⏱️ Timelines And Timestamps

Created: 12.10.2020

As if investigations weren't complicated enough, we also have to contend with many timestamp formats. Understanding how they differ is crucial to building an accurate timeline.

SANS Windows Forensic Analysis poster - https://www.sans.org/posters/windows-forensic-analysis/. It contains the Windows Time Rules table, which shows how activities such as renaming or copying a file change its timestamps.

Tampering

Some timestamps can be tampered with ("timestomping").

🗒️ On Windows this is done through the SetFileTime API on a handle opened with CreateFile; PowerShell exposes the same thing through the CreationTime, LastWriteTime and LastAccessTime properties of the object returned by Get-Item. Only the $STANDARD_INFORMATION timestamps are reachable this way; the $FILE_NAME timestamps are not, which is why comparing the two is the standard check.

Time Zone Changes or Daylight Saving Time: on file systems that store local time (FAT/exFAT), a change of the machine's time zone, or the switch between standard and daylight saving time, can make a file's modification time appear earlier than its creation time. NTFS stores UTC, so there the displayed times shift together and their order is preserved.

Restoring Files: if a file is restored from a backup, the creation time is often the restoration time, while the modification time is the last modification made before the backup was taken.

Files copied: if you copy a file to a different location, the new copy usually gets a new creation time (the time the copy was made) but keeps the original file's earlier modification time.

✍️ If the file system timestamps of a file look tampered with, look at the files with neighbouring MFT record numbers: entries are allocated roughly sequentially (and reused after deletion), so the neighbours' $FILE_NAME created times show when that part of the MFT was really being written to. Also compare $STANDARD_INFORMATION with $FILE_NAME (the latter cannot be set through SetFileTime), and look for $STANDARD_INFORMATION values with a zero sub-second part: NTFS keeps 100 ns precision, while most timestomping tools only write whole seconds.

Time Formats and Standards

GMT and UTC are usually used interchangeably, but they are not quite the same: https://www.timeanddate.com/time/gmt-utc-time.html.

❗️GMT is a time zone, while UTC is a time standard. So UTC+0 = GMT.

A UTC timestamp in ISO 8601 looks like 2022-09-27T10:42:41.947Z: there is no offset, only the Z ("Zulu", zero offset) at the end. 2022-09-27T10:42:41.947 without the Z is a local timestamp with no zone information; to convert it to UTC you have to know the time zone the server that wrote it was configured with. 2022-09-27T10:42:41.947+0000 is a local timestamp in ISO 8601 that carries its offset: +0000 says it is GMT/UTC+0 (the extended form +00:00 means the same).

πŸ› οΈ Convert from UTC to local time here.

Since UTC replaced it as the reference, GMT is no longer a time standard. Today, Greenwich Mean Time (GMT) is only the name of a time zone used by a few countries in Africa and Western Europe, including the UK during winter and Iceland all year.

🧐 Let's consider a local timestamp with an offset, like 2023-11-05T08:15:30-05:00. The -05:00 at the end is the offset: the number of hours the zone is ahead of (+) or behind (-) UTC. Whatever the zone's name, this example is 5 hours behind UTC, so to obtain the UTC timestamp we add 5 hours and get 2023-11-05T13:15:30 UTC.

🧐 Another example. Imagine, if you will, a frosty morning on January 27th, 2020, at precisely 6:00 AM in the heart of London. Since the UK uses GMT in winter, the timestamp is the same as UTC: 2020-01-27T06:00:00Z. What about México City and Beijing? México City is 6 hours behind UTC, so we subtract 6 hours from the UTC timestamp and get 2020-01-27T00:00:00 local time. Beijing is 8 hours ahead, so we add 8 hours to the UTC timestamp and get 2020-01-27T14:00:00 local time.

❗️So, when converting from local time to UTC, we look at the offset and reverse its sign: if it shows -05:00, we add 5 hours; if it shows +05:00, we subtract 5 hours. When converting from UTC to local time we do the opposite: subtract for -05:00 and add for +05:00.
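The conversions above, as an added Python example (not part of the original notes). The helper names and the host_offset_hours parameter are my own; a naive timestamp (no Z, no offset) is interpreted in the writing host's zone, which the caller must supply as a fixed offset, so handling DST for such hosts is the caller's job.

```python
# Added example, not from the original notes: normalise the ISO 8601 forms
# discussed above ('Z', '+HH:MM', '+HHMM', or no zone at all) to UTC.
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_ISO = re.compile(
    r"^(?P<body>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)"
    r"(?P<tz>Z|[+-]\d{2}:?\d{2})?$"
)


def to_utc(ts: str, host_offset_hours: Optional[float] = None) -> datetime:
    """Return an aware UTC datetime for an ISO 8601 string.

    An explicit 'Z' or offset always wins. A naive string is interpreted in
    the host's zone (host_offset_hours, e.g. -5 for UTC-05:00); if that is
    not known we refuse to guess rather than silently assume UTC.
    """
    m = _ISO.match(ts.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    body, tz = m.group("body"), m.group("tz")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    naive = datetime.strptime(body, fmt)
    if tz is None:
        if host_offset_hours is None:
            raise ValueError("naive timestamp: the host's UTC offset is required")
        zone = timezone(timedelta(hours=host_offset_hours))
    elif tz == "Z":
        zone = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        hours, minutes = int(tz[1:3]), int(tz[-2:])
        zone = timezone(sign * timedelta(hours=hours, minutes=minutes))
    # Attaching the zone and converting is the "reverse the sign" step:
    # 08:15:30 at -05:00 becomes 13:15:30 UTC.
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def to_local(utc: datetime, offset_hours: float) -> str:
    """Render a UTC datetime as wall-clock time at a fixed offset (no DST)."""
    local = utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.strftime("%Y-%m-%dT%H:%M:%S")


if __name__ == "__main__":
    print(to_utc("2023-11-05T08:15:30-05:00").isoformat())      # 13:15:30+00:00
    london = to_utc("2020-01-27T06:00:00Z")
    print(to_local(london, -6), to_local(london, 8))             # 00:00:00 / 14:00:00
```

For real hosts, read the zone from the system configuration (on Windows the TimeZoneInformation key below) and pass the active offset; the function deliberately raises on naive input without one, because assuming UTC is the most common way timelines end up hours off.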

Windows

Registry key 🔑 SYSTEM\CurrentControlSet\Control\TimeZoneInformation contains the time zone info: TimeZoneKeyName names the zone, Bias and ActiveTimeBias give the offset in minutes (UTC = local time + ActiveTimeBias, so a negative value means the zone is ahead of UTC).

❗️ NTFS itself stores UTC, but many application log files and the timestamps shown by Windows tools (Event Viewer included) are rendered in the system time zone, so this key is what you need to convert them back to UTC.

The Importance Of Timestamps

If something was downloaded and accessed over several days, the suspect knew about the file; otherwise they might argue that they did not. Patterns in the timestamps can also say a lot about motive. If the files were deleted, that too may show the user knew about them and wanted to hide them; if they were e-mailed before being deleted, it suggests they were kept for distribution rather than for the user's own use.

There are several kinds of timestamps: those the file system keeps in its own metadata (on NTFS, $STANDARD_INFORMATION and $FILE_NAME), those the OS and applications record about files (registry, event logs, LNK files, prefetch), and those embedded in the file content itself (EXIF, Office document properties). More?

Tools 🛠️:

  • FileList. FileList.exe <directory_to_process> /s /md5 /sha256 /owners /fullpath > evidence.csv. /s - recursive, /owners - record the file owner, /fullpath - full directory path. Open the .csv in Excel as a delimited file, start from the third row (skip the headers) and use tab and comma as delimiters. Excel filters and pivot tables can be of use.
  • Autopsy. Has a dedicated timeline feature. Enable the Hash Lookup (with NSRL), Recent Activity and EXIF modules. It is built on The Sleuth Kit, so the commands below give the same information from the command line.
  • Sleuth Kit. fls -r -m "/" -o <offset> <image/disk> > bodyfile.txt, then mactime -b bodyfile.txt -d > timeline.csv (mactime.pl in older releases). Set the time zone with -z.

Timelines are created based on the following sources:

  • MAC data
  • System logs
  • Event logs
  • E-mails
  • Internet history
  • File metadata

File Systems Timestamps

Timestamps vary between different file systems. Usually, they include creation, modification, access times and sometimes metadata change times as well. By reviewing which of these are equal or how they differ, one can infer what happened to the file.

✍️ Notes
❗️Office apps update access times 🍏 even when last-access updates are disabled through the registry.
❗️API calls (SetFileTime on Windows) can be used to tamper with the timestamps.
❗️Most archive tools restore, on extraction, the modification time each file had when it was archived, so the extracted file's modified time predates its created time and it looks like a file copy.
❗️Some scanners, including AV, update timestamps on each scan.

NTFS

❗️Uses UTC for the timestamps. For more info, see the Artefacts DB -> File Systems -> NTFS.

Use the poster to help. It shows how the file system timestamps change depending on what was done with the file. NTFS keeps 4 timestamps, in both the $STANDARD_INFORMATION and the $FILE_NAME attribute: M (modification 🍉), A (access 🍏), C (metadata/MFT entry change 🍒) and B (file created/born 🍌).

  1. File Renamed: $Standard_Information 🍒, $Filename - none
  2. Local file move: $Standard_Information 🍒, $Filename - 🍉🍒
  3. Volume file move: $Standard_Information 🍏🍒, $Filename - 🍉🍏🍌🍒
  4. File copy: $Standard_Information 🍏🍌🍒, $Filename - 🍉🍏🍌🍒
  5. File Access: $Standard_Information 🍏 (old Win), $Filename - none
  6. File Modify: $Standard_Information 🍉🍒, $Filename - none
  7. File Creation: $Standard_Information 🍉🍏🍌🍒, $Filename - 🍉🍏🍌🍒
  8. File Deletion: $Standard_Information none, $Filename - none

✍️ If you see that a file was created 🍌 AFTER it was modified 🍉, that is indicative of a file copy (the modified time is inherited, the created time is not), even when the file was copied from another system. It can sometimes highlight a lateral movement event.
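The copy rule and the $STANDARD_INFORMATION vs $FILE_NAME comparison, applied to $MFT records, as an added Python example (not part of the original notes or of any tool mentioned here). The rows are constructed for the example, not real evidence; the column names are assumed to follow MFTECmd's CSV export (Created0x10 and LastModified0x10 for $STANDARD_INFORMATION, Created0x30 and LastModified0x30 for $FILE_NAME), and the function names are my own.

```python
# Added example, not from the original notes: apply the $STANDARD_INFORMATION
# (0x10) vs $FILE_NAME (0x30) rules above to records exported from $MFT.
# The rows below are constructed, not real evidence; the column names are
# assumed to follow MFTECmd's CSV export.
import csv
import io
from datetime import datetime
from typing import Dict, List

# Three constructed records: a normal file, a copied file ($SI created after
# $SI modified) and a timestomped file ($SI backdated to 2019 with whole-second
# values, while $FN still carries the real 2023 creation time).
SAMPLE_CSV = """EntryNumber,ParentPath,FileName,Created0x10,LastModified0x10,Created0x30,LastModified0x30
1001,.\\Users\\bob\\Documents,report.docx,2023-07-01 09:00:00.1234567,2023-07-01 10:30:00.7654321,2023-07-01 09:00:00.1234567,2023-07-01 09:00:00.1234567
1002,.\\Users\\bob\\Downloads,tool.exe,2023-07-02 14:05:10.2222222,2023-06-15 08:00:00.1111111,2023-07-02 14:05:10.2222222,2023-07-02 14:05:10.2222222
1003,.\\Windows\\Temp,svchost.exe,2019-03-10 11:00:00.0000000,2019-03-10 11:00:00.0000000,2023-07-02 14:07:45.9876543,2023-07-02 14:07:45.9876543
"""


def _ts(value: str) -> datetime:
    """Parse an MFTECmd timestamp: it has 7 fractional digits, Python keeps 6."""
    date, frac = value.split(".")
    return datetime.strptime(f"{date}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def analyse(rows_csv: str) -> List[Dict[str, object]]:
    """Return, per record, the timestamp indicators that apply."""
    results = []
    for row in csv.DictReader(io.StringIO(rows_csv)):
        si_b, si_m = _ts(row["Created0x10"]), _ts(row["LastModified0x10"])
        fn_b = _ts(row["Created0x30"])
        flags = []
        # Copy rule: $SI born is reset on copy, $SI modified is inherited.
        if si_b > si_m:
            flags.append("copy: $SI created after $SI modified")
        # SetFileTime cannot reach $FN, so $SI born before $FN born means $SI
        # was backdated (file system tunnelling and some installers can also
        # produce this, so treat it as a lead, not proof).
        if si_b < fn_b:
            flags.append("timestomp: $SI created precedes $FN created")
        # NTFS keeps 100 ns precision; most timestomping tools write whole
        # seconds. FAT sources and extracted archives lack precision too: verify.
        if row["Created0x10"].endswith(".0000000") and row["LastModified0x10"].endswith(".0000000"):
            flags.append("timestomp: whole-second $SI timestamps")
        results.append({"entry": int(row["EntryNumber"]), "name": row["FileName"], "flags": flags})
    return results


def neighbour_fn_created(rows_csv: str, entry: int, n: int = 2) -> Dict[int, str]:
    """$FN created time of the records whose MFT entry number is within +/- n.

    Entry numbers are handed out roughly sequentially (and reused after
    deletion), so the neighbours of a suspect record show when that part of
    the MFT was really being written to.
    """
    near: Dict[int, str] = {}
    for row in csv.DictReader(io.StringIO(rows_csv)):
        num = int(row["EntryNumber"])
        if num != entry and abs(num - entry) <= n:
            near[num] = row["Created0x30"]
    return near


if __name__ == "__main__":
    for rec in analyse(SAMPLE_CSV):
        print(rec["entry"], rec["name"], rec["flags"] or "-")
    print(neighbour_fn_created(SAMPLE_CSV, 1003))
```

On the constructed rows, svchost.exe (entry 1003) claims a 2019 creation in $STANDARD_INFORMATION while $FILE_NAME and its neighbour entry 1002 both point at the afternoon of 2023-07-02, which is the pattern the note above describes.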

NTFS vs APFS

Mind that APFS timestamps and NTFS timestamps are different! When you add a file to the system (for example, copy it from a USB drive), NTFS only changes the MAC times, whereas APFS also records a Date Added attribute, which gives you more information.

⚠️ Both for APFS and NTFS, the last accessed times might not be updated. Refer to the artefacts page mentioned above for more information.

The 🍒 timestamp is also called EM (entry modified): it is the time the file's $MFT record was last changed, not the content. It cannot be set through SetFileTime, which makes it useful for spotting timestomping.

NTFS Last Accessed Update (Win10 1803+) - the setting is the NtfsDisableLastAccessUpdate value under SYSTEM\CurrentControlSet\Control\FileSystem (fsutil behavior query disablelastaccess shows it):

  • 80000000 (hex) = User Managed, Last Access Updates Enabled
  • 80000001 (hex) = User Managed, Last Access Updates Disabled
  • 80000002 (hex) = System Managed, Last Access Updates Enabled - default for Windows 11 (in my case)
  • 80000003 (hex) = System Managed, Last Access Updates Disabled

In the system-managed modes Windows turns the updates off by itself on volumes larger than 128 GB, so "enabled" does not guarantee the 🍏 times are current.

Application Specific Timestamps

kubectl describe pod podname # shows the pod's start time, container state timestamps and recent events, together with its settings

❗️ Files extracted from an archive keep the modification date stamps they had before the archive was created.

Building Timelines

TODO: Diagram

First, identify the scope. There is no need to get ALL the data from the start; limit it to a manageable size. Hopefully you have points A and B denoting the start and the end of the incident.

Then narrow down on a pivot point: a filename, an event or a user account (artefact-based), or a point in time (time-based).

Determine which data sources are the most relevant for this investigation. Is the NTFS file system timeline enough (🛠️ MFTECmd and 🛠️ fls, then)? Is it some other FS type (fls only, then)? Or is the file system timeline insufficient, in which case 🛠️ Plaso will fit the purpose.

After the timeline is created, filter it for relevant and suspicious entries.

Analyse the timeline by focusing on the context of the evidence discovered. Use the poster to help (Windows systems only).

macb stands for modified 🍉, accessed 🍏, metadata change 🍒, birth/created 🍌. In a mactime timeline each row carries the flags of the timestamps that share that row's time: m.c. means the modified 🍉 and metadata change 🍒 timestamps are equal to this time, while the accessed 🍏 and birth/created 🍌 timestamps are either different (they get rows of their own) or not present.

# create a body file
📘 MFTECmd.exe -f "E:\C\$MFT" --body "F:result" --bodyf timeline_mft.body --blf --bdl C: # cannot be used on a live system. NTFS only
📘 fls [options] image [inode] # works on an image or a live system. Also works on other file systems, including CD-ROM.

# convert the body file to a timeline
📘 mactime -d -b timeline_mft.body -z UTC > timeline.csv
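What the body-file to timeline step does, as an added Python example: this is not mactime itself and not part of the original notes, just a minimal re-implementation so the macb column above is concrete. The body lines are constructed for the example; the field layout is the TSK 3.x body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds), which is what fls -m and MFTECmd --body write. Function names are my own.

```python
# Added example, not from the notes and not mactime itself: expand a TSK
# body file into one row per distinct timestamp with a macb flag column,
# then cut the result down to the incident window.
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed body lines (not real evidence). tool.exe has an older mtime
# than its ctime/crtime (a copy); svchost.exe has m/a/b in 2019 but its
# MFT entry was touched in 2023 (what timestomping leaves behind).
BODY = """\
0|/Users/bob/Downloads/tool.exe|1002-128-1|r/rrwxrwxrwx|0|0|204800|1688306710|1686816000|1688306710|1688306710
0|/Windows/Temp/svchost.exe|1003-128-1|r/rrwxrwxrwx|0|0|40960|1552215600|1552215600|1688306865|1552215600
"""

Row = Tuple[int, str, str, str, str]  # epoch, date, macb, meta, name


def body_to_timeline(body: str) -> List[Row]:
    """Expand each body line into one row per distinct timestamp, like mactime.

    Timestamps that coincide for the same file collapse into one row whose
    macb column marks which of m/a/c/b share that time ('.' = not this one).
    """
    events: Dict[Tuple[int, str, str], Set[str]] = defaultdict(set)
    for line in body.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        name, meta = fields[1], fields[2]
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
        for ts, flag in ((mtime, "m"), (atime, "a"), (ctime, "c"), (crtime, "b")):
            events[(ts, meta, name)].add(flag)
    rows: List[Row] = []
    for (ts, meta, name), flags in sorted(events.items()):
        macb = "".join(ch if ch in flags else "." for ch in "macb")
        # Same date rendering as mactime -d, always in UTC here.
        date = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append((ts, date, macb, meta, name))
    return rows


def in_window(rows: List[Row], start_iso: str, end_iso: str) -> List[Row]:
    """Keep rows inside [start, end), both given as UTC 'YYYY-MM-DDTHH:MM:SS'."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    lo = datetime.strptime(start_iso, fmt).replace(tzinfo=timezone.utc).timestamp()
    hi = datetime.strptime(end_iso, fmt).replace(tzinfo=timezone.utc).timestamp()
    return [r for r in rows if lo <= r[0] < hi]


if __name__ == "__main__":
    for _, date, macb, meta, name in body_to_timeline(BODY):
        print(date, macb, meta, name)
```

Read the output the way you would read mactime's: svchost.exe gets a "ma.b" row in 2019 and a lone "..c." row on 2023-07-02, i.e. everything SetFileTime can set agrees on 2019 while the MFT entry change it cannot set says the record was rewritten in 2023; tool.exe gets "m..." before ".acb", the copy pattern.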


# ===============================================================
# ===================== PLASO ===================================
# ===============================================================
# create a timeline with Plaso
📘 log2timeline --parsers "webhist,!binary_cookies" outputfile imagefile -z timezone # processes imagefile with all webhist parsers except binary_cookies and writes the result to outputfile (recent Plaso releases take the output via --storage-file instead of a positional argument).

# another filter, to pick up all NTUSER.DAT hives: /Users/.+/NTUSER[.]DAT

📘 log2timeline --file_filter filter_custom.txt outputfile imagefile # either use txt filter files or yaml. The latter support the "exclude" operator.
📘 pinfo.py -v outputfile | less # (or | more) shows the storage file's metadata: parsers used, counts, errors
📘 psort.py --output-time-zone 'UTC' -o l2tcsv -w result.csv outputfile [FILTER] # there are many output formats, for example elastic, which can be fed into Elasticsearch.
📘 psort.py --output-time-zone 'UTC' -o l2tcsv -w result.csv outputfile "date > datetime('2023-07-01T00:00:00') AND date < datetime('2023-07-02T00:00:00')" # here the [FILTER] option narrows the timeline to the time of the incident.

When you have a timeline file (from 🛠️ mactime or 🛠️ Plaso), open it with Numbers, Excel or 🛠️ TimelineExplorer, or ingest it into a SIEM such as Elastic. The resulting timeline can also be searched for 🛠️ YARA signature matches with 🛠️ yara_match.py.

πŸ—’οΈ TODO: Create a poster similar to SANS but for Linux/macOS.

πŸ› οΈ Tools

Two main tools can be used on a Windows machine to create a timeline: πŸ› οΈ MFTECmd and πŸ› οΈ fls to create body files for further processing; πŸ› οΈ mactime to process the body file and create a timeline and πŸ› οΈ Plaso (πŸ› οΈlog2timeline is its frontend, πŸ› οΈ pinfo collection metadata and psort to process and normalise the πŸ› οΈ log2timeline output). Here is a full list of all πŸ› οΈ Plaso parsers.

πŸ› οΈ log2timeline can process raw images, EWF, virtual disks, physical devices, and volume via partition num, and triage folder. Here is an example of text filter for the tool:

/(Users|Documents And Settings)/.+/NTUSER[.]DAT # only process the NTUSER.DAT hives (one per user profile)

And here is an example of a .yaml filter:

description: Exclude Windows Event Log files
type: exclude
path_separator: '\'
paths:
- '%SystemRoot%\\System32\\config\\.+[.]evt'

❗️ The paths are regular expressions, so characters with a special meaning (such as the dot) should be put between square brackets [] to match them literally, e.g. [.] for a literal dot.
