⏱️ Timelines And Timestamps

Time formats and Standards

GMT and UTC are usually used interchangeably, and for log analysis they agree to within a second. Strictly, though, there is a difference: https://www.timeanddate.com/time/gmt-utc-time.html.

❗️ GMT is a time zone, whereas UTC is a time standard. UTC+0 and GMT show the same clock time, so for our purposes UTC+0 = GMT.

The format 2022-09-27T10:42:41.947Z is ISO 8601, and the trailing Z means UTC ("Zulu"). A bare string such as 2022-09-27T10:42:41.947 carries no zone information, so the zone cannot be determined from the format alone; usually you have to check the server's configuration to be sure. A string like 2022-09-27T10:42:41.947+0000 does carry the zone: +0000 means GMT/UTC+0.

Convert from UTC to local time: https://support.microsoft.com/en-us/topic/how-to-convert-utc-time-to-local-time-0569c45d-5fb8-a516-814c-75374b44830a.

If a date-time string ends in Z (or +00:00 / +0000), it is UTC. Any other offset states the zone explicitly. A string with no suffix at all is ambiguous: it is usually the local time of the host that wrote it, but that stays a guess until you check how the source was configured.

Since UTC replaced it as the reference, GMT is no longer a time standard. Today, Greenwich Mean Time (GMT) is only the name of a time zone that is used by a few countries in Africa and Western Europe, including the UK during winter and Iceland all year.

Example: 1994-11-05T08:15:30-05:00 corresponds to November 5, 1994, 8:15:30 am, US Eastern Standard Time (UTC-5).

So, let’s say in Greenwich today is January 27th, 2020 at 6:00 AM. Using the ISO standard, the same instant is written as follows:

  • 2020-01-27T06:00:00Z (Greenwich)
  • 2020-01-27T00:00:00-06:00 (México City)
  • 2020-01-27T14:00:00+08:00 (Beijing)

Basically, even if it’s counter-intuitive: when you see +HH:MM, you subtract that offset to get the UTC time, and when you see -HH:MM, you add it. The offset tells how far the local clock is ahead of (+) or behind (-) UTC.

https://www.w3.org/TR/NOTE-datetime

2019-11-14T00:55:31.820Z is the same instant as 2019-11-14T00:55:31.820+0000 (or +00:00). Z and a numeric offset are alternatives, so a string such as ...+0000Z is not valid ISO 8601. https://stackoverflow.com/questions/58847869/utc-vs-iso-format-for-time

Different date-time formats: https://www.utctime.net/.

1994-11-05T13:15:30Z corresponds to the same instant as the 1994-11-05T08:15:30-05:00 example above, expressed in UTC.

❗️ So, if the timestamp logged is local, there is no telling the exact instant from the actor’s point of view unless you know the time zone (and DST state) of the host at the time of the event.
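The conversions above in code, as an added example (not from the original notes): the function takes the forms discussed in this section (Z suffix, +0000, +00:00, -05:00, and zone-less strings), normalises everything to UTC, and refuses to guess for a zone-less string unless you pass the zone the server was configured with. The sample strings are constructed for the demo.

```python
"""Normalise ISO 8601 log timestamps to UTC (added example, not the notes' own code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample strings; their formats mirror the ones discussed above.
SAMPLES = [
    "2022-09-27T10:42:41.947Z",        # Z = UTC
    "2022-09-27T10:42:41.947+0000",    # numeric offset, same instant as the Z form
    "1994-11-05T08:15:30-05:00",       # US Eastern Standard Time
    "2020-01-27T14:00:00+08:00",       # Beijing
    "2019-11-14 00:55:31",             # no zone info: needs the server config
]

_ISO = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[T ](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?P<frac>\.\d+)?(?P<zone>Z|[+-]\d{2}:?\d{2})?$"
)


def parse_offset(zone):
    """Return a tzinfo for 'Z', '+HHMM' or '+HH:MM'; None when the string had no zone."""
    if zone is None:
        return None
    if zone == "Z":
        return timezone.utc
    sign = 1 if zone[0] == "+" else -1
    digits = zone[1:].replace(":", "")
    hours, minutes = int(digits[:2]), int(digits[2:])
    # A '+' offset is ahead of UTC, so astimezone(utc) subtracts it; '-' adds it.
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def to_utc(stamp, assumed_zone=None):
    """Convert one timestamp string to an aware UTC datetime.

    assumed_zone: tzinfo applied only when the string carries no zone
    (i.e. what the writing host was configured to use). With no zone
    and no assumption a ValueError is raised, so an ambiguous time is
    never silently labelled as UTC or local.
    """
    m = _ISO.match(stamp)
    if not m:
        raise ValueError(f"not an ISO 8601 timestamp: {stamp!r}")
    frac = m.group("frac") or ""
    micros = int((frac[1:] + "000000")[:6]) if frac else 0
    naive = datetime.strptime(f"{m['date']}T{m['time']}", "%Y-%m-%dT%H:%M:%S")
    naive = naive.replace(microsecond=micros)
    tz = parse_offset(m.group("zone"))
    if tz is None:
        if assumed_zone is None:
            raise ValueError(f"zone-less timestamp, host zone unknown: {stamp!r}")
        tz = assumed_zone
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def normalise(lines, assumed_zone=None):
    """Return (original, utc_iso_or_AMBIGUOUS) pairs for a batch of strings."""
    out = []
    for s in lines:
        try:
            out.append((s, to_utc(s, assumed_zone).isoformat()))
        except ValueError as e:
            out.append((s, f"AMBIGUOUS: {e}"))
    return out


if __name__ == "__main__":
    for src, utc in normalise(SAMPLES):
        print(f"{src:32} -> {utc}")
```

Pass `assumed_zone=parse_offset("-06:00")` (or any tzinfo) once you have confirmed the host's configuration; until then the zone-less line is reported as ambiguous rather than converted.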

The Importance Of Timestamps

If a file was downloaded and then accessed over several days, the suspect knew about it; without such evidence they might argue they did not. The access pattern may also say a lot about possible motives. If the files were deleted, that too can show the user knew about them and wanted to hide them, or kept them only for distribution rather than for themselves (if, say, they emailed the files before deleting them).

There are several kinds of timestamps: the ones the file system keeps in its own metadata structures (e.g. the NTFS $MFT records), the per-file MAC times maintained by the OS and file system, and the ones embedded in the files’ own metadata (EXIF, document properties). More?

Tools 🛠:

  • FileList. file list <directory_to_process> /s /md5 /sha256 /owners /fullpath > evidence.csv. /s - recursive search, /md5 and /sha256 - file hashes, /owners - identify the owning user, /fullpath - full directory path. Open this .csv in Excel as a delimited file, start the processing from the third row (skip the headers) and use the tab and comma as delimiters. Filters and pivot tables in Excel can be of use.
  • Autopsy. Has a dedicated timeline feature. Enable the Hash Lookup (with NSRL), Recent Activity and EXIF ingest modules. It is based on The Sleuth Kit, so the commands below get the same information manually on the command line.
  • Sleuth Kit. fls -r -m "/" -o <offset> <image/disk> > bodyfile.txt, then mactime -b bodyfile.txt -d > timeline.csv (mactime.pl in older builds). -o is the partition offset in sectors, -m prepends the mount point to every path, -d writes comma-delimited output. The body file holds zone-less epoch seconds; -z <TZ> only changes how mactime renders them, e.g. -z UTC.

Timelines are created based on the following sources:

  • MAC data
  • System logs
  • Event logs
  • E-mails
  • Internet history
  • File metadata

File Systems Timestamps

NTFS vs APFS

Mind that APFS timestamps and NTFS timestamps are different! When you add a file to the system (for example, copy it from a USB drive), NTFS gives the copy a new Created time (the time of the copy) while the Modified time is carried over from the source, so Modified can be earlier than Created. APFS additionally records a separate Added (date added) attribute for the file, which tells you when it arrived on that volume.

⚠️ Both on APFS and NTFS, the last accessed times might not be updated, so do not infer "never opened" from an untouched access time. Refer to the artefacts page for more information.

NTFS has a fourth timestamp besides M, A and C(reated): E (entry modified), also written as the C in MACB (metadata changed). It is the time the file’s $MFT record was last modified (rename, permission change, size change, etc.).

NTFS Last Accessed Update (Win10+) - controlled by the registry value HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate (query it with fsutil behavior query DisableLastAccess):

  • 80000000 (hex) = User Managed, Last Access Updates Enabled
  • 80000001 (hex) = User Managed, Last Access Updates Disabled
  • 80000002 (hex) = System Managed, Last Access Updates Enabled - default for Windows 11 (in my case).
  • 80000003 (hex) = System Managed, Last Access Updates Disabled

Bit 0 is the disable flag and bit 1 marks the system-managed modes, in which Windows itself decides whether updates are on, so check the value on the examined system before trusting any last-accessed time.

LNK files

These have timestamps embedded. The link header stores the target file’s creation, access and write times as they were when the link was created or last updated, i.e. a “snapshot” of the target at that moment. The LNK file’s own timestamps tell a different story: for a link in the Recent folder, its creation time is when the file was first opened from Explorer and its modification time is when it was last opened.
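Reading that snapshot, as an added example (not from the original notes): the 76-byte ShellLinkHeader at the start of a .lnk stores the target’s creation, access and write times as Windows FILETIME values (100-ns ticks since 1601-01-01 UTC) at offsets 0x1C, 0x24 and 0x2C. The parser below decodes them to UTC datetimes; the sample header is constructed with struct for the demo and is not taken from a real system.

```python
"""Target MAC times from a .lnk ShellLinkHeader (added example, not the notes' own code)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
_HEADER_FMT = "<I16sIIQQQI"


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware UTC datetime; 0 means unset."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the sample header."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(data):
    """Return the target timestamps and size recorded in the shell link header."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(_HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header (bad size or CLSID)")
    return {
        "link_flags": flags,
        "file_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
    }


def build_sample_header(created, accessed, written, size):
    """Constructed header for the demo: real layout, invented values."""
    body = struct.pack(_HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0, 0x20,   # 0x20 = ARCHIVE
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), size)
    return body + b"\x00" * (HEADER_SIZE - len(body))   # IconIndex..Reserved3 zeroed


SAMPLE_LNK = build_sample_header(
    created=datetime(2022, 9, 27, 10, 42, 41, 947000, tzinfo=timezone.utc),
    accessed=datetime(2022, 10, 13, 8, 40, 0, tzinfo=timezone.utc),
    written=datetime(2022, 9, 27, 10, 42, 41, 947000, tzinfo=timezone.utc),
    size=48213,
)

if __name__ == "__main__":
    for k, v in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{k:16} {v}")
```

On a real link, compare these embedded target times with the LNK file’s own file-system timestamps: the header tells you what the target looked like when the link was made, the file-system times tell you when the user opened it.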

Application Specific Timestamps

kubectl describe pod <podname> # shows the pod’s Start Time, each container’s Started/Finished times and the timestamps of recent events (not file MAC times). kubectl get pod <podname> -o jsonpath='{.metadata.creationTimestamp}' prints the creation time in RFC 3339 with a trailing Z, i.e. UTC.

References

[1] Michael W. Graves, Digital Archaeology LiveLessons (Video Training), O’Reilly Safari: https://learning.oreilly.com/search?query=author%3A"Michael W Graves"&sort=relevance&highlight=true