As if investigations were not already complicated enough, we also have to contend with various timestamp formats. There is a wide range of time formats available, and it is crucial to understand the differences in order to create an accurate timeline.
Tampering
It’s possible to tamper with some timestamps.
TODO: How?
Time Zone Changes or Daylight Saving Time: If a file is created and then modified in a different time zone, or if the time zone setting on the computer is changed, the modification time could appear to be earlier than the creation time. Switching between standard time and daylight saving time can cause the same discrepancy.
Restoring Files: If a file is restored from a backup, the creation time might be the restoration time, but the modification time would be the last modification before the backup.
Files Copied: Sometimes, if you copy a file to a different location, the new copy gets a new creation time (the time when the copy was made) but still retains the original file’s earlier modification time.
Time Formats and Standards
GMT and UTC are the same for practical purposes and usually are used interchangeably, although there is some difference: https://www.timeanddate.com/time/gmt-utc-time.html.
GMT is a time zone and UTC is a time standard, so UTC+0 = GMT.
The format 2022-09-27T10:42:41.947Z is ISO 8601. I don’t think it’s possible to determine the time zone based solely on the format itself. Many times you have to know the configs for the server to be sure. However, if you see something like 2022-09-27T10:42:41.947+0000, it’s showing the time zone as well: +0000 tells it’s GMT/UTC +0.
Convert from UTC to local time: https://support.microsoft.com/en-us/topic/how-to-convert-utc-time-to-local-time-0569c45d-5fb8-a516-814c-75374b44830a.
Looks like if there is +00Z at the end of a date-time string, it’s UTC, otherwise local time.
Since then, GMT is no longer a time standard. Today, Greenwich Mean Time (GMT) is only the name of a time zone that is used by a few countries in Africa and Western Europe, including the UK during winter and all year in Iceland.
Examples
1994-11-05T08:15:30-05:00 corresponds to November 5, 1994, 8:15:30 am, US Eastern Standard Time.
So, let’s say in Greenwich today is January 27th, 2020 at 6:00 AM. Using the ISO standard, this would be as follows:
2020-01-27T06:00:00Z (Greenwich)
2020-01-27T00:00:00-06:00 (México City)
2020-01-27T14:00:00+08:00 (Beijing)
Basically, even if it’s blowing my mind, when you see +, you subtract the offset to get the UTC time, and when you see -, you add it to get the UTC time.
https://www.w3.org/TR/NOTE-datetime
2019-11-14T00:55:31.820Z is the same as 2019-11-14T00:55:31.820+0000Z. https://stackoverflow.com/questions/58847869/utc-vs-iso-format-for-time
Different date-time formats: https://www.utctime.net/.
1994-11-05T13:15:30Z corresponds to the same instant as 1994-11-05T08:15:30-05:00 above.
So, if the timestamp logged is local, there is no telling the exact time from the actor’s point of view unless you know the time zone at the time of the event.
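An added example (my code, not part of these notes) that applies the rules above: a small Python parser that accepts the ISO 8601 shapes quoted here (Z, +HH:MM, +HHMM, a fractional second, or no zone at all) and normalises them to UTC. The regex, function names and the idea of an explicitly supplied "assumed local zone" are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# Accepts the shapes quoted in the notes: date, time, optional fraction,
# then 'Z', an offset written +HH:MM or +HHMM, or nothing (a "local" stamp).
ISO_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,6}))?"
    r"(?:(?P<z>Z)|(?P<sign>[+-])(?P<oh>\d{2}):?(?P<om>\d{2}))?$"
)

def parse_iso(ts, assume_local_tz=None):
    """Return an aware datetime in UTC plus a label saying how the zone was resolved.

    'Z' or an explicit offset pins the instant down. A stamp with neither is
    "local time" in the sense of the notes: it can only be resolved if the
    caller knows the recording system's zone and passes it as assume_local_tz.
    """
    m = ISO_RE.match(ts)
    if not m:
        raise ValueError(f"not an ISO 8601 date-time: {ts!r}")
    naive = datetime.strptime(m["date"] + "T" + m["time"], "%Y-%m-%dT%H:%M:%S")
    if m["frac"]:
        naive = naive.replace(microsecond=int(m["frac"].ljust(6, "0")))
    if m["z"]:
        return naive.replace(tzinfo=timezone.utc), "UTC (Z)"
    if m["sign"]:
        # The rule from the notes: '+HH:MM' means the clock was ahead of UTC, so
        # subtract to get UTC; '-HH:MM' means behind, so add. astimezone does that.
        off = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
        local = naive.replace(tzinfo=timezone(-off if m["sign"] == "-" else off))
        return local.astimezone(timezone.utc), f"offset {m['sign']}{m['oh']}:{m['om']}"
    if assume_local_tz is None:
        raise ValueError(f"{ts!r} carries no zone; the system's zone must be known")
    return naive.replace(tzinfo=assume_local_tz).astimezone(timezone.utc), "assumed local zone"

def to_utc_string(ts, assume_local_tz=None):
    """Normalised 'YYYY-MM-DDTHH:MM:SSZ' form, convenient as a timeline key."""
    return parse_iso(ts, assume_local_tz)[0].strftime("%Y-%m-%dT%H:%M:%SZ")

def same_instant(a, b):
    """True when two differently written zoned stamps name the same moment."""
    return parse_iso(a)[0] == parse_iso(b)[0]

if __name__ == "__main__":
    for stamp in ("1994-11-05T08:15:30-05:00", "2020-01-27T00:00:00-06:00",
                  "2020-01-27T14:00:00+08:00", "2022-09-27T10:42:41.947+0000"):
        utc, how = parse_iso(stamp)
        print(f"{stamp:32} -> {utc:%Y-%m-%dT%H:%M:%SZ}  ({how})")
```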
The Importance Of Timestamps
If something was downloaded and accessed over several days, the suspect knew about this file. Otherwise, they might prove they didn’t. There also might be a pattern that tells a lot about possible motives. If the files were deleted, it also might prove that the user knew about them and wanted to hide them, keeping them not for themselves but for distribution only (if they, say, emailed those files before deleting them).
There are several timestamps: timestamps the file systems keep in their metadata, timestamps of the files controlled by the OS and FS, and timestamps in the files’ metadata. More?
Tools:
- FileList. file list <directory_to_process> /s /md5 /sha256 /owners /fullpath > evidence.csv. /s - recursive search, /owners - identify the user, /fullpath - full directory path. Open this .csv in Excel as a delimited file, start the processing from the third row (skip the headers) and use tab and comma as delimiters. Filters and pivot tables in Excel can be of use.
- Autopsy. Has a dedicated feature for timeline creation. Better use the Hash Lookup (with NSRL), Recent Activity and EXIF data modules. It is based on Sleuth Kit, so you can use the commands below to get the same info manually on the command line.
- Sleuth Kit. fls -r -m "/" -o <offset> <image/disk> > bodyfile.txt and afterwards: mactime.pl -b bodyfile.txt -d > timeline.csv. For the time zone use -z.
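The fls-then-mactime step above, as an added example that is not part of these notes or of Sleuth Kit itself: a Python reimplementation of what mactime does with a body file (fold the four timestamps of each file into MACB rows, drop unset ones, sort, and render in a chosen zone the way -z would). The body file lines are constructed sample data in the layout fls -m writes; the file names and epoch values are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed sample in the body file layout `fls -m` produces:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds, 0 = unset).
# The story mirrors the notes: a file created 30 Nov, first opened 1 Dec (its Recent
# .lnk appears then), and a recycled copy on 2 Dec that keeps the original mtime.
SAMPLE_BODYFILE = """\
0|/Users/alice/Downloads/report.pdf|41-128-1|r/rrwxrwxrwx|0|0|81920|1669852800|1669766400|1669766400|1669766400
0|/Users/alice/AppData/Roaming/Microsoft/Windows/Recent/report.pdf.lnk|42-128-1|r/rrwxrwxrwx|0|0|1024|1669852800|1669852800|1669852800|1669852800
0|/$Recycle.Bin/$R1A2B3C.pdf|43-128-1|r/rrwxrwxrwx|0|0|81920|1669939200|1669766400|1669939200|1669939200
"""

FIELDS = ("atime", "mtime", "ctime", "crtime")                     # column order in the body file
FLAG = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}    # mactime's MACB letters

def build_timeline(bodyfile_text, tz=timezone.utc):
    """Return [(time string, macb flags, name), ...] sorted by time, like `mactime -b`.

    tz plays the part of mactime's -z: epoch values are absolute, so the zone only
    changes how a row is displayed, never the ordering.
    """
    rows = defaultdict(set)                        # (epoch, name) -> {'m', 'a', ...}
    for line in bodyfile_text.splitlines():
        parts = line.split("|")
        if len(parts) < 11:                        # blank or malformed line
            continue
        name = parts[1]
        for field, epoch in zip(FIELDS, map(int, parts[7:11])):
            if epoch:                              # 0 means "not recorded"; mactime skips it
                rows[(epoch, name)].add(FLAG[field])
    timeline = []
    for (epoch, name), letters in sorted(rows.items()):
        macb = "".join(c if c in letters else "." for c in "macb")
        when = datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S %Z")
        timeline.append((when, macb, name))
    return timeline

def rows_for(timeline, name):
    """Every timeline row touching one path, in time order."""
    return [(when, macb) for when, macb, n in timeline if n == name]

if __name__ == "__main__":
    for when, macb, name in build_timeline(SAMPLE_BODYFILE):
        print(f"{when}  {macb}  {name}")
    print("--- the same events displayed in UTC-5 ---")
    for when, macb, name in build_timeline(SAMPLE_BODYFILE, timezone(timedelta(hours=-5))):
        print(f"{when}  {macb}  {name}")
```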
Timelines are created based on the following sources:
- MAC data
- System logs
- Event logs
- E-mails
- Internet history
- File metadata
File Systems Timestamps
NTFS vs APFS
Mind that APFS timestamps and NTFS timestamps are different! When you add a file to the system (for example, copy it from a USB drive), NTFS changes the MAC times, whereas APFS additionally records an Added attribute, providing you with more information.
Both for APFS and NTFS, the last accessed times might not be updated. Refer to the artefacts page mentioned above for more information.
NTFS has an additional MAC attribute - EM (entry modified). That’s the time when the $MFT entry is modified.
NTFS Last Accessed Update (Win10+):
- 80000000 (hex) = User Managed, Last Access Updates Enabled
- 80000001 (hex) = User Managed, Last Access Updates Disabled
- 80000002 (hex) = System Managed, Last Access Updates Enabled (default for Windows 11, in my case)
- 80000003 (hex) = System Managed, Last Access Updates Disabled
LNK files
These have timestamps embedded. They are “screenshots” of the host file at the time of link file creation. In the case of the Recent folder, this is the time when the file was first accessed.
Application Specific Timestamps
kubectl describe pod podname # to see the pod description, MAC times and settings
References
[1] Digital Archaeology LiveLessons (Video Training), Safari by [Michael W Graves](https://learning.oreilly.com/search?query=author%3A"Michael W Graves"&sort=relevance&highlight=true)