
Detection Of Backdating The System Clock In MacOS

Wednesday, January 31, 2018 (11:42:44)


by Oleg Skulkin & Igor Mikhaylov

Recently we received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?” This is a really good question, at least for us, so we decided to research it. For Windows system clock backdating there is a lot of information to help, for example this SANS white paper by Xiaoxi Fan, but there is nothing about macOS.

Let’s start with macOS timestamps, as they are very interesting and have a lot of evidentiary value. We begin by running the mdls command on a sample file.


1 comment

PanTovarnik

1. Re:

Very good paper, thank you for compiling all this information.

I guess we could also add fsevents to the list of places to look for signs of backdating. If we're lucky, a new file system activity log file could be created during the backdating activity.