
| Subject: | Re: mactimes |
|---|---|
| Date: | Fri, 12 Nov 2004 11:11:16 -0500 |

On Wed, 10 Nov 2004 10:29:38 CST, "Potter, Timothy" said:

> If mactimes can easily be modified by a hacker, then would I know, and how would mactimes be utilized in court?
>
> I have a Microsoft Excel file on a fat12 floppy disk. Here are the mactimes:
>
> modified: 9/28/2004 @ 9:12AM CST
> accessed: 9/29/2004 @ 4:38PM CST
> created: 10/1/2004 @ 1:12 AM
>
> So, how can the created time be later than the last modified time?? This doesn't help in establishing a clear timeline of events..
>
> Thanks,
> -Tim

What, you never seen somebody click the wrong button on the little GUI and set the date on the system wrong? :)

I'd start with the speculation that the system was booted with the clock set 3 or 4 days or maybe a week off, the file created, then the system clock was reset and the file modified and accessed. Other possibility is that the floppy was created on a machine with a borked clock, and then updated on another machine with a different clock setting. (Actually, the only thing you "know" is that the clock settings are different - I'd hate to have to testify in court if one was 3 days fast or the other 3 days slow without other forensic evidence to back me up).

I *think* Windows cuts an event log record if the clock is changed, you might want to see if you have any of those around.

If more than one machine is involved, you may have a tough time of things... We once (well over a decade ago) worked an incident here on campus, and were correlating logs, and we had one machine whose time was 15 minutes 37 seconds (or something odd like that) off, so we were continually adding and subtracting 15 mins 37 seconds as we chased from that machine to others and back. And of course we've been at it a few hours, and we're starting to make mistakes and getting the adjustment in the wrong direction and getting frustrated when we'd not find a matching log entry at 31 minutes 14 seconds from where we *should* have been looking (this was the incident that convinced the hold-outs that NTP was a Really Good Idea ;).

Then somebody asked "Why does that machine say it's Tuesday, and it's Wednesday?". The clock was in reality 365 days, 15 mins, 37 seconds off.

<cue screams of anguish from the entire CIRT team>
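
The hand arithmetic described in the message above can be done once, with the sign fixed in one place. This is an added example, not part of the original message: the host names, the skew table and the log events are constructed, the 365 days 15 minutes 37 seconds offset is the one from the anecdote, and the three file times are the ones quoted in the question.

```python
from datetime import datetime, timedelta

# Constructed skew table: host clock MINUS reference clock, measured once per host.
# Keeping the sign convention in one place avoids correcting in the wrong direction.
SKEW = {
    "hostA": timedelta(0),
    "hostB": timedelta(days=365, minutes=15, seconds=37),  # offset from the anecdote
}

def to_reference(host, stamp):
    """Convert a timestamp recorded by `host` into reference time."""
    return stamp - SKEW[host]

def correlate(events, window=timedelta(seconds=5)):
    """Pair events from different hosts whose corrected times lie within `window`."""
    fixed = sorted((to_reference(h, t), h, msg) for h, t, msg in events)
    pairs = []
    for i, (t1, h1, m1) in enumerate(fixed):
        for t2, h2, m2 in fixed[i + 1:]:
            if t2 - t1 > window:
                break  # list is sorted, nothing later can match
            if h1 != h2:
                pairs.append((m1, m2))
    return pairs

def mac_anomalies(modified, accessed, created):
    """List orderings that one steadily running clock would not produce.
    A hit shows the clocks disagreed; it does not show which one was wrong."""
    issues = []
    if created > modified:
        issues.append("created after modified")
    if created > accessed:
        issues.append("created after accessed")
    return issues

# Constructed log events: (host, timestamp as logged by that host, message).
EVENTS = [
    ("hostA", datetime(2004, 11, 10, 10, 0, 2), "A: login accepted"),
    ("hostB", datetime(2005, 11, 10, 10, 15, 37), "B: connection from A"),
    ("hostA", datetime(2004, 11, 10, 10, 30, 0), "A: logout"),
]

if __name__ == "__main__":
    print(correlate(EVENTS))
    # File times as quoted in the question.
    print(mac_anomalies(datetime(2004, 9, 28, 9, 12),
                        datetime(2004, 9, 29, 16, 38),
                        datetime(2004, 10, 1, 1, 12)))
```
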