of related: if the directory is not at the root of a drive, then you could prove that there was something wrong if the created dates of the parent directories were newer. Also, and this may be a bit of a stretch, but apparently the MFT contains an entry modified date as well as the MAC dates. Maybe this extra date, which is updated when the entry is updated, can give you some help. There's good info in Brian Carrier's book, 'File System Forensic Analysis'. Unfortunately I haven't had the time to really go over it. So anything that you find out, please report back to us. Thanks.
 
  

cosimo
Member
 

Re: Thrustworthyness of MAC times ...

Posted: May 04, 06 00:28

Hello guys,

thanks a lot for your valuable info. Actually, thanks to it, I found a way to prove that the files had been put there by the employee, and I'd like to share it with you and hear your comments.

First, I did an experiment in which I changed the date and time from Windows, and I saw with RegMon that when that happens, the TimeZoneInformation registry entry (located in C:\WINDOWS\system32\system) is written, so its last written date reports the last time at which the data was modified. The same happens if the date is changed via the BIOS.
For the machine I am investigating, the system clock had been modified on Apr. 7th, 2006 at 8:55 am UTC (probably for the automatic update to daylight saving time), and on that day the machine was in the hands of the employer, who in theory could have purposely put the unauthorized data there.
So, to show that the clock had not been set back to Jan. 20th, 2006 and then set again to the correct date by the employer (to fake the unauthorized data creation date), I observed that Windows creates a 6005 event in the System Event Log when the machine is booted, and a 6006 event when the machine is shut down.
The fact that the clock was changed automatically by Windows is shown by the fact that for Apr. 7th the time stamp of the corresponding 6005 entry is identical to the last written time of TimeZoneInformation.
Of course, one might say that Windows changed the date because the BIOS date setting had been changed. However, in this case the time stamps of the 6005-6006 event pairs should be out of sequence. To see this, I did another experiment in which I rebooted my machine, set the BIOS date back to Jan. 1st, 2006, and then let it complete the boot. After the boot, the System Event Log contained a 6005 event whose time stamp was Jan. 1st, 2006, preceded by the 6005-6006 pair whose time stamp was May 2nd, 2006. Since the System Event Log of the suspect disk did not contain any out-of-sequence 6005-6006 event pair, the BIOS date settings had not been changed.

I'd like to hear from you if you think that my conclusions are definitive.

Thanks a lot,

Cosimo  
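The two checks described in the post above (6005/6006 pairs whose time stamps run backwards, and a 6005 time stamp that coincides with the LastWrite time of TimeZoneInformation), written out as an added example in Python. This is not code from the thread; the event IDs 6005 and 6006 are real System log IDs, but the log records, the 60-second tolerance and the function names are constructed for illustration. It goes one step beyond the post: by default it walks every record in write order rather than only the boot/shutdown pairs, so a date change made inside a running Windows session (koko's objection below) also shows up, provided something was logged between the change and the correction.

```python
"""Clock roll-back check over Windows System Event Log records.

Added example; not code from the original thread. Event IDs 6005 (event log
service started, written at every boot) and 6006 (event log service stopped,
written at clean shutdown) are real Windows System log IDs. The records below
are constructed for illustration; on a real case they would come from the
suspect's System.evt as exported by an event log parser.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

BOOT, SHUTDOWN = 6005, 6006


@dataclass(frozen=True)
class Event:
    record: int        # record number: assigned in write order, never re-sorted
    event_id: int
    when: datetime     # time stamp the OS put on the record (system clock)


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def clock_rollbacks(events, only_boot_shutdown=False):
    """Return (previous, current) pairs where a later record carries an earlier time.

    Record numbers grow in write order, so a record stamped earlier than the one
    written before it means the clock was turned back between the two writes
    (in the BIOS before a boot, or inside Windows while it was running, as long
    as something was logged between the change and the correction).
    only_boot_shutdown=True restricts the check to the 6005/6006 records used in
    the post; the default looks at every record.
    """
    chosen = [e for e in events
              if not only_boot_shutdown or e.event_id in (BOOT, SHUTDOWN)]
    chosen.sort(key=lambda e: e.record)
    return [(prev, cur) for prev, cur in zip(chosen, chosen[1:])
            if cur.when < prev.when]


def boots_matching_key_write(events, key_last_write, tolerance_s=60):
    """6005 records whose time stamp coincides with a registry key's LastWrite time.

    Cross-check from the post: a DST adjustment performed by Windows at boot
    rewrites TimeZoneInformation, so its LastWrite time lands on the boot's
    6005 time stamp. The 60 s tolerance is an assumption made here to absorb
    the seconds between log start and the key write.
    """
    return [e for e in events if e.event_id == BOOT
            and abs((e.when - key_last_write).total_seconds()) <= tolerance_s]


# Constructed log: in order, no boot during the six-day gap, boot on Apr 7 at
# the moment the clock was corrected.
CLEAN_LOG = [
    Event(1, BOOT,     ts("2006-04-01 07:02:11")),
    Event(2, 7035,     ts("2006-04-01 07:03:40")),   # an ordinary service event
    Event(3, SHUTDOWN, ts("2006-04-01 18:30:45")),
    Event(4, BOOT,     ts("2006-04-07 08:55:00")),
    Event(5, SHUTDOWN, ts("2006-04-07 17:12:09")),
]

# Constructed log reproducing the BIOS experiment: boot and shutdown on May 2,
# BIOS date set to Jan 1, boot again.
BIOS_ROLLBACK_LOG = [
    Event(1, BOOT,     ts("2006-05-02 09:00:00")),
    Event(2, SHUTDOWN, ts("2006-05-02 09:10:00")),
    Event(3, BOOT,     ts("2006-01-01 00:01:30")),
]

# Constructed log where the date was changed inside Windows without a reboot:
# the 6005/6006 records stay in order; only the records between them reveal it.
LIVE_CHANGE_LOG = [
    Event(1, BOOT,     ts("2006-04-07 08:55:00")),
    Event(2, 7035,     ts("2006-01-20 09:10:00")),   # stamped after the clock was set back
    Event(3, 7035,     ts("2006-04-07 09:40:00")),   # clock restored
    Event(4, SHUTDOWN, ts("2006-04-07 17:12:09")),
]

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("bios", BIOS_ROLLBACK_LOG), ("live", LIVE_CHANGE_LOG)):
        print(name, [(p.record, c.record) for p, c in clock_rollbacks(log)])
    print("6005 at key LastWrite:",
          [e.record for e in boots_matching_key_write(CLEAN_LOG, ts("2006-04-07 08:55:00"))])
```

Run stand-alone it prints the out-of-order record pairs for the three constructed logs: none for the clean log, records 2 and 3 for the BIOS experiment, and records 1 and 2 for the in-session change, which the 6005/6006-only check misses. The check can only show a roll-back that left a record behind; a clock set back and restored with nothing logged in between, or a folder created with the clock correct and its time stamps rewritten afterwards, leaves the log in order, so an in-order log is consistent with the employee's story but does not prove it. Where system-event auditing was enabled on XP, the Security log's "The system time was changed" event (ID 520) also records the old and new time, which is the auditing-dependent record Harlan mentions.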
 
  

cosimo
Member
 

Re: Thrustworthyness of MAC times ...

Posted: May 04, 06 00:38

... in my previous post I forgot to add that the other option to change the MAC times (using the SetFileTime() API) is not a problem, since Italian legislation says that it is the employee who has to prove that the employer used it, and since using SetFileTime() does not leave any trace, this cannot be shown in any way.

Cosimo  
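Following up on koko's two hints (a child created before its parent directory, and the extra time stamps in the MFT) and on the SetFileTime() remark in the post above, here is an added example in Python; it is not code from the thread, and its entries are constructed. Each NTFS MFT record carries two sets of time stamps: $STANDARD_INFORMATION ($SI), which Explorer displays and SetFileTime() rewrites, and $FILE_NAME ($FN), written when the entry is created and refreshed only when the entry is renamed or moved, which the SetFileTime() API cannot set. The Sleuth Kit's istat prints both sets for a given MFT entry, which is where values like these would come from on a real image.

```python
"""NTFS time-stamp consistency checks over an MFT listing.

Added example; not from the thread. Entries are constructed. Two checks:
  1. an entry whose $SI creation time precedes its parent directory's
     creation time (koko's parent-directory observation);
  2. an entry whose $SI creation time precedes its own $FN creation time,
     the usual sign that $SI was backdated after the entry already existed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class MftEntry:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time (settable via SetFileTime)
    fn_created: datetime   # $FILE_NAME creation time (not reachable via SetFileTime)


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def created_before_parent(entries):
    """(child, parent) path pairs where the child's $SI creation predates the parent's.

    A directory cannot hold an entry created before the directory existed,
    unless the entry was moved in from elsewhere (a move keeps $SI creation),
    so a hit is something to explain rather than proof on its own.
    """
    by_path = {PureWindowsPath(e.path): e for e in entries}
    hits = []
    for p, e in by_path.items():
        parent = by_path.get(p.parent) if p.parent != p else None   # root is its own parent
        if parent is not None and e.si_created < parent.si_created:
            hits.append((e.path, parent.path))
    return hits


def si_backdated(entries):
    """Paths whose $SI creation time is earlier than their $FN creation time."""
    return [e.path for e in entries if e.si_created < e.fn_created]


# Constructed listing: a folder and file whose $SI creation was set to Jan 20
# on Apr 7, inside a parent directory that itself dates from Feb 14.
SAMPLE = [
    MftEntry("C:\\",                        ts("2005-11-02 10:00:00"), ts("2005-11-02 10:00:00")),
    MftEntry("C:\\Docs",                    ts("2006-02-14 11:20:00"), ts("2006-02-14 11:20:00")),
    MftEntry("C:\\Docs\\report.doc",        ts("2006-03-01 15:05:12"), ts("2006-03-01 15:05:12")),
    MftEntry("C:\\Docs\\Private",           ts("2006-01-20 09:12:00"), ts("2006-04-07 10:03:41")),
    MftEntry("C:\\Docs\\Private\\list.xls", ts("2006-01-20 09:15:00"), ts("2006-04-07 10:04:02")),
]

if __name__ == "__main__":
    print("created before parent:", created_before_parent(SAMPLE))
    print("$SI earlier than $FN: ", si_backdated(SAMPLE))
```

The parent check flags only the folder (its file is consistent with the folder's own backdated time), while the $SI/$FN comparison flags both the folder and the file, which is why the two are worth running together. The $FN check assumes the entry was not renamed or moved after its $SI times were rewritten, since a move writes a fresh $FN whose times are copied from $SI at that moment. The "entry modified" time koko asks about is the fourth $SI time stamp, updated whenever the MFT record is rewritten; SetFileTime() cannot set it, so after a backdating it reads as the real time of the change, which is worth listing beside the backdated value even though a recent entry-modified time is not abnormal by itself.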
 
  

koko
Member
 

Re: Thrustworthyness of MAC times ...

Posted: May 04, 06 01:57

I'm confused. You don't have to reboot in order to change the date in windows.  
 
